Remote 'Root' Exploit in IIS 5.0
eEye Digital Security was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched; it may be more.

Go see Microsoft's writeup and patch. See also eEye's droll and informative writeup, which, now that an exploit is confirmed to be in the wild today, has added some source code.
Re:Apache can run as 'nobody' Why does IIS need ro (Score:1)
Of course (Score:1)
Re:Bad news about MS, let the games begin (Score:1)
Re:Um, well, kernel 2.4.3 has integrated WWW suppo (Score:1)
Thanks for FUDing, please drive thru.
Re:bottom line (Score:1)
Have to configure a service? I beg to differ. My boxes get portscanned a couple dozen times a day. About a third of those scans appear to be coming from Redhat default server installs that were compromised by scripts running on some other Redhat default server install that was compromised by scripts running on some other Redhat default server install that was ...
I hold Redhat responsible for all these portscans to the same extent that I hold Microsoft responsible for the hundreds of Outlook viruses that have appeared in my inbox. Fortunately, neither affects me much, but I know they affect others.
eEye? (Score:2)
LOL (Score:2)
Re:The Media (Score:2)
BIND is not enabled by default on most distros.
This is news because it is the worst kind of security hole possible, and it's exploitable on a default version of win2000.
An exercise for the reader: modify the exploit given to install a DDoS client, and then write a PERL script that tries the exploit against sequential IP addresses.
The kiddies are falling over each other doing exactly that. The exploit has been out for a few days or so, and I've ALREADY got firewall logs of someone scanning my entire class C for it! This will no doubt end up being even bigger than the rpc.statd in redhat 6.2 exploit in terms of mass exploitation for DDoS purposes.
Re:No need to worry! (Score:2)
Also, I am a bit annoyed with assumption that if it ever were possible to create a security problem that could only be exploited by female attackers, this security problem would then automatically be minor, since the women obviously are no threat. Not only would many women I know find that attitude insulting, underestimating someone because of their gender can be downright dangerous.
Yeah, I know I'm overanalyzing a joke, which is one of the lamest things around; there's a reason this is anonymous. Suppose however that it was discovered that servers painted darker colors ran poorer because they kept overheating, and that in some cases painting a server white made it work better. Would you even _think_ of posting something along the lines of "so _that's_ why my black/hispanic/vietnamese co-workers are so damn lazy"? I mean, maybe some anonymous coward would, but that comment would get moderated into oblivion faster than a speeding mouse. That this got a 5 is just more evidence that way, way too many people have moderator points.
Apache can run as 'nobody' Why does IIS need root? (Score:3)
Will the 'fix' from Microsoft involve IIS running with user level privs? I betcha it won't.
Re:One of the better quotes (Score:3)
Bad news about MS, let the games begin (Score:4)
CmdrSprk writes: Another MS Bug FA-MSP Editor Biachezzzz!!!!! I 0wn3z j00! Sporks rule!
No need to worry! (Score:5)
This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.
Only females can exploit this hole!*
*Not to be taken out of context
Re:So.... (Score:5)
Actually, 1 million is probably accurate... (Score:3)
- A.P.
--
Forget Napster. Why not really break the law?
Re:Apache can run as 'nobody' Why does IIS need ro (Score:1)
Re:The Media (Score:2)
Re:Read Closer. (Score:4)
No, the install should simply be secure by default. I would apply the same standard to Linux distributions, and they often fail the test. Microsoft isn't alone here but I don't think this makes it "right". It just makes it common.
Not unexpected... (Score:1)
Anyone running printer services over the Internet on a server is an utter moron
True, if s/Internet/web/ . But what else can Microsoft do? They're losing SMB print server share to Samba, so they've got to start using something else.
Maybe someone should start a pool on when Microsoft will be removing SMB printing capabilities from their desktop OS...
Input validation seems to be the big category (Score:1)
Indeed - if we are to believe tallying the number of entries in each category given on the security focus page you mention, it would seem that "input validation" is the most common type of security error.
Looking at those vulnerabilities though leads me to conclude that "input validation" is too broad a category - unfortunately, I'm not sure how to divide it up.
Re:The problem is IIS running as system (Score:1)
The problem is IIS running as system (Score:2)
It needs to be said that there is equivalent stuff on Linux: most distributions have a BIND package that runs as root, WU-FTPD as well...
Re:Microsoft Writeup - Genders? (Score:1)
#define X(x,y) x##y
Re: Buffer Overflows... It's the language! (Score:1)
Re:Um, this is old news... (Score:5)
That's a local (not remote) root exploit in a not-commonly-installed tool.
That's a remote unprivileged-user (not root) exploit in a not-commonly-installed application.
That's a local (not remote) non-root exploit in a not-commonly-installed application.
That's, um, a DoS against Novell Border Manager.
I know it's fun and easy to bash Slashdot for being anti-Microsoft, especially when we report security news, but we don't ignore open-source problems [slashdot.org] and we only report vulnerabilities which are of pressing and widespread concern.
Jamie McCarthy
The sad thing (Score:1)
I think you're being unfair (Score:3)
A comparable Unix exploit would have been the recent BIND fiasco. And that got good coverage on
I get tired of MS bashing too. But I think there's a lot less of it here than there used to be. The article about Easel and Ximian took a lot of heat, but I think it was a healthy thing to post. We're still a long way away from looking at the ethics of some of the Linux IPOs, but it's a start.
This is a big security problem, and it was made worse by some questionable design decisions (automatic restarts, etc.). But the effect isn't really any worse than the recent BIND exploits.
And you could argue, as perhaps the OpenBSD guys might, that by not advising people to run BIND in a chroot jail, the ISC guys are being less responsible than MS, which has published security guidelines that protected the users who followed them from this particular exploit.
But what good does that do? The reality is that both Linux and Windows have their share of security problems. MS has a long list of bad decisions from a security point of view, but we have things like linuxconf. Sacrificing security for convenience isn't just a MS thing. And there are plenty of buffer overflows to go around.
We need to encourage everyone to think about security more seriously. We need to get companies to think about security from the beginning, instead of trying to bolt it on in the end. And we need to make sure that they respond quickly when problems do arise.
This just isn't a Linux vs. MS situation.
Re:What's the problem? (Score:1)
Freaker / TuC
Re:Grammatical rules (Score:1)
stupid rules were adopted at one time that they should remain. People decide how they will speak and if they so choose the language changes and so will the rules.
That rules of the gender choice is illogical and should be as we do in French and Spanish which is whatever sounds the best according to the way the words are spelled. A "table" is feminine while a "lit" is masculine.
Who's they'll blame? (Score:2)
So soon there will be news on how another Pentagon server was screwed up, on how another major corp had its finances washed up and how another major pop-website with tons of kitsch and whoolaprizes is "temporarily unavailable".
And who should be blamed for this? The script kiddies like in that 98 scandal with Solaris at Pentagon? The hackers that show how buggy and crappy a piece of software is (here m$ doesn't matter)? The OpenSource, GPL, freeware communities for being much more liberal in these matters? Or the commies for once again digging another hideous conspiracy against the US, the Free World and my backyard?
Re:Why use IIS? (Score:1)
....
Just pretend to be professional for a second and use unix...
Personally, I prefer linux to any other operating system I have tried. But in my experience, it's quite hard to convince a business running more established platforms to change to an 'alternative' operating system. I've managed to convince the school I work at to replace one of the Netware servers with a linux machine running samba, but it wasn't easy.
The reason I asked the question in the first place was that I don't know the dis/advantages of using IIS or apache under win32.
Why use IIS? (Score:2)
My question is, why not run apache on Windows NT/2000? Does IIS have any major advantages over apache and the wide range of addons which are available for it?
Interesting quip from Gartner (Score:2)
I know I'm probably just adding fuel to the fire, but I'm curious how true that sentiment is.
-OT
Re:Actually, 1 million is probably accurate... (Score:1)
This is certainly the case where I work. See, with load-balancing, and extreme over-provisioning (or maybe recognition that MS solutions consume hardware at a rate approaching 8-sideways), we have probably nearly 100 NT servers now. With the recent economic downturn, it is pretty much a given that we will be sticking with the status quo for probably the remainder of the year. That means running servers with NT 4.0 SP 6a (since apparently SP7 is only available in orbit), with the associated software (IIS 4, etc).
Ah well, it makes life interesting at least. 8^)
Re:Stop, wait, don't flame. (Score:1)
Re:Why use IIS? (Score:1)
I made the decision to use Apache because the W2K environment has better development tools.
But there is one thing to remember: W2K is REALLY GOOD, just do not run any MS software on top of it. Then things become very unstable very quickly.
Re:When you try to be the end all be all (Score:1)
And yet when they decide that Bluetooth or USB 2.0 support is too flaky to put in before the initial release of XP, people here howl and moan. Damned if ya do, damned if ya don't.
Cheers,
Re:Apparently, yes (Score:1)
Well, I had tested the exploit against a Win2K Pro SP1 machine with IIS (PWS) installed and it didn't crash IIS. On another Pro SP1 machine, I installed the patch, and haven't had any ill effects for the few days that it's been installed. So, at first glance, it doesn't seem like eEye's exploit works against Pro, but I took steps anyway, and recommend that others do the same. I just renamed msw3prt.dll in the System32 and dllcache directories.
Cheers,
Re:Read Closer. (Score:1)
Don't blame Ford when you hand your keys to a 3 yr old and they wreck the car....
If the car looked like a toy and was easy to use for the three year old, and on top of this, was of a major brand (i.e. had cred), I would...
The Slash Dotcasting Company (Score:2)
[annoying organ music]
Kids, don't forget to send in those Ovalteem labels for your free Windows XP Product Activation DECODER RINGS!
Tune in next week for our latest episode - Clippy's Revenge!
[more annoying organ music, followed by station identification]
Re:Ugh. (Score:2)
Re:Read Closer. (Score:2)
Re:bottom line (Score:2)
How else would you run printer services over the Internet, assuming that's what you require? Throw an HP JetDirect box next to your router? Or set up an IPP daemon on a server you can secure, printing to the printers, and lock it down?
As an aside, are there any good, securable IPP daemons for any OS out there yet? I haven't touched Win2000's IPP service yet, and haven't had much chance to look into CUPS on Linux.
Re:Microsoft Announces New "RemoteRoot" Feature (Score:3)
Re:What's the problem? (Score:5)
Re:When you try to be the end all be all (Score:1)
If IBM's Websphere had an exploit would anyone care? No.
If Sun's iPlanet webserver had a big gaping root exploit, would anyone care? No.
If Netscapes crappy web server had issues, would anyone care? No.
The only reason IIS (and apache) make big news is because they're the biggest players, and they have the largest groups of zealots on both sides drawing attention to itself.
Any piece of software is going to have bugs -- If it's job is to serve material over the net, there's going to be some sort of exploit.
So there's another exploit. The vendor will patch it. Big deal. Move on with business.
~dlb
I liked Infomation Week's coverage better. (Score:1)
"IIS has been a cancer on Windows 2000," he says. "Including that code in the Windows 2000 base vs. it being a separate application was a huge mistake."
InformationWeek:How much more complex is Windows 2000 security compared with Windows NT 4.0? And in what ways is it more complex?
Fossen: It's roughly 10 times more complex. The security infrastructure of Windows 2000 includes Active Directory, Encrypting File System, Group Policy, IPSec, Kerberos, public key infrastructure, remote-access policies, and smart-card logon services. NT security is characterized by the ad hoc plugging of security holes; Windows 2000 security is characterized by the management of these security services to make security scale across an enterprise. Holes still need to be plugged, of course, but now there are built-in tools to make even that effort easier.
http://www.informationweek.com/story/IWK2001050
http://www.informationweek.com/834/winsec.htm
With Windows 2000's complexity and some poor design decisions, I have a feeling we will see more major security flaws in the future.
Re:Printing over the Internet (Score:1)
I can't imagine any valid use of an open printer to the internet...No self-respecting script-kiddie (yes I know that's an oxymoron) would drop by to pick up his/her printouts.
P.S. Note the correct form of denoting unknown gender
Re:Read Closer. (Score:1)
Re:Ugh. (Score:2)
But I also found the timing of the Microsoft announcement and the eEye announcement on Bugtraq interesting. They came out basically at the same time, and there is nothing about eEye's self-aggrandizing announcement that makes me think they would be particularly sensitive to protocol.
One of two things happened; either those eEye guys are more polite and rational than they sound, or else bugtraq held the announcements to coincide. Actually I'm guessing both.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
language solutions (Score:3)
mov [ebp+var_4], 202h
when the buffer is actually only 101h bytes long. So eEye could have made a one byte patch and released this, fixed the problem and then gone to Microsoft to get them to fix it in the source. But that's not the way it goes down. Microsoft has to be the one that makes the patch and although they beat the 30 day average I think 11 days to release a patch is pretty shameful (openbsd would patch this in under 6 hours, 24 hours being the maximum). Especially considering that mumblings of this bug were on bugtraq before April 19.
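The comment above describes the root cause as a length check written against the wrong constant (202h) for a buffer that is only 101h bytes long. The following is an added example, not IIS or eEye code, that models that defect in C and places the hardened form beside it: the only bound that matters is the real destination size, which the caller passes in so the check cannot drift away from the buffer. The sizes follow the comment; the function names, the `enum copy_result` type and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example, not IIS or eEye code. The sizes mirror the comment:
 * a destination buffer of 0x101 bytes and a length check that compares
 * against the wrong constant, 0x202. Function names are hypothetical. */
#define BUF_SIZE   0x101   /* real size of the destination buffer */
#define BAD_LIMIT  0x202   /* the limit the vulnerable check compares against */

enum copy_result { COPY_OK = 0, COPY_REJECTED = 1 };

/* The vulnerable check as the comment describes it: the input length is
 * compared with BAD_LIMIT instead of the destination size, so any length
 * between BUF_SIZE and BAD_LIMIT is accepted and would overrun the buffer.
 * Returns 1 when the check would accept an input that does not fit. */
int vulnerable_check_accepts_overflow(size_t src_len) {
    int accepted = (src_len <= BAD_LIMIT);
    int fits     = (src_len < BUF_SIZE);       /* strictly less: room for NUL */
    return accepted && !fits;
}

/* Hardened copy: bound by the real destination size, which the caller
 * passes in. Input that does not fit is rejected outright instead of being
 * silently truncated, and the result is always NUL-terminated. */
enum copy_result safe_copy_field(char *dst, size_t dst_size,
                                 const char *src, size_t src_len) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_REJECTED;
    if (src_len >= dst_size)                   /* no room for the terminator */
        return COPY_REJECTED;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return COPY_OK;
}

/* Runs a constructed 0x200-byte field through both versions; returns 1 when
 * the wrong-constant check would have accepted it and the hardened copy
 * rejects it, i.e. when the two checks disagree on this input. */
int demo_checks_disagree(void) {
    char field[BUF_SIZE];
    char oversized[0x200];                     /* constructed request field */
    memset(oversized, 'A', sizeof oversized);
    int bad_accepts = vulnerable_check_accepts_overflow(sizeof oversized);
    int safe_rejects = safe_copy_field(field, sizeof field,
                                       oversized, sizeof oversized) == COPY_REJECTED;
    return bad_accepts && safe_rejects;
}

int main(void) {
    char field[BUF_SIZE];

    printf("0x200-byte input: wrong-constant check accepts, hardened copy rejects: %s\n",
           demo_checks_disagree() ? "yes" : "no");

    /* A short field is accepted and NUL-terminated by the hardened copy. */
    if (safe_copy_field(field, sizeof field, "GET", 3) == COPY_OK)
        printf("hardened copy of \"GET\": ok (%s)\n", field);
    return 0;
}
```

The point of `safe_copy_field` taking `dst_size` as a parameter is that the check is computed from the same value that sized the buffer (`sizeof field`), so a later change to the buffer cannot leave a stale constant behind the way 202h did.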
So why? (Score:2)
Your post seems little more than an eloquent version of "Apache suxxors and IIS rules". Please tell us why IIS is a good choice.
Cheers
Misleading (Score:2)
IIS is faster for static content. Apache is faster for dynamic content (SSI, CGI, et cetera). Speed on static content is rather useless, as it doesn't take much of a box to saturate a reasonable connection with either IIS or Apache.
Oh, and there's an Apache module for asp.
Cheers
Buffer Overflows (Score:5)
The vast majority of security vulnerabilities are buffer overflows. This latest vulnerability extends this status quo. There are technologies out there that prevent this, however, almost all of these technologies slow down the system in some way or another. Examples include languages that allow dynamically sized arrays and other preventative measures.
CPU speed is growing such that it would appear that we could take a speed hit for increased security. Is it coming down to the fact that various organizations would rather market a fast webserver at the expense of a secure one? The $64,000 question is why the industry has not moved towards safer technologies that prevent these security holes.
Not that Microsoft is incredibly innovative on the security front, but they're hardly the only culprit. Many others rely on unsafe languages and techniques that allow these vulnerabilities to leak through.
When will it end? Is there any incentive to end?
Hats off to eEye (Score:3)
Of course, I'd be pretty upset too if a bunch of upstarts were singlehandedly obsoleting my practices and methodologies, like eEye (and groups like them) has done with "traditional" security consulting and management. I just hope all you people are watching now and paying attention to the contributions the security community gets from eEye's critics.
A published root hole in IIS is a coup for open source (when was the last "Administrator" break from Apache?). The disseminated fix will be a coup for full disclosure. Everybody wins. Except the dinosaurs.
bottom line (Score:4)
That's the most common problem with server security: the lack of knowledge of some of the administrators setting them up. They don't truly know what is running either via way of moronically not being intuitive enough to know what ports are open for what services and why, or just not having a clue altogether.
Funny how many would whore out, including the staff of eEye. Instead of placing a nicely written, morally sound write-up, they overhype the issue to promote their product.
Lets not forget, what goes around comes around [attrition.org] as eEye has seen in the past. I've purchased programs via my company from eEye, and they're not all that, nor are their advisories. Someone should teach those guys humility.
As for Microsoft, it's just another one of their flaws, so I don't see what the big deal is.
removing the dot in dot com [antioffline.com]
When you try to be the end all be all (Score:3)
It's a good thing for the OS community
Garret
Re:Why use IIS? (Score:3)
Apache can also authenticate against NT domain security using the SMB PAM module.
IIS is administered through a standard interface which is very friendly. There are a few of these available for Apache, most notably a great Webmin module.
Many old versions of Apache modules were a bitch to package (ie. PHP3). Newer ones (ie. PHP 4) package great, but compile-heads who prefer using non known-good software that isn't supported by their distro because it satisfies their pathetic egos still like compiling, and less experienced admins think that's the standard way to do it.
And it's SYSTEM, not 'root', on an NT box.
Do you remember (Score:2)
I posted this yesterday (Score:2)
I submitted this story yesterday and was rejected.
2001-05-01 23:24:00 Another Major Security Hole in IIS (articles,microsoft) (rejected)
Lots of shirking... (Score:2)
A program can be provably invulnerable from certain attacks, but undecidable on other attacks. It's a shame that software most often fails on the most obvious and straightforward of fronts to defend: buffer overflows. Something along the lines of 30-60% of all exploits make use of buffer overflows. However, checking for such weaknesses can be carried out by a sufficiently capable automated tool. With as common a problem as buffer overflows have been, you would think that it would be foremost in people's minds when designing against flaws. If you left your door unlocked and were robbed seven times in a row, wouldn't you start locking your front door as the first measure?
It's a small example but indicative of a larger problem I am trying to frame. Software vendors, hobbyists, open source developers, just don't think about these things. They write software in an ad hoc fashion intended to be configurable and carry out a service, so intent on the goal that they fail to consider the larger context. They believe an exploit or a security flaw is something blatant and obvious in the code, or they base their assumptions on a narrower range of input than the application will be exposed to. And even in that case, they see a security flaw as just another bug to patch in the next release, as innocuous as something like a memory leak.
Software that provides services is meant to do that. To everyone. And if not to everyone, to a select group of people who must be authenticated and authorized. Those mechanisms must be engineered to be extremely fault tolerant. Unfortunately, they often are not.
The software vendors do carry blame for this. Don't push this off onto system administrators for not knowing "how to configure" something. That's a poor excuse. They should be informed, of course, but their software should be secure, out of the box. Correct software isn't patchwork. It is carefully designed, carefully crafted to fit together but remain modular. It is not a series of patches with various nebulous origins to fix flaw after flaw in far flung parts of the code. Despite what you want to claim, secure, well-engineered software truly is a Cathedral, and not a Bazaar.
Simply throwing bugfixes at a problem won't fix an underlying engineering flaw. Throwing your code at people won't fix its design flaws. Take for example Kerberos. Nearly ten years it spent in the open source community as a secure protocol for providing services. The code was in the open and everyone just assumed that it was correct. In two weeks of studying the code at Purdue, a flaw was discovered that allowed the encryption to be subverted and tickets forged in less than a tenth of a second. The flaw had been in the code for ten years, because no one with enough training bothered to look for it.
Like I said, throwing patches at a problem isn't going to fix an engineering flaw, throwing your code at people isn't going to fix your design flaws. Until vendors realize this (which will probably be never) and start designing secure software from the ground up, there will always be buffer overflows, always exploits, always patches. A lot of services are set up to be turn-key, infeasible for the application to have a babysitter to patch the software night and day. Blaming system admins for their systems being penetrable? Who wrote the software again?
The horror! (Score:2)
Microsoft's Secret Exposed (Score:2)
I hear next month they're going to replace all their programmers with a large but finite number of monkeys. Code quality is expected to improve.
Re:Um, this is old news... (Score:5)
Right. And millions of stolen credit card numbers as a result is only proof of stupid admins, not stupid software.
Software has an obligation to be set up secure by default, and insecure by the expressed will of the admin. Apparently with IIS and/or MSSQL this little bit of advice is forgotten.
You can go on and on about how anyone who bothered to read the docs would not set up the server in a vulnerable way, but this ignores an INCREDIBLY important aspect of human nature. That default computer usage should be reasonable is assumed by default. 80+% of all web users NEVER change their home page. In a similar vein, most web admins simply use the default install, irrespective of the potential holes or default passwords.
The default install has to work securely, plain and simple. For IIS or MSSQL, there are obvious reasons that your customers' business is not safe if you used the default install.
Re:Apache can run as 'nobody' Why does IIS need ro (Score:4)
To do this with apache, well, you're talking about extensions and helpers that break parts of apache and are security risks in their own right... "suexec" comes to mind... and apache still needs to run as root to let any of these work. Furthermore, does suexec work with PHP? mod_perl? Or is it only a cgi-bin wrapper (i.e. killing Apache's performance as a dynamic content server)?
Fwiw, there may be better solutions than the old suexec on apache by now...
It is possible that via perhaps Impersonation, IIS could run as non-system and still have separate users and app protection etc, but that's tricky to program. There may be other reasons for IIS to run as system; what I've written is just a possibility.
One of the better quotes (Score:5)
Re:Read Closer. (Score:2)
A) This thing shouldn't have been installed by default. Oops on Microsoft.
B) If an admin is worth his weight in dirt he would have seen it already and canned it.
C) The MS coder that wrote something which would be included in a basic install should have been notified of this... and the code should have been properly audited. Odds are, whoever coded this ISAPI extension would have said upon notice that his extension would be in the default install something along the lines of, "WTF for? Nobody actually _uses_ this thing."
C would have fixed a few problems
Justin Buist
Buffer Overflows are not the vast majority (Score:4)
I don't have numbers (probably only large espionage organizations do), but I'm willing to bet that's not true.
Buffer overruns undeniably get a lot of coverage on bugtraq--if you casually read the list, you'll be forgiven for thinking that buffer overruns are the overwhelming bane of computer security. But there are two biases to this observation:
I frankly think the reason the discussion on bugtraq seems dominated by buffer overruns is that the community enjoys, and is comfortable, discussing buffer overruns. Even though the same religious issues (bounded arrays, language choice, non-executable stack, stack-guarding libraries) are rehashed over and over, people never get tired of them. Buffer overruns have a cherished place in security folklore. This is kinda nice in that it gives the community a common ground, but dangerous because it leads people to overlook the importance of other program flaws that can result vulnerabilities.
Further, buffer overruns are plain easy to find. If you have source code, a few greps often take you right to the hole. Even if you don't, tools like fuzz [sourceforge.net] do pretty well (many bugtraq reports indicate that tools like this were used to find the overrun). Plus, contrary to what you might think, buffer overrun exploits are usually easy to write, so don't think that turns off any would-be security gurus. Other classes of vulnerability usually require more analysis of program logic to find.
So.... (Score:4)
That would be a White Hat job.
Re:Stop, wait, don't flame. (Score:2)
Re:Stop, wait, don't flame. (Score:2)
Stop, wait, don't flame. (Score:5)
Yes, this seems to be a really nasty hole, but it doesn't appear as if it's been exploited (yet, of course). Microsoft did release a patch and didn't try to play down its importance (so it seems to me). Those of us in the *nix community have had our share of root exploits in various daemons, so they crop up in even our most favorite software.
There is no reason to be blindly insulting MS or promoting the secureness of Open Source programs. Large, complex programs are subject to buffer overruns.
If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.
Only chicks can exploit this... (Score:2)
So, as you can see, only a FEMALE hacker can exploit this vulnerability. And since the current
Windows is dead!
Re:Read Closer. (Score:2)
In this context, here is this bit of classic humor, as they say, "found on the Net"
WHAT IF PEOPLE BOUGHT CARS LIKE THEY BOUGHT COMPUTERS?
General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "I got in my car and closed the door, and nothing happened!"
HELPLINE: "Did you put the key in the ignition slot and turn it?"
CUSTOMER: "What's an ignition?"
HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
HELPLINE: "Is the gas tank empty?"
CUSTOMER: "Huh? How do I know?"
HELPLINE: "There's a little gauge on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
CUSTOMER: "It's pointing to 'E.' What does that mean?"
HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
HELPLINE: "Thanks for buying our car. How can I help you?"
CUSTOMER: "How do I work it?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "Do I know how to what?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "I'm not a technical person! I just want to go places in my car!"
Check out the Vinny the Vampire [eplugz.com] comic strip
Why we blame M$ (Score:3)
You only come down really hard on the kid that is always in trouble...
/.ers only have a karma of 49...
REAL
Re:The Media (Score:2)
No holes like this exist in Linux
I'm presuming that this is just a troll, but in case you're serious there are a number of holes just like this for Linux, and there remain thousands or millions of Linux servers that haven't properly been patched up (just as there are NT 4 servers with holes 2 years old out in the wild).
Re:Why use IIS? (Score:2)
My question is, why not run apache on Windows NT/2000?
This is a circular question: Why not run IIS rather than Apache? What you really are likely to get in response are zealotry replies about how IIS suxxors and Apache rules. In reality IIS 5.0 is a very high performance, high reliability system that excellently integrates with the security subsystem of NT/2000. But preferences vary and others will likely think differently for reasons that make sense for their needs.
And of course... (Score:2)
Re:bottom line (Score:2)
I don't know if anyone remembers, but eEye pulled this same shit about a year and a half ago. They found some vulnerability, and used it just to promote their (then shitty, haven't checked it lately) security scanner.
I think they spend more time trying to find exploits than they do working on their product. They really are in it just for the publicity.
Re:The servers don't always come back (Score:2)
Woops.... Hope they get it running again soon. "He" never would have done it had "he" known this was going to happen. But regardless, this exploit can most definitely deny service to users. (Just check out www.ncix.com - they're down as I write this. I bet "my friend" will think twice before testing any other servers.)
Willy
Microsoft Announces New "RemoteRoot" Feature (Score:5)
Let Microsoft take you away from all that. With our new RemoteRoot feature for IIS on Windows2000, users can log in as root from remote sites without all the muckety muck.
Forgot your password? No problem. RemoteRoot makes getting in easy.
Microsoft has partnered with the company responsible for Zero Click [ridiculopathy.com] technology to bring you this wonderful new feature. You can read more about it on their web site. [ridiculopathy.com]
What's the problem? (Score:5)
Read Closer. (Score:5)
So in effect, if the admin who set up the webserver is in ANY way competent, he should have already been over the checklist and applied the template, both of which discuss removing this extension. If he's lazy and only used the SecTool, that would still do the job.
-------
-- russ
"You want people to think logically? ACK! Turn in your UID, you traitor!"
Re:Read Closer. (Score:5)
Better go tell Dell, Microsoft, eBay, NASDAQ, Intel, etc. that they don't have a clue.
Setting up IIS securely takes work, just as doing so on a Linux box does. The problem is that many so-called "WinNT/2K Admins" are clueless. They click Install, and see that they can get to their web page. They then assume everything is OK.
A "real" admin would get on the various security lists [microsoft.com], go through the MS checklists [microsoft.com], apply the high-security template [microsoft.com], and download the scripts that Microsoft used to help secure their own W2K webservers. The admin would also stop by the MS security site [microsoft.com] at LEAST once per month, if not more. They even have a security Tool [microsoft.com] that can baby-step you through the configuration if the registry scares you.
Don't blame Ford when you handed your keys to a 3 year old and they wrecked the car....
Of course in this particular case, Microsoft should have performed better testing, but still...
-------
-- russ
"You want people to think logically? ACK! Turn in your UID, you traitor!"
Re:The problem is IIS running as system (Score:2)
Trolls throughout history:
New? (Score:2)
Give them props for doing what we always slam them for not doing-- responding quickly to a large exploit.
Though it does nothing for all the other exploits for win NT/2k out there.....
Re:Seriously? (Score:3)
Let me see--
Re:Why use IIS? (Score:3)
Hmmm.....
Re:Um, well, kernel 2.4.3 has integrated WWW suppo (Score:3)
Alan Cox wasn't sleeping, here [indiana.edu] is his 2c worth, about 2 weeks after the announcement. It's just a special in-kernel cache after all, not like running IE5 or IIS5 wholly in the kernel like some other OSes.
The home page is http://www.fenrus.demon.nl [demon.nl]. kHTTPd only serves up static content; all non-static stuff is passed to a userland webserver, like Apache or Zeus.
"Why didn't I join Microsoft? [LAUGHTER]"
Re:interesting (Score:4)
You sir are an idiot. Please click the links at your leisure.
Security Flaw with Linux 2.4 Kernel and IPTables [slashdot.org]
New Linux Worm [slashdot.org]
Linux 2.1.* Security Hole [slashdot.org]
*BSD procfs vulnerability [slashdot.org] Hey a BSD one!!
Linux 2.2 DoS Attack [slashdot.org]
IP Frag Exploit in Linux Kernel [slashdot.org]
New Linux Security Holes [slashdot.org]
Cracking All The Live Long Day & RH6/7 [slashdot.org]
"Why didn't I join Microsoft? [LAUGHTER]"
Re:The Media (Score:3)
There have been virtually billions of 'remote root' level holes in Sendmail alone, never mind the various other daemons that ship with one or more standard Linux (and/or other UNIX based system) distributions. While these are reported on the geek/security sites like Bugtraq, they rarely make it to the mainstream.
Anyway, this is bound to turn into a long useless series of Microsoft-sucks, Linux-sucks posts... But the reality is every OS, open source or closed, has major bugs found in it from time to time... glass houses... stones... etc. Try not to feed the trolls.
Re:Why use IIS? (Score:5)
IIS is also far easier to install and maintain; it uses Microsoft's standard MMC console admin interface. Of course, there are two sides to the ease-of-admin issue (many will argue it invites security risk due to low-clue admins being able to do the job, half-assedly).
Probably the most important feature, though, is Active Server Pages functionality: the ability to write parsed HTML code in any of the languages supported by Microsoft's Active Scripting (JScript, VBScript, Perl, Python, etc), with the added bonus of access to pre-built COM objects.
It is quite nice. Personally, I prefer PHP for most web-app development, but the wide variety of language choice and the COM integration are pretty cool if you don't mind locking your box to Microsoft technology.
Not only Microsoft... (Score:3)
Look at RedHat 7.0, for example. Don't bash MS because they have bugs -- to do that would be hypocritical.
Impossible!! (Score:3)
Re:The Media (Score:3)
Of course, the mad rush to upgrade to 2.2.16 was purely cosmetic, and had nothing to do with a root exploit affecting all the previous kernels of the 2.2 series.
And BIND has never had a serious exploit in it. Oh no.
[Note for the sarcasm impaired: That was sarcasm]
Re: Buffer Overflows... It's the language! (Score:2)
That covers the most common programming errors in C/C++. In C/C++, the programmer manipulates raw addresses and allocates and deallocates memory manually. In the other languages, the programmer doesn't have access to raw addresses or manipulate memory directly, so the programmer can't cause crashes and neither can an opponent.
This is all obvious... but no one seems to learn it.
Most of these languages have very efficient implementations... meaning that they have compilers that can produce code that performs in the neighborhood of C code (or sometimes better). And these languages from the Lisp or functional families are much more productive than C/C++.
The most effective (and it works!) tool... (Score:2)
COMPETENT PROGRAMMING!
Think of it. If I'm going to read in data, I will never ever ever blindly pass in a fixed-length array. In many many cases you can peek ahead to see how much data is waiting to be collected, or specify the length of your array so that the called function will not overflow your buffer. If you can't (then the called function was not written properly, but...) do something silly like allocate a buffer in the heap, and then copy the needed data into an internal buffer afterwards. If the "temp space" buffer is out of range of executable code and big enough (reasonably, we can assume that we're not going to receive a 26MB buffer overflow) then even with a function that you can't specify the length of your array for, an overflow will not be a problem. It's common sense, people, especially with all of the press coverage that buffer overflow attacks have gotten. It's not brain science, just another example of incompetent programming.
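The two habits the post describes, passing the destination size into the callee and checking a declared length before copying, as an added C example that is not from the original thread. The one-byte length prefix message format is constructed for this illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* size of the fixed-length buffer the post warns about */

/* The pattern the post warns against: the callee is never told how big dst
   is, so any src longer than the buffer writes past its end. Called below
   only with input that fits, purely for contrast with the bounded version. */
static void copy_name_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Bounded form: the callee receives the destination size and rejects input
   that does not fit (including room for the terminating NUL) instead of
   silently overflowing. Returns 0 on success, -1 if the input was refused. */
int copy_name_bounded(char *dst, size_t dst_size, const char *src, size_t src_len) {
    if (dst_size == 0 || src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* "Peek ahead" form: the message carries its payload length in its first
   byte (constructed format), so the receiver can validate that length against
   both the bytes actually received and the destination buffer before copying.
   Returns 0 on success, -1 on a short or oversized message. */
int read_length_prefixed(const uint8_t *msg, size_t msg_len, char *out, size_t out_size) {
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1)          /* header claims more than was sent */
        return -1;
    return copy_name_bounded(out, out_size, (const char *)msg + 1, declared);
}

int main(void) {
    char name[NAME_MAX_LEN];
    copy_name_unbounded(name, "short");            /* fits; longer input would not */
    printf("unbounded copy: %s\n", name);
    const char *big = "this string is longer than sixteen bytes";
    printf("bounded copy of oversized input: %d\n",
           copy_name_bounded(name, sizeof name, big, strlen(big)));
    const uint8_t msg[] = { 5, 'a', 'l', 'i', 'c', 'e' };   /* constructed message */
    printf("length-prefixed read: %d -> %s\n",
           read_length_prefixed(msg, sizeof msg, name, sizeof name), name);
    return 0;
}
```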
Re:So why? (Score:3)