-----Original Message-----
From: Steven <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, June 23, 1999 6:55 AM
Subject: [BiNus] Security flaw (AGAIN) in Microsoft IIS

Well, this is another reason why I don't trust M$... and I'm glad that I don't! I'm sure many web servers in Indonesia (including Binus) are also based on Microsoft IIS. So, how about it, have you applied the patch yet?

Microsoft Prompted to Post Patch for Security Breach

Last week, eEye Digital Security Team, a small Calif.-based Internet security firm, reported that the latest release of Microsoft Internet Information Server (IIS) contained a serious security breach that would allow hackers to take over the server and, in extreme cases, the network to which it is attached. Microsoft Internet Information Server is the most commonly used Windows NT server on the Web, operating 20 percent to 25 percent of the world's sites.

eEye [http://www.eeye.com] reported that the breach "allows arbitrary code to be run on any Web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the Web server software, an attacker can remotely execute code to enable system level access to all data residing on the server."

By the end of the week, Microsoft published information about the security breach and made a patch to correct the flaw. The patch can be obtained via its security Web site [http://www.microsoft.com/security]. Microsoft's release of the patch came only days after eEye announced it had discovered the breach. eEye also made available two working demonstration programs that could be used to exploit the security breach.

Microsoft blasted eEye's decision and questioned the company's motives in simultaneously announcing the security breach and publishing programs that could be used to exploit the breach. "Responsible companies do not publicize the security holes before a patch is available and do not publish hacking software," Scott Culp, a security product manager for Microsoft, told Wired News.

In response to Microsoft's jabs, eEye posted a retort on their Web site. It stated: "We are a full disclosure security team, and we were not working under any non-disclosure agreements with anyone. Our responsibility to our clients and the whole network community is to disclose as many details as possible... If our team starts hiding the facts, we'll be no better than a software vendor that rushes insecure products to market."

eEye said that it had notified Microsoft on June 8 about the security breach, but the software giant had not taken steps to correct the problem. In addition, Microsoft had stopped responding to their e-mails about the breach. The company felt publishing the problem and software to exploit it would force Microsoft to address this security issue.
