/v3-uk/news/1966537/hackers-exploiting-iis-flaws
05 Sep 2009, Phil Muncaster , V3
Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.
Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.
The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".
"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.
Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.
Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.
"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
Do you agree?
Hum...
Hackers (not crackers) should contact Microsoft first, THEN everybody else, so they can have time to build a fix.
So... what explains that flaws in Linux (with exploit code samples) are made publicly available, and then are patched hours later?
Posted by fulanoDeTal, 06 Sep 2009
Why doesn't Redmond pen test their software
Really doesn't make sense to me that MS doesn't pen test their software. Why are software updates these days more focused on patching security holes rather than providing increased functionality? It seems to me that MS is completing a QC process during its Patch Tuesday cycle rather than before the software is released. The keys to quality software: develop w/ security in mind, open the s/w up to the community to allow review and development for security issues, and pen test your software. Opening up your software has business consequences, but you get better and more secure code. If a hacker finds a hole in software that everyone else is looking at, chances are that everyone else saw it too. It's just a matter of getting the 800 lb gorilla in the room outside. Same goes for pen testing... if the developer spends some time pen testing, how much better would he be at finding exploits in the software he created than the hacker that has only intuition to go on?
Posted by Annoyed with Updates, 07 Sep 2009