Re: Microsoft Security Bulletin MS03-007 - 815021

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: 03/18/03

Date: Mon, 17 Mar 2003 17:57:14 -0800
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>

And what about all those lovely vulns in the Apache server?

ANY web server is a sitting duck these days, no matter what flavor.

Dane wrote:

> "Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
> news:u1vpELL7CHA.2272@TK2MSFTNGP12.phx.gbl...
> > Title: Unchecked buffer in Windows component could cause web server
> > compromise
> > Date: March 17, 2003
> > Software: Microsoft Windows 2000 All Versions
> > Impact: Run code of attacker's choice
> > Maximum Severity Rating: CRITICAL
> > Bulletin: MS03-007
>
> Probably the greatest advice ever given
> http://www3.gartner.com/DisplayDocument?doc_cd=101034
> "Gartner recommends that enterprises hit by both Code Red and Nimda
> immediately investigate alternatives to IIS, including moving Web
> applications to Web server software from other vendors, such as iPlanet and
> Apache. Although these Web servers have required some security patches, they
> have much better security records than IIS and are not under active attack
> by the vast number of virus and worm writers. Gartner remains concerned that
> viruses and worms will continue to attack IIS until Microsoft has released a
> completely rewritten, thoroughly and publicly tested, new release of IIS.
> Sufficient operational testing should follow to ensure that the initial wave
> of security vulnerabilities every software product experiences has been
> uncovered and fixed. This move should include any Microsoft .NET Web
> services, which requires the use of IIS. Gartner believes that this
> rewriting will not occur before year-end 2002 (0.8 probability).
> Analytical Source: John Pescatore, Information Security Strategies"
