Re: Microsoft IIS Patch Level Security PCI loophole
- From: "Daniel Crichton" <msnews@xxxxxxxxxxxxxxxx>
- Date: Fri, 22 Feb 2008 10:33:11 -0000
MarkB wrote on Fri, 22 Feb 2008 02:18:09 -0800 (PST):
Hi,
I run a security scanner for PCI credit card (Visa, MC) shopping cart
compliance periodically on my web site, which, upon a recent site scan
on our domain, returned a failing test. The reason that the test did
not pass was because it maintains that the Microsoft IIS Server is
running at a patch level (SP1 specifically) which is lower than the
current patch level, hence the failed test. On the flip side of the
coin, the test is obviously not foolproof and it maintains in the
commentary field the following info:
[snipped]
Note that this test makes assumptions of the remote patch level based
on static return values (Content-Length) within an IIS Server's 404
error message. As such, the test cannot be totally reliable and should
be manually confirmed.
I have opened up a support ticket with my web host (www.hostmysite.com)
but they have assured me over the phone that they have the latest patch
levels on their server (after testing them out).
Where to go. What to do... Very frustrating... Any advice is much
appreciated.
Thank you for your time.
If they've manually confirmed that it is at the latest patch, then you're
fine as per the last line of that paragraph I left from the PCI scan. If
there was a reliable way to determine patch level yourself (i.e. remotely)
then the PCI scan would be able to do so.
--
Dan