All the latest UK technology news, reviews and analysis
|
|
|
05 Sep 2009
Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.
Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.
The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".
"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.
Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.
Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.
"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Sneak peek at the forthcoming glass-based machine
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Job Specification For: Software Developer...
A global Investment Bank requires a Project Manager to...
Web Developer, .Net Software Developer - ASP.Net, C...
Verint Voice Recording Support Engineer (Verint / Nice...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Why doesn't Redmond Pen Test there software
Really doesn't make sense to me that MS doesn't pen test there software. Why are software updates these days more focused on patching security holes rather than providing increased functionality? It seeks to me that MS is completing a QC process during it's patch tuesday cycle rather than before the softwaree is released. The keys to quality software: develops w/ security in mind, open the s/w up in the community to allow review and developement for security issues, and pen test your software. Opening up your software has business consequences but you get better and secure code. If a hacker finds a hole in sotfware that everyone else is looking at, chances are that everyone else saw it to. It's just a matter getting the 800 lbs gorilla in the room outside. Same goes for pen testing...if the developer spends some time pen testing, how much better would he be at finding exploits in the software he created than the hacker that has only intuition to go on?
Posted by: Annoyed with Updates 07 Sep 2009
Hum...
Hackers (not crackers) should be contacting first Microsoft, THEN everybody else, so they can have time to build a fix. So... what explains flaws in Linux (with exploit code samples) are made publicly available, and then are patched hours later?
Posted by: fulanoDeTal 06 Sep 2009