Re: Microsoft Security Bulletin MS03-007 - 815021

From: Dane (Dane352@hotmail.com)
Date: 03/17/03 

From: "Dane" <Dane352@hotmail.com>
Date: Mon, 17 Mar 2003 15:04:24 -0600

"Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
news:u1vpELL7CHA.2272@TK2MSFTNGP12.phx.gbl...
> Title: Unchecked buffer in Windows component could cause web server
> compromise
> Date: March 17, 2003
> Software: Microsoft Windows 2000 All Versions
> Impact: Run code of attacker's choice
> Maximum Severity Rating: CRITICAL
> Bulletin: MS03-007

Probably the greatest advice ever given
http://www3.gartner.com/DisplayDocument?doc_cd=101034
"Gartner recommends that enterprises hit by both Code Red and Nimda
immediately investigate alternatives to IIS, including moving Web
applications to Web server software from other vendors, such as iPlanet and
Apache. Although these Web servers have required some security patches, they
have much better security records than IIS and are not under active attack
by the vast number of virus and worm writers. Gartner remains concerned that
viruses and worms will continue to attack IIS until Microsoft has released a
completely rewritten, thoroughly and publicly tested, new release of IIS.
Sufficient operational testing should follow to ensure that the initial wave
of security vulnerabilities every software product experiences has been
uncovered and fixed. This move should include any Microsoft .NET Web
services, which requires the use of IIS. Gartner believes that this
rewriting will not occur before year-end 2002 (0.8 probability).
Analytical Source: John Pescatore, Information Security Strategies"

Relevant Pages

  • Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
    ... SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS. ... 2001 we reported the following problem (with specifics to IIS and SITESERVER) to the Microsoft Security Response Center. ... These vulnerabilities, especially when combined with well-known cross-site scripting vulnerabilities, could cause loss of confidentiality, failure of non-repudiation and fraud. ... The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values with each subsequent request to the web server. ...
    (Vuln-Dev)
  • Re: << Small Biz Server news the week of May 2, 2004>>
    ... I would like to personally ask all IIS administrators to ... >take the time to test and install MS04-011. ... The security package Microsoft Unified Security Protocol ...
    (microsoft.public.windows.server.sbs)
  • Re: Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)
    ... I do agree that when a security consultant finds potential security ... responsibly and provide details of the vulnerabilities discovered to ... what happened on the last 6 months between us and Microsoft: ... Microsoft's solution for the IIS 5.0 FPE2002 vulnerability we ...
    (microsoft.public.security)
  • Re: Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)
    ... I do agree that when a security consultant finds potential security ... responsibly and provide details of the vulnerabilities discovered to ... what happened on the last 6 months between us and Microsoft: ... Microsoft's solution for the IIS 5.0 FPE2002 vulnerability we ...
    (microsoft.public.inetserver.iis.security)
  • Re: Asp.Net.Vulnerability: Full Trust (current security problems and possible solutions)
    ... I do agree that when a security consultant finds potential security ... responsibly and provide details of the vulnerabilities discovered to ... what happened on the last 6 months between us and Microsoft: ... Microsoft's solution for the IIS 5.0 FPE2002 vulnerability we ...
    (microsoft.public.dotnet.framework.aspnet.security)