** Private ** wrote:
> The process that owns port 80 on IIS 6.0 machines is the HTTP.SYS
> driver (when enabled). This is a kernel-mode driver that only
> forwards requests and *cannot* have user-mode application code loaded
> into it, as it does no execution. Any exploits into this are useless.

The http.sys driver is essentially the same as the tux in-kernel webserver for Linux that has been around since 2001. Tux doesn't run executable code either. Tux forwards requests that require execution to a full webserver too. Yet despite all that, Tux is not accepted into the Linux kernel because even such a minimal implementation is considered a security risk.

> What's the security hole here? Saying "if there's a bug..." is a waste
> of time since it applies equally to both IIS and Apache.

This is all about bugs. We know there are bugs in every non-trivial application. The question is what happens when one of those bugs gets exploited. The worst case scenario for any exploit is that it gains full control at the same level as the exploited application. That is why it is important that applications start with the least privileges.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Community/message.cfm/messageid:227399
