Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins

From: Ken Schaefer (ken_at_ADOPENSTATIC.COM)
Date: 06/04/04

    Date:         Fri, 4 Jun 2004 21:25:07 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    From: "Russ" <Russ.Cooper@RC.ON.CA>
    Subject: Russ Cooper's AusCERT Presentation on MS Security Bulletins

    :
    : 7. I then compared IIS versions. Given the timeframe
    : of the products, the numbers are very different;
    :
    : IIS 4.0 = 231 vulnerabilities
    : IIS 5.0 = 282 vulnerabilities
    : IIS 6.0 = 60 vulnerabilities
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Russ,

    Can we get the calculations behind your analysis please? (if you have this
    in a convenient form - spreadsheet? database? I don't want to create a lot
    of extra work for you). For example, I'm struggling to think of 60
    vulnerabilities that affect IIS 6.0, but some of your other numbers also
    seem a little out of kilter with what I would have guessed (though this may
    be my faulty memory more than anything).

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    : and since there people pay for bandwidth above an ~50MB cap,
    : I did point out however that XPSP2 was 276MB and its
    : adoption is required for us to reap its benefits.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    For about A$50/month you can get ~6 GB of downloads in Australia these days.
    I pay $70/month with one of the more established players (read: more
    expensive, but not as likely to go down the drain) and get ~40 GB/month.

    Microsoft in Australia will be saturating the market with CDs of XP SP2,
    well aware that it needs to get SP2 out there into the marketplace. I have
    been told by the MS Windows group here in Australia not 3 days ago that for
    a typical home user, the download will be approximately 100MB (about 40% of
    your suggested size). Which still sucks if you're on dial-up though...

    Cheers
    Ken

    Microsoft MVP - Windows Server (IIS)


