Brian Steele <[EMAIL PROTECTED]> wrote:
>Typical anti-MS FUD. I'll pay it the due attention it deserves ;-).

And how is pro-MS FUD any better than anti-MS FUD?

Those of us whose jobs and business rely on information security have to meet a standard of due diligence that generally prevents us from recommending MS proxy servers, MS mail gateways or IIS servers anywhere _near_ sensitive information. When we don't, it can come back to haunt us. How would you, for example, tell your customers that 90% of their IIS servers can be cracked by anyone who cares to browse www.rootshell.com? (see CERT Advisory below)

I've interviewed many older managers over the years, you know the type, they once bought IBM because "you'd never be fired" for it and have been doing the same with MS. As often happens they've been downsized and are out interviewing. Trouble is they don't know their technology. After the interview is done I typically thank them, show them the door, and cross their name off the list of candidates.

The moral? Don't put all your eggs in any one basket, especially when that basket is woven from millions of lines of hastily written and poorly debugged code...

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

> CERT Advisory CA-99-07 IIS Buffer Overflow
>
> Originally released: June 16, 1999
> Source: CERT/CC
>
> Systems Affected
>
> * Machines running Microsoft Internet Information Server 4.0.
>
> I. Description
>
> A buffer overflow vulnerability affecting Microsoft Internet
> Information Server 4.0 has been discovered in the ISM.DLL library.
> According to Microsoft, ISM.DLL is the "filter DLL that processes .HTR
> files. HTR files enable remote administration of user passwords."
>
> A tool to exploit this vulnerability has been publicly released.
>
> II. Impact
>
> This vulnerability allows remote intruders to execute arbitrary code
> with the privileges of the IIS server.
> Additionally, intruders can use this vulnerability to crash vulnerable
> IIS processes.
>
> III. Solution
>
> Microsoft has released Microsoft Security Bulletin MS99-019 describing
> a workaround to this problem. Additionally, Microsoft is working on a
> patch to fix this problem; information regarding this patch will be
> available in the Microsoft Security Bulletin. We encourage you to read
> this bulletin, available from
>
> http://www.microsoft.com/security/bulletins/ms99-019.asp
>
> We will update this advisory as more information becomes available.
> Please check the CERT/CC web site for the most current revision.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html.
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site http://www.cert.org/.
>
> To be added to our mailing list for advisories and bulletins, send
> email to [EMAIL PROTECTED] and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be
> found in http://www.cert.org/legal_stuff.html.
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> Revision History
>
> June 16, 1999: Initial release
