On Wed, 9 Jun 1999, John Wiltshire wrote:
> Date: Wed, 9 Jun 1999 16:43:58 +1000
> From: John Wiltshire <[EMAIL PROTECTED]>
> To: "Firewalls (E-mail)" <[EMAIL PROTECTED]>
> Subject: RE: Why not NT?
>
[snip]
>
> As for Microsoft's track record with dealing with NT security issues, hop
> over to the NTBugtraq archives and I think you'll see that several Microsoft
> people live there monitoring and helping out with the issues - at least as
> much as I've seen from other vendors on their respective lists.
>
> Regards,
>
> John Wiltshire
So, this must not be counting Microsoft's latest SNAFU with the IIS
problem discovered by eEye. Case in point: eEye notified Microsoft on
the 8th of this _very serious_ bug and Microsoft chose not to warn their
customers and at least give a workaround (i.e. disable .htr) so eEye had
to release this information--and did so on the 15th--a week later! Do you
really think this is adequate, especially given the serious nature of the
flaw? eEye even had problems getting responses from Microsoft while
waiting for them to fix it. I think it's time to remove your blinders.
How many freakin' days does it take to provide even a temporary workaround
(which eEye provided themselves) that, for example, limits the URL length
to 255 chars? MS has the source--just add in this check, release the
temporary fix, continue working on the permanent fix--saving hundreds of
thousands of servers from being exploited in the meantime.
Oh, food for thought: If MS is now so security conscious, why does their
*web server* _still_ run as SYSTEM... This is security 101 and I give
them an F. The flaw in IIS would not have been as devastating (run any
code you want _as SYSTEM_ on the remote host...)
-Jason
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
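The temporary workaround the message argues Microsoft should have shipped (cap the URL of a .htr request at 255 characters, or refuse .htr altogether) written out as an added example. This is not code from the original post, from IIS, or from eEye; the request-line parser, the `URL_LIMIT` constant, the `disable_htr` switch and the sample request lines are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical front-end check in the spirit of the workaround discussed
 * above: cap the URL of any .htr request at 255 characters, or refuse .htr
 * entirely. Constructed for this note; not IIS code and not eEye's tool. */
#define URL_LIMIT 255

enum verdict { REQ_ALLOW = 0, REQ_REJECT = 1, REQ_MALFORMED = -1 };

/* Locate the request-target in "METHOD SP target [SP HTTP/x.y]".
 * Returns a pointer to the target and stores its length, or NULL when the
 * line carries no target at all. */
static const char *request_target(const char *line, size_t *len)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return NULL;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    if (end == NULL) end = start + strlen(start);  /* HTTP/0.9: no version */
    if (end == start) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Does the path part (before any '?') end in ".htr", case-insensitively?
 * Case matters here because NT file names are not case-sensitive. */
static int targets_htr(const char *target, size_t len)
{
    const char *q = memchr(target, '?', len);
    size_t plen = q ? (size_t)(q - target) : len;
    return plen >= 4 && strncasecmp(target + plen - 4, ".htr", 4) == 0;
}

/* The temporary fix: refuse a .htr request whose target exceeds URL_LIMIT,
 * before anything copies it into a fixed-size buffer. With disable_htr set,
 * refuse every .htr request (the "disable .htr" workaround). */
enum verdict check_request_line(const char *line, int disable_htr)
{
    size_t len;
    const char *target = request_target(line, &len);
    if (target == NULL) return REQ_MALFORMED;
    if (targets_htr(target, len)) {
        if (disable_htr) return REQ_REJECT;
        if (len > URL_LIMIT) return REQ_REJECT;
    }
    return REQ_ALLOW;
}

/* Build a constructed request "GET /AAAA....htr HTTP/1.0" with n 'A's and
 * run it through the length check; the target is then n + 5 bytes long. */
enum verdict verdict_for_htr_name_len(size_t n)
{
    static char line[1024];
    if (n + 5 + 13 + 1 > sizeof line) return REQ_MALFORMED;
    size_t i = 0;
    memcpy(line + i, "GET /", 5);          i += 5;
    memset(line + i, 'A', n);              i += n;
    memcpy(line + i, ".htr HTTP/1.0", 13); i += 13;
    line[i] = '\0';
    return check_request_line(line, 0);
}

int main(void)
{
    /* Constructed sample request lines. */
    const char *samples[] = {
        "GET /default.htm HTTP/1.0",
        "GET /scripts/change.HTR?x=1 HTTP/1.0",
        "GARBAGE",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %d\n", samples[i], (int)check_request_line(samples[i], 0));
    printf("250-char name (target 255) -> %d\n", (int)verdict_for_htr_name_len(250));
    printf("251-char name (target 256) -> %d\n", (int)verdict_for_htr_name_len(251));
    return 0;
}
```

The point of the boundary cases (a 255-byte target passes, a 256-byte one is refused) is that a cap like this is cheap to add at the request-line stage and fails closed, which is why a vendor with the source can ship it in days while the real fix is still being worked on.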