** Private ** wrote:
> From: Jochem van Dieten
>> 
>> How about Code Red and Nimda?
>
> Code Red targeted the MS Index Server, Nimda tried a few other buffer
> overruns to IDC as I recall.

According to MS at least Nimda was in IIS itself: 
http://www.microsoft.com/technet/security/bulletin/ms00-078.mspx


>> IIS needs to be run as a privileged user, Apache doesn't. Due to this
>> simple fact, IIS is inherently less secure. If Apache gets compromised,
>> you get the Apache account. If IIS gets compromised, you get the
>> server.
>
> Not in Windows 2003 with IIS 6. Not really even with IIS 5. While the
> service itself runs as Local System

So if you get the service, you get the server. Some part of the request needs 
to be handled by a privileged process because some decisions, like under which 
account the bulk of the work should be done, can only be made after headers 
have been interpreted.


>> So why not get a support contract for your open source application?
> 
> Usually that ends up costing more.

More than what? More than investing in the skills of their own people so they 
can solve problems themselves? More than accepting the occasional downtime and 
loss of business revenue? Good for them if they choose the cheapest solution.

Jochem

Archive: 
http://www.houseoffusion.com/groups/CF-Community/message.cfm/messageid:227155