> > > We were hacked because of a vulnerability that wasn't
> > > patched until the day _after_ we were hacked.  Of course
> > > we didn't discover it for a while...
> >
> > What specific vulnerability was that?
>
> http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
>
> Apache et al are quicker on fixing stuff like that.
>
> > Most IIS vulnerabilities entail services and functionality that can
> > and should be disabled for public web servers.
>
> SSL?
>
> > If configured properly, you can avoid these vulnerabilities even if
> > patches don't exist for them.
>
> Any suggestions on how the above could have been avoided?

I'm a bit confused. Are you saying your server was compromised via this SSL
exploit?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=%20CAN-2004-0120

To the best of my knowledge, all you can do with this is denial of service.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444