×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Remote 'Root' Exploit in IIS 5.0

jamie posted more than 12 years ago | from the they-made-me-write-this dept.

Microsoft 184

eEye Digital Security was doing some testing that apparently Microsoft hadn't done on its own webserver (IIS 5.0) running on its latest OS (Windows 2000, all versions). "Within a matter of minutes," they say, "a debugger kicked in on inetinfo.exe because of a 'buffer overflow error'" -- and two weeks later, we got simultaneous announcements from Microsoft and eEye. This is a remote SYSTEM-level exploit in a popular webserver, in the wild, i.e., Danger Will Robinson. eEye says about a million servers will need to be patched; it may be more. Go see Microsoft's writeup and patch. See also eEye's droll and informative writeup, which, now that an exploit is confirmed to be in the wild today, has added some source code.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

184 comments

Re:Apache can run as 'nobody' Why does IIS need ro (1)

Anonymous Coward | more than 12 years ago | (#249526)

I can excuse holes in IE letting attackers mess up win98 because it's in single user mode all the time, but NT? There's A CHOICE to run programs as 'root' or as a user. For NT and IIS there is no acceptable explanation other than Microsoft saying "We fucked up bigtime."

Of course (1)

Anonymous Coward | more than 12 years ago | (#249527)

Dude, if iis 5 didn't have a few remote exploits, so many script kiddies would be out of a hobby. Thank god the proud tradition of most easily defaced webserver continues at microsoft!

Re:Bad news about MS, let the games begin (1)

Anonymous Coward | more than 12 years ago | (#249528)

Don't be a jerk. Hell I heard the story on NPR this morning and was amazed to see how long /. took to post it.

Re:Um, well, kernel 2.4.3 has integrated WWW suppo (1)

Anonymous Coward | more than 12 years ago | (#249529)

IIS does some sort of file locking or caching in kernel (probably similar to what khttp does), and that's all. IE runs entirely user mode on NT.

Thanks for FUDing, please drive thru.

Re:bottom line (1)

Anonymous Coward | more than 12 years ago | (#249530)

"... as opposed to other OS's which you'd have to configure a service to run."

Have to configure a service? I beg to differ. My boxes get portscanned a couple dozen times a day. About a third of those scans appear to be coming from Redhat default server installs that were compromised by scripts running on some other Redhat default server install that was compromised by scripts running on some other Redhat default server install that was ...

I hold Redhat responsible for all these portscans to the same extent that I hold Microsoft responsible for the hundreds of Outlook viruses that have appeared in my inbox. Fortunately, neither affects me much, but I know they affect others.

eEye? (2)

Anonymous Coward | more than 12 years ago | (#249531)

eEye. eEye? Oh...

LOL (2)

Anonymous Coward | more than 12 years ago | (#249532)

Yes! WE chinese hackers have modified hundreds of USA web servers' Index.html etc...! Most of them are Windows NT 4 or 2000 LOL Microsoft makes the difference!!!!

Re:The Media (2)

Anonymous Coward | more than 12 years ago | (#249533)

2.2.16 was a local exploit only, bad, but nothing like a remote root exploit.

BIND is not enabled by default on most distros.

This is news because it is the worst kind of security hole possible, and its exploitable on a default version of win2000.

An exercise for the reader: modify the exploit given to install a DDoS client, and then write a PERL script that trys the exploit against sequential IP addresses.

The kiddies are falling over each other doing exactly that. The exploit has been out for a few days or so, and I've ALREADY got firewall logs of someone scanning my entire class C for it! This will no doubt end up being even bigger than the rpc.statd in redhat 6.2 exploit in terms of mass exploitation for DDoS purposes.

Apache can run as 'nobody' Why does IIS need root? (3)

Anonymous Coward | more than 12 years ago | (#249535)

Seriously, why does IIS need full Administrator privs? This is a security risk that all IIS users saw from day one and chose to ignore.

Will the 'fix' from Microsoft involve IIS running with user level privs? I betcha it won't.

Re:One of the better quotes (3)

Anonymous Coward | more than 12 years ago | (#249536)

Actually the restart feature applies to all W2K services. You specify what to do on the first and second explicitly, and then on subsequent. The options are to restart service, reboot computer, take no action, or run an external program (such as a pager alert program). By default it is set at take no action, meaning the service dies and stays dead until manually restarted.

Bad news about MS, let the games begin (4)

Anonymous Coward | more than 12 years ago | (#249537)

Do the /. editors knock each other down on the way to post bad news about Microsoft? Seriously, do you guys have your own 'Frist (Anti-MS) Post thing going between you? Relevant stories get rejected all the time, but you guys must hit 'refresh' ad nauseum until something appears in the inbox with bad news about Microsoft. After that, all bets are off, whoever can hack together a clever title, story, and work in a few extra jabs at Gates & Co., and YOU ARE THE FRIST POST MASTAH! Why not revamp the stories to reflect your true inter-editor competition? Something like:

CmdrSprk writes: Another MS Bug FA-MSP Editor Biachezzzz!!!!! I 0wn3z j00! Sporks rule!

No need to worry! (5)

Anonymous Coward | more than 12 years ago | (#249538)

From Microsoft:

This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.

Only females can exploit this hole!*

*Not to be taken out of context

Actually, 1 million is probably accurate... (3)

Wakko Warner (324) | more than 12 years ago | (#249540)

Most places still run IIS 4 on NT 4.0, either because of proven stability, laziness, compatibility issues, or sheer inertia (which I guess could also be laziness.) Still a hell of a lot of servers, though.

- A.P.

--
Forget Napster. Why not really break the law?

Re:The Media (2)

pohl (872) | more than 12 years ago | (#249542)

Remote exploits are gaping holes. Using non-root authority to leverage root authority (which was the bug fixed in 2.2.16) is merely a hole, not a gaping one. These are two entirely different classes of security problems. Remote exploits are cause for sounding the alarms. Besides, nobody has said that linux (or a linux application) has never had such a bug. You're setting up straw man arguments to lure careless moderators into throwing "Insightful" points at your insightless post.

The problem is IIS running as system (2)

Lord of Caustic Soda (3117) | more than 12 years ago | (#249547)

The whole problem would no nowhere as bad if IIS isn't running as system. This is definitely a fault of Microsoft because it wanted things to be nice and easy integrating the NT security with IIS. I can't remember any Linux/BSD distribution installing Apache as root. On NT/Win2000 every service and its dogs run as system, and any of them having a buffer overflow bug would leave the entire system open to sack and pillage.

It needs to be said that there are equivalent stuff on Linux: Most distributions have a BIND package that runs as root, WU-FTPD as well...

Re:Um, this is old news... (5)

jamiemccarthy (4847) | more than 12 years ago | (#249550)

"Debian sendfile root exploit (updated package available)"

That's a local (not remote) root exploit in a not-commonly-installed tool.

"Bugzilla shell exploit (updated info available)"

That's a remote unprivileged-user (not root) exploit in a not-commonly-installed application.

"Iplanet calendar server exposes netscape admin password"

That's a local (not remote) non-root exploit in a not-commonly-installed application.

"DoS against Novell Border Manager"

That's, um, a DoS against Novell Border Manager.

"But it's not news unless it's Microsoft, eh, folks?"

I know it's fun and easy to bash Slashdot for being anti-Microsoft, especially when we report security news, but we don't ignore open-source problems [slashdot.org] and we only report vulnerabilities which are of pressing and widespread concern.

Jamie McCarthy

The sad thing (1)

jjr (6873) | more than 12 years ago | (#249551)

About This is the not everyone is going to patch thier server some and then cry like a fool when the get hacked. Despite the fact they are many people out there take thier security seriously alot more do not. (I had this happen to a friend where the hosting company did not apply a patch that 6 months old. Well have fun patching and rebooting :)

I think you're being unfair (3)

astrashe (7452) | more than 12 years ago | (#249552)

This exploit is more serious than the others you've listed. It's a remote root exploit, and it affects people who take the out of the box installation.

A comparable Unix exploit would have been the recent BIND fiasco. And that got good coverage on /.

I get tired of MS bashing too. But I think there's a lot less of it here than there used to be. The article about Easel and Ximian took a lot of heat, but I think it was a healthy thing to post. We're still a long way away from looking at the ethics of some of the Linux IPOs, but it's a start.

This is a big security problem, and it was made worse by some questionable design decisions (automatic restarts, etc.). But the effect isn't really any worse than the recent BIND exploits.

And you could argue, as perhaps the OpenBSD guys might, that by not advising people to run BIND in a chroot jail, the ISC guys are being less responsible than MS, which has published security guidelines that protected the users who followed them from this particular exploit.

But what good does that do? The reality is that both Linux and Windows have their share of security problems. MS has a long list of bad decisions from a security point of view, but we have things like linuxconf. Sacrificing security for convenience isn't just a MS thing. And there are plenty of buffer overflows to go around.

We need to encourage everyone to think about security more seriously. We need to get companies to think about security from the beginning, instead of trying to bolt it on in the end. And we need to make sure that they respond quickly when problems do arise.

This just isn't a Linux vs. MS situation.

Re:Why use IIS? (1)

PlazMatiC (11127) | more than 12 years ago | (#249556)

why not just fricken run apache on unix?

....

Just pretend to be professional for a second and use unix...


Personally, I prefer linux to any other operating system I have tried. But in my experience, it's quite hard to convince a business running more established platforms to change to an 'alternative' operating system. I've managed to convince the school I work at to replace one of the Netware servers with a linux machine running samba, but it wasn't easy.

The reason I asked the question in the first place was that I don't know the dis/advantages of using IIS or apache under win32.

Why use IIS? (2)

PlazMatiC (11127) | more than 12 years ago | (#249557)

I've never really used IIS .. I've never really felt the need, so I don't know what its good points are.
My question is, why not run apache on Windows NT/2000? Does IIS have any major advantages over apache and the wide range of addons which are available for it?

Re:Actually, 1 million is probably accurate... (1)

superdoo (13097) | more than 12 years ago | (#249559)

Most places still run IIS 4 on NT 4.0, either because of proven stability, laziness, compatibility issues, or sheer inertia (which I guess could also be laziness.) Still a hell of a lot of servers, though.

This is certainly the case where I work. See, with load-balancing, and extreme over-provisioning (or maybe recognition that MS solutions consume hardware at a rate aproaching 8-sideways), we have probably nearly 100 NT servers now. With the recent economic downturn, it is pretty much a given that we will be sticking with the status-quo for probably the remainder of the year. That means running servers with NT 4.0 SP 6a (since apparently SP7 is only available in orbit), with the associated software (IIS 4, etc).

Ah well, it makes life interesting at least. 8^)

Re:Stop, wait, don't flame. (1)

An Ominous Coward (13324) | more than 12 years ago | (#249560)

Change that to "Large, complex programs written in languages like C are subject to buffer overruns", and I'll both agree and point out why I don't like crufty old languages.

Re:Why use IIS? (1)

SerpentMage (13390) | more than 12 years ago | (#249561)

I do not agree with that all. I was CTO of a company (resigned today) and we used W2K servers with Apache 1.3.19. Apache ran like a charm and was STABLE AS HELL. Where IIS may need a reboot or restart Apache just kept on running.

I made the decision to Apache because the W2K environment has better development tools.

But there is one thing to remember W2K is REALLY GOOD, just do not run any MS software on top of it. Then things become very unstable very quickly.

Re:Read Closer. (1)

Cassandra (14615) | more than 12 years ago | (#249564)

Don't blame Ford when you had your keys to a 3 yr old and they wreck the car....

If the car looked like a toy and was easy to use for the three year old, and on top of this, was of a major brand (i.e. had cred), I would...

The Slash Dotcasting Company (2)

PRickard (16563) | more than 12 years ago | (#249565)

...and that was today's episode of As The Massively Obvious Security Hole Turns, brought to you, as always, by Microsoft! 'Microsoft - What Do YOU Want To Crack Today?'

[annoying organ music]

Kids, don't forget to send in those Ovalteem labels for your free Windows XP Product Activation DECODER RINGS!

Tune in next week for our latest episode - Clippy's Revenge!

[more annoying organ music, followed by station identification]

Re:Read Closer. (2)

sharkey (16670) | more than 12 years ago | (#249567)

Of course, Ford doesn't advertise that their cars practically run themselves, with no operator needed. Nor do they include a "Getting Started" guide that gives the sense that nothing more is needed than the pointy, clicky, hit FINISH and it's running method. Their allowing their "certified" people to be churned out after a week of rote-cramming and little-to-no practical experience furthered that image. So many MCSEs have proved to be so obviously clueless that the idea that NT can be competently adminned by someone with a clue deficiency.

--

Re:bottom line (2)

sharkey (16670) | more than 12 years ago | (#249568)

Anyone running printer services over the Internet on a server is an utter moron for one.

How else would you run printer services over the Internet, assuming that's what you require? Throw an HP JetDirect box next to your router? Or set up an IPP daemon on a server you can secure, printing to the printers, and lock it down?

As an aside, are there any good, securable IPP daemons for any OS out there yet? I haven't touched Win2000's IPP service yet, and haven't had much chance to look into CUPS on Linux.

--

Re:Microsoft Announces New "RemoteRoot" Feature (3)

sharkey (16670) | more than 12 years ago | (#249569)

Quite so. The weary WebAdmin, as well as the SysAdmin and Network Operator can all sleep easy knowing that Joe RandomScriptKiddie is remotely administering the latest updates to their Win2000 servers for them.

--

Re:What's the problem? (5)

sharkey (16670) | more than 12 years ago | (#249570)

What if it's crawling or limping, as would be more likely than "running?"

--

I liked Infomation Week's coverage better. (1)

Mike McCune (18136) | more than 12 years ago | (#249572)

Some interesting quotes are:

"IIS has been a cancer on Windows 2000," he says. "Including that code in the Windows 2000 base vs. it being a separate application was a huge mistake."

InformationWeek:How much more complex is Windows 2000 security compared with Windows NT 4.0? And in what ways is it more complex?

Fossen: It's roughly 10 times more complex. The security infrastructure of Windows 2000 includes Active Directory, Encrypting File System, Group Policy, IPSec, Kerberos, public key infrastructure, remote-access policies, and smart-card logon services. NT security is characterized by the ad hoc plugging of security holes; Windows 2000 security is characterized by the management of these security services to make security scale across an enterprise. Holes still need to be plugged, of course, but now there are built-in tools to make even that effort easier.

http://www.informationweek.com/story/IWK20010502 S0 003

http://www.informationweek.com/834/winsec.htm

With Windows 2000's complexity and some poor design decisions, I have a feeling we will see more major security flaws in the future.

Re:Ugh. (2)

MadAhab (40080) | more than 12 years ago | (#249578)

Right on. (although CERT did release today).

But I also found the timing of the Microsoft announcement and the eEye announcement on Bugtraq interesting. They came out basically at the same time, and there is nothing about eEye's self-aggrandizing announcement that makes me think they would be particularly sensitive to protocl.

One of two things happened; either those eEye guys are more polite and rational than they sound, or else bugtraq held the announcements to coincide. Acutally I'm guessing both.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Why we blame M$ (1)

QuantumG (50515) | more than 12 years ago | (#249580)

I'm sure eEye has a very long list of bugs just like this one that they will not release until the media attention dies down.

Re:bottom line (1)

QuantumG (50515) | more than 12 years ago | (#249581)

That's their business, it is hardly a new tactic. The only way to sell security is via the media, because only an expert can tell the difference between two security companies. They are indeed in it for the publicity. They are sending a very specific message to the media: if you had their product installed you would not be vulnerable (note: they had fixed this bug even before they found it!), but seeing as you dont, well here's the exploit kids, have fun. Actually it's not like that, but it was last time :)

Re:Hats off to eEye (1)

QuantumG (50515) | more than 12 years ago | (#249583)

All true. Personally I'd prefer they fix the bug than give out sploits to everyone. If you are going to write a sploit that puts a txt file in the root directory saying where the admin can get the patch, why not fix it yourself? It was just one byte ya know. Da fedz should write a one byte patch sploit and scan the net patching this for people. That would be sweet.

language solutions (3)

QuantumG (50515) | more than 12 years ago | (#249584)

Yawn, I'm not going to go over this argument yet again. The bug is essentially this one instruction:

mov [ebp+var_4], 202h

when the buffer is actually only 101h bytes long. So eEye could of made a one byte patch and released this, fixed the problem and then gone to Microsoft to get them to fix it in the source. But that's not the way it goes down. Microsoft has to be the one that makes the patch and although they beat the 30 day average I think 11 days to release a patch is pretty shameful (openbsd would patch this in under 6 hours, 24 hours being the maximum). Especially considering that mumblings of this bug were on bugtraq before April 19.

Re:Um, this is old news... (1)

Rix (54095) | more than 12 years ago | (#249585)

You seem to be assuming that everyone here is an admin...

Plenty of us have no reason to keep track of bugtraq - because we don't admin servers. However, this is a rather major story (compared to the ones you've mentioned, anyway), and I'm sure lots of people are interested.

If it had been Apache, BIND, sendmail, or something, it would be here just the same.

Cheers

So why? (2)

Rix (54095) | more than 12 years ago | (#249586)

He asked a valid question. Like it or not, Apache is the norm on the net (though not necessarily on the Win32 platform). So why should someone choose IIS over Apache?

Your post seems little more than an eloquent version of "Apache suxxors and IIS rules". Please tell us why IIS is a good choice.

Cheers

Buffer Overflows (5)

moeller (57451) | more than 12 years ago | (#249588)

The vast majority of security vulnerabilities are buffer overflows. This latest vulnerability extends this status quo. There are technologies out there that prevent this, however, almost all of these technologies slow down the system in some way or another. Examples include languages that allow dynamically sized arrays and other preventative measures.

CPU speed is growing such that it would appear that we could take a speed hit for increased security. Is it coming down to the fact that various organizations would rather market a fast webserver at the expense of a secure one? The $64,000 question is why the industry has not moved towards safer technologies that prevent these security holes.

Not that Microsoft is incredibly innovative on the security front, but they're hardly the only culprit. Many others rely on unsafe languages and techniques that allow these vulnerabilities to leak through.

When will it end? Is there any incentive to end?

Hats off to eEye (3)

tqbf (59350) | more than 12 years ago | (#249589)

eEye takes an incredible amount of shit from the White Hat "elite" --- the same people, like Marcus Ranum and Bruce Schneier, who villify the researchers at eEye have a noticeably softer take on Mudge and The L0pht. The difference between the two? The L0pht's non-research hacker involvement and a lot of trendy Boston VC money.

Of course, I'd be pretty upset too if a bunch of upstarts were singlehandedly obsoleting my practices and methodologies, like eEye (and groups like them) has done with "traditional" security consulting and management. I just hope all you people are watching now and paying attention to the contributions the security community gets from eEye's critics.

A published root hole in IIS is a coup for open source (when was the last "Administrator" break from Apache?). The disseminated fix will be a coup for full disclosure. Everybody wins. Except the dinosaurs.

Re:Apache can run as 'nobody' Why does IIS need ro (1)

oldman1080 (63173) | more than 12 years ago | (#249591)

I'm no expert in this area, but as I understand it, buffer overruns can get root access even when the program is running under user mode. If you read the article, it said that the buffer overrun caused IIS to shutdown, but unlike Apache or other servers it will automatically restart if it detects that it has crashed. (Kind of like how Windows will automatically scandisk after crashing, because its assumed that it will crash often). Anyway, my guess is that the buffer overrun code executes while IIS is starting up, between the point where the process is created (as Administrator) and the point where its priviledges devolves to a user.

Anyone more knowledgeable care to comment? I'm also curious how chroot()ed environments can help prevent root hacks in the linux environment. According to my admittedly sketchy theory, there is still the point where a process starts off as root, correct? Someone plz fill in! =)

Re:bottom line (1)

nmx (63250) | more than 12 years ago | (#249592)

They really are in it just for the publicity. So? Yeah, maybe it is sleazy of them, but at least someone found this exploit so that it could be patched. So what if it's free publicity for them? Would it have been better if a black-hat had found it and exploited it? I don't think so.

Re:Stop, wait, don't flame. (1)

nmx (63250) | more than 12 years ago | (#249593)

The writeup for the story didn't blindly insult Microsoft, or insult them at all, for that matter. It just said that there was a vulnerability, and that it's a potentially large problem. Both are true statements.

Most of the comments I've read haven't bashed Microsoft either. So your post is completely irrelevant. I don't blame you; it's the poor moderators that make karma whoring possible.

Of course, this will get modded down to -1 Flamebait in a matter of seconds, because I went and insulted the moderators. Oh well.

bottom line (4)

joq (63625) | more than 12 years ago | (#249594)

Lets get real for a second here. Anyone running printer services over the Internet on a server is an utter moron for one. Secondly shame on Microsoft for allowing by default just about everything under the sun to run, as opposed to other OS's which you'd have to configure a service to run.

Thats the most common problem with server security, is the lack of knowledge of some of the administrators setting them up. They don't truly know what is running either via way of moronically not being intuitive enough to know what ports are open for what services and why, or just not having a clue altogether.


Ryan Permeh, resident shellcode ninja of eEye Digital Security, has created an example exploit to be used as a "proof-of-concept".

Funny how many would whore out including the staff of eEye. Instead or placing a nicely written morally sound write up, they overhype the issue to promote their product.

Lets not forget, what goes around comes around [attrition.org] as eEye has seen in the past. I've purchased programs via my company from eEye, and they're not all that, nor are their advisories. Someone should teach those guys humility.

As for Microsoft, its just another one of their flaws, so I don't see what the big deal is.

removing the dot in dot com [antioffline.com]


When you try to be the end all be all (3)

SirSlud (67381) | more than 12 years ago | (#249596)

Since MSs products do this that the other thing and the last thing you ever want to do but not the thing you need to buy the 3rd party software for, is it really any surprise MS always suffers from escaped code review buffers? When you bite off more than you SHOULD chew, this 'll always happen. =)

Its a good thing for the OS community .. more granular projects lead to better security ...

Garret

Re:Why use IIS? (3)

Nailer (69468) | more than 12 years ago | (#249597)

Apache can run VB based ASP via closed addons from Chillisoft and Halycon software and Perl based ASP using Apache::ASP (I think that's what its called), an open source app.

Apache can also authenticate against NT domain security using the SMB PAM module.

IIS is administered through a standard interface which is very friendly. There are a few of these available for Apache, most notably a great Webmin module.

Many old versions of Apache modules were a bitch to package (ie. PHP3). Newer ones (ie. PHP 4) package great, but compile-heads who prefer using non known-good software that isn't supported by their distro because it satisfies their pathetic egos still like compiing, and less epxerienced admins think that's the standard way to do it.

And its SYSTEM, not 'root', on an NT box.

Call it the 4:20 sploit (1)

da5id (91814) | more than 12 years ago | (#249606)

The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.

Heh Heh.

echo $email | sed s/[A-Z]//g | rot13

Re:Um, this is old news... (5)

blakestah (91866) | more than 12 years ago | (#249607)

As many people have pointed out, anyone reasonably experienced, and any "real" website, isn't vulnerable to this if they followed the best practice of deleting all app mappings that aren't in use. It's like the blank SQL sa password all over again. Easy to get worked up about, pretty much a nonissue for anyone who even halfway knows what they're doing.

Right. And millions of stolen credit card numbers as a result is only proof of stupid admins, not stupid software.

Software has an obligation to setup secure by default, and insecure by the expressed will of the admin. Apparently with IIS and/or MSSQL this little bit of advice is forgotten.

You can go on and on about how anyone who bothered to read the docs would not setup the server in a vulnerable way, but this ignores an INCREDIBLY important aspect of human nature. That default computer usage should be reasonable is assumed by default. 80+% of all web users NEVER change their home page. In a simliar vein, most web admins simply use the default install, irrespective of the potential holes pr default passwords.

The default install has to work securely, plain and simple. For IIS or MSSQL, there are obvious reasons that your customers' business is not safe if you used the default install.

Re:Apache can run as 'nobody' Why does IIS need ro (4)

bmajik (96670) | more than 12 years ago | (#249608)

Because unlike apache on unix, IIS has a built-in facility to let "webs" and "subwebs" take on different user priviledges.. giving not only a sort of "run-as" functionality to web apps easily, but also leveraging the NT security model for isolation between separate websites and apps on the same webserver.

To do this with apache, well, you're talking about extensions and helpers that break parts of apache and are security risks in their own right... "suexec" comes to mind... and apache still needs to run as root to let any of these work. Furthermore, does suexec work with php ? mod_perl ?.. or is it only a cgi-bin wrapper (i.e. killing apaches performance as a dynamic content server)

Fwiw, there may be better solutions than the old suexec on apache by now...

it is possible that via perhaps Impersonation, IIS could run as non-system and still have separate users and app protection etc, but thats tricky to program. There may be other reasons for IIS to run as system; what i've written is just a possibility.

Re:Stop, wait, don't flame. (1)

paxil (99137) | more than 12 years ago | (#249609)

If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.

Yep. And much as I hate to say it, the security bulletin [microsoft.com] on the Microsoft site is well written and honest.

Re:Stop, wait, don't flame. (1)

Catamaran (106796) | more than 12 years ago | (#249611)

Yes, this seems to be a really nasty hole, but it doesn't appear as if it's been exploited (yet, of course).

That is very naive. This exploit is difficult to detect, and a real cyber-thief would not advertise his or her activities.

PS: this is not a flame.

One of the better quotes (5)

Mr Krinkle (112489) | more than 12 years ago | (#249616)

"However, this couldn't be used to conduct an effective denial of service attack, as the IIS 5.0 service automatically restarts itself after a failure. " If it takes me like one packet to shutdown the service(Hence the restart). I can generate lets say 4 packets per minute? (I really do have a better connection but) If I can not keep an IIS server thoroughly enough pissed with a small attack to prevent users Im confused. Not that I would but I just refuse to believe that while IIS is automatically restarting itself users would not be denied service. Oh well two cents. minus a dollar.

Re:Read Closer. (2)

pi_rules (123171) | more than 12 years ago | (#249622)

Even without that an admin should inspect anything that's viewable upon basic install -- and delete it if not needed. Really, this is like letting Apache install stuff to your cgi-bin/ directory and leaving it there even if you have no use for it.

A) This thing shouldn't have been installed by default. Oops on Microsoft.
B) If an admin is worth his weight in dirt he would have seen it already and canned it.
C) The MS coder that wrote something which would be included in a basic install should have been notified of this... and the code should have been properly audited. Odds are, whoever coded this ISAPI extension would have said upon notice that his extension would be in the default install something along the lines of, "WTF for? Nobody actually _uses_ this thing." :)

C would have fixed a few problems ... betcha anything the guy who coded it had no idea ever that this was in the default install. He's probably running around pisses as hell in the Redmond base right now because his "quick little addon" turned into a huge deal behind his back. :)

Justin Buist

Re:Um, this is old news... (1)

aiken_d (127097) | more than 12 years ago | (#249623)

Ye gods, I should hope my customers would *sue* me if I used the default install of any line-of-business app, without configuring it for their particular needs!

You talk about 80% of web users not changing their home page, but what does that have to do with web site operators? Surely you're not saying you'd run a completely default install of even Apache without at least going over the config files and making sure it's set up to offer the minimum featureset that you need for a particular site?

Right?

-b

Um, this is old news... (2)

aiken_d (127097) | more than 12 years ago | (#249624)

...at least by security standards. It's been all over bugtraq for the past few days.

Maybe I'll write a little app to just forward bugtraq emails which mention Microsoft to slashdot submissions. In case you *don't* follow bugtraq, and security is important to you, here's what else has gone on in the past few days that, oddly enough, will probably not rate slashdot articles:

- Debian sendfile root exploit (updated package available)

- Bugzilla shell exploit (updated info available)

- Iplanet calendar server exposes netscape admin password

- DoS against Novell Border Manager

...there's lots more. That's just in the past two days. But it's not news unless it's Microsoft, eh, folks?

-b

Re:Um, this is old news... (2)

aiken_d (127097) | more than 12 years ago | (#249625)

Fair enough, and you're right that the other news I cited was of problems less severe.

But in all fairness, when slashdot reports open source problems, it's not with the same gleeful tone that bad news for MS gets. "1 million servers! It could be more!"

As many people have pointed out, anyone reasonably experienced, and any "real" website, isn't vulnerable to this if they followed the best practice of deleting all app mappings that aren't in use. It's like the blank SQL sa password all over again. Easy to get worked up about, pretty much a nonissue for anyone who even halfway knows what they're doing.

I'll be the first to agree that this is both pressing and of widespread concern, but if Slashdot is concerned about being bashed, there are two easy steps to take:

1) Keep the tone about like it is for open source problems, more "Hey, everyone, you really need to patch XXXX" and less "Ha! Microsoft screws up AGAIN! Danger Will Robinson!" Anyone who's been around the block a few times knows that there are problems with ALL software products.

2) Do a touch of research and post what's actually going on currently, rather than one rather effusive press release. There's lots of history with this particular vulnerability -- some of which actually makes microsoft look worse -- so if you're going to be days behind bugtraq, at least bring some value-add editorial context to the whole thing by talking about the patch, MS's response, etc.

I love Slashdot. I just think it gets a bit emotional at times (hey, user posts should be as emotional as they want to be, but it's better when actual stories have a more professional feel).

Cheers
-b

Buffer Overflows are not the vast majority (4)

The Pim (140414) | more than 12 years ago | (#249630)

The vast majority of security vulnerabilities are buffer overflows.

I don't have numbers (probably only large espionage organizations do), but I'm willing to bet that's not true.

Buffer overruns undeniably get a lot of coverage on bugtraq--if you casually read the list, you'll be forgiven for thinking that buffer overruns are the overwhelming bane of computer security. But there are two biases to this observation:

  1. Buffer overruns get more talk than vulnerability reports. Go to the vulnerability database at SecurityFocus [securityfocus.com] and browse the recent reports. On the first page [securityfocus.com] , there are 28 vulnerabilities, of which only three explicitly mention buffer overruns. Even assuming that this is an unusually low number, and that a few buffer overruns aren't labeled as overruns, and allowing that buffer overruns tend to be more serious than the average vulnerability, this is hardly a preponderance.

    I frankly think the reason the discussion on bugtraq seems dominated by buffer overruns is that the community enjoys, and is comfortable, discussing buffer overruns. Even though the same religious issues (bounded arrays, language choice, non-executable stack, stack-guarding libraries) are rehashed over and over, people never get tired of them. Buffer overruns have a cherished place in security folklore. This is kinda nice in that it gives the community a common ground, but dangerous because it leads people to overlook the importance of other program flaws that can result vulnerabilities.

  2. bugtraq report statistics probably over-represent buffer overruns. This is related to the above discussion--buffer overruns are popular and well-worn ground. If you report one, everyone will understand it and you'll win sure ego points. So if you're going to search for vulnerabilities, you'll probably search for buffer overruns.

    Further, buffer overruns are plain easy to find. If you have source code, a few greps often take you right to the hole. Even if you don't, tools like fuzz [sourceforge.net] do pretty well (many bugtraq reports indicate that tools like this were used to find the overrun). Plus, contrary to what you might think, buffer overrun exploits are ususally easy to write, so don't think that turns of any would-be security gurus. Other classes of vulnerability usually require more analysis of program logic to find.

In short, even if we stop using languages with unsafe pointers tomorrow, our security woes will continue in full force.

Re:Um, this is old news... (1)

Sonicboom (141577) | more than 12 years ago | (#249632)

I submitted this story 2 days ago and it was "rejected". I mentioned this in another thread that was neither "news" or "stuff that matters" (it wasn't even humor) - and I was modded down for being a "troll".

Sometimes I don't understand /.

Anyway - re: this exploit - I am suprised that MS never saw this one coming... and I wonder how many corporations who are "too cheap" to hire REAL tech people will suffer the consequences of their frugality due to this overflow.

So.... (4)

Chester K (145560) | more than 12 years ago | (#249633)

Does anyone have a program that will exploit the hole and run code to automatically remove the .printer ISAPI mapping, then crash IIS so it will automatically restart with the new, safer configuration?

That would be a White Hat job.

Re:Stop, wait, don't flame. (2)

proxima (165692) | more than 12 years ago | (#249637)

Yes, hence my use of "yet, of course". Maybe this will encourage those lazy sys admins to download the patch.

Re:Stop, wait, don't flame. (2)

proxima (165692) | more than 12 years ago | (#249638)

I wasn't referring to the writeup, I was referring to the inevitable flamers who decide that as soon as they read Microsoft in a story they prepare their posts.

Stop, wait, don't flame. (5)

proxima (165692) | more than 12 years ago | (#249639)

Ok, so there's a major security flaw with Windows 2000 server computers running IIS 5.0 because this ISAPI extension is installed by default. A patch is already available, and for those who don't want to patch (why the hell not?), they can simply remove the extension.

Yes, this seems to be a really nasty hole, but it doesn't appear as if it's been exploited (yet, of course). Microsoft did release a patch and didn't try to play down its importance (so it seems to me). Those of us in the *nix community have had our share of root exploits in various daemons, so they crop up in even our most favorite software.

There is no reason to be blindly insulting MS or promoting the secureness of Open Source programs. Large, complex programs are subject to buffer overruns.

If you have a Win 2000 server or know someone that does, just get the patch. Simple as that.

Re:Read Closer. (2)

Alien54 (180860) | more than 12 years ago | (#249644)

Of course, Ford doesn't advertise that their cars practically run themselves, with no operator needed. Nor do they include a "Getting Started" guide that gives the sense that nothing more is needed than the pointy, clicky, hit FINISH and it's running method. They're allowing their "certified" people to be churned out after a week of rote-cramming and little-to-no practical experience furthered that image. So many MCSEs have proved to be so obviously clueless that the idea that NT can be competently adminned by someone with a clue deficiency.

In this context, here is this bit of classic humor, as they say, "found on the Net"

WHAT IF PEOPLE BOUGHT CARS LIKE THEY BOUGHT COMPUTERS?

General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "I got in my car and closed the door, and nothing happened!"
HELPLINE: "Did you put the key in the ignition slot and turn it?"
CUSTOMER: "What's an ignition?"
HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
HELPLINE: "Is the gas tank empty?"
CUSTOMER: "Huh? How do I know?"
HELPLINE: "There's a little gauge on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
CUSTOMER: "It's pointing to 'E.' What does that mean?"
HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"

HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
HELPLINE: "Thanks for buying our car. How can I help you?"
CUSTOMER: "How do I work it?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "Do I know how to what?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "I'm not a technical person! I just want to go places in my car!"

Check out the Vinny the Vampire [eplugz.com] comic strip

Re:And of course... (1)

Erasmus Darwin (183180) | more than 12 years ago | (#249645)

t's more important to the /. community to be informed of MS bugs than *nix ones? I think not.

One could argue that to the stereotypical /. community (avoiding the arguments of how no stereotype truely captures even a majority of the opinions on Slashdot) MS bugs are news (i.e. "That's nice. Discuss amongst yourselves or whatever.") while *nix bugs are alerts (i.e. I don't want to wait until the Slashdot editors feel it's the proper time to post the story in order to keep the intended news pace).

Why we blame M$ (3)

autocracy (192714) | more than 12 years ago | (#249646)

Nobody really considers Apache insecure, even if a major flaw was found in it. Why? Because flaws of this level are rare in Apache. M$, however, has fallen victim to 2 things. The first is that they push out a lot of bugs and sometimes break things with patches rather than fix them. The second is EVERYBODY hears about it when they have a bug. Even your grandmother.

You only come down really hard on the kid that is always in trouble...

REAL /.ers only have a karma of 49...

Re:Why use IIS? (1)

madenosine (199677) | more than 12 years ago | (#249651)

Apache on any version of windows is not stable, nor fast (although it is being worked on.) IIS, however, intergrates with (some versions of) NT, and runs much better than apache on NT. That isnt to say that apache on FreeBSD doesnt compete with IIS, just that apache on NT doesnt compete with IIS on NT. What it really comes down to is using NT or Unix, and the reasons for using NT vary.

Re:Well... (1)

Ergo2000 (203269) | more than 12 years ago | (#249652)

Any self-respecting sysadmin would have removed all ISAPI mappings except for .asa and .asp on installation (standard security procedure) and this wouldn't be an issue for them. That isn't to say that there probably isn't issue with the ASP ISAPI module, but at least it's heavily tested. Many of the other modules are fringe and likely to be vulnerability candidates.

However the same update requirement (i.e. keep on top of security patches) holds true for every OS and every system.

Re:The Media (2)

Ergo2000 (203269) | more than 12 years ago | (#249653)

No holes like this exist in Linux

I'm presuming that this is just a troll, but in case you're serious there are a number of holes just like this for Linux, and there remain thousands or millions of Linux servers that haven't properly been patched up (just as there are NT 4 servers with holes 2 years old out in the wild).

Re:Why use IIS? (2)

Ergo2000 (203269) | more than 12 years ago | (#249654)

My question is, why not run apache on Windows NT/2000?

This is a circular question: Why not run IIS rather than Apache? What you really are likely to get in response are zealotry replies about how IIS suxxors and Apache rules. In reality IIS 5.0 is a very high performance, high reliability system that excellently integrates with the security subsystem of NT/2000. But preferences vary and others will likely think differently for reasons that make sense for their needs.

Re:bottom line (1)

GigsVT (208848) | more than 12 years ago | (#249659)

So? Yeah, maybe it is sleazy of them

Then we are in total agreement, we both think eEye is sleezy. :)
-

Re:bottom line (2)

GigsVT (208848) | more than 12 years ago | (#249660)

Funny how many would whore out including the staff of eEye

I don't know if anyone remembers, but eEye pulled this same shit about a year and a half ago. They found some vulernability, and used it just to promote their (then shitty, havn't checked it lately) security scanner.

I think they spend more time trying to find exploits than they do working on their product. They really are in it just for the publicity.
-

Re:The servers don't always come back (2)

willy_me (212994) | more than 12 years ago | (#249661)

"A friend" of mine just tried this on a local server and found that it doesn't reboot the web server - or if it does it doesn't always come back. Expected 10 seconds of downtime but instead the server responds with an "error -3108".

Woops.... Hope they get it running again soon. "He" never would have done it had "he" known this was going to happen. But regardless, this exploit can most definately deny service to users. (Just check out www.ncix.com - they're down as I write this. I bet "my friend" will think twice before testing any other servers.)

Willy

Microsoft Announces New "RemoteRoot" Feature (5)

tenzig_112 (213387) | more than 12 years ago | (#249662)

Remote web server administration is a real pain. With all the various firewall security packages out there, it can make a weary IT manager even wearier.

Let Microsoft take you away from all that. With our new RemoteRoot feature for IIS on Windows2000, users can log in as root from remote sites without all the muckety muck.

Forgot your password? No problem. RemoteRoot makes getting in easy.

Microsoft has partnered with the company responsible for Zero Click [ridiculopathy.com] technology to bring you this wonderful new feature. You can read more about it on their web site. [ridiculopathy.com]

What's the problem? (5)

curtS (214040) | more than 12 years ago | (#249663)

The MS writeup clearly states "Note: The vulnerability is only exposed if IIS 5.0 is running."

Warning (funny) (1)

Cardhore (216574) | more than 12 years ago | (#249664)

Please! Make sure you get the printer-friendly [microsoft.com] version of the Microsoft document.

Otherwise you'll overflow your printer's buffer, too.

(It turns out the latest development code of Retina was able to find a buffer overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll) which provides Windows 2000 with support for the Internet Printing Protocol (IPP) which allows for the Web based control of various aspects of networked printers.)

Read Closer. (5)

rabtech (223758) | more than 12 years ago | (#249665)

From the Microsoft Bulletin:

Servers on which the mapping for the Internet Printing ISAPI extension has been removed are not at risk from this vulnerability. The process for removing the mapping is discussed in the IIS 5.0 Security Checklist. The High Security template provided in the checklist removes the mapping, as does the Windows 2000 Internet Security Tool unless the user explicitly chose to retain Internet Printing


So in effect, if the admin who setup the webserver is in ANY way competent, he should have already been over the checklist and applied the template, both of which discuss removing this extension. If he's lazy and only used the SecTool, that would still do the job.



-------
-- russ

"You want people to think logically? ACK! Turn in your UID, you traitor!"

Re:Read Closer. (5)

rabtech (223758) | more than 12 years ago | (#249666)

"If the person who setup the webserver was in ANY way competent, do you think they would be using IIS?"

Better go tell Dell, Microsoft, eBay, NASDAQ, Intel, etc. that they don't have a clue.

Setting up IIS securely takes work, just as doing so on a Linux box does. The problem is that many so-called "WinNT/2K Admins" are clueless. They click Install, and see that they can get to their web page. They then assume everything is OK.

A "real" admin would get on the various security lists [microsoft.com] , go through the MS checklists [microsoft.com] , apply the high-security template [microsoft.com] , and download the scripts that Microsoft used to help secure their own W2K webservers. The admin would also stop by the MS security site [microsoft.com] at LEAST once per month, if not more. They even have a security Tool [microsoft.com] that can baby-step you through the configuration if the registry scares you.

Don't blame Ford when you had your keys to a 3 yr old and they wreck the car....

Of course in this particular case, Microsoft should have performed better testing, but still...

-------
-- russ

"You want people to think logically? ACK! Turn in your UID, you traitor!"

Re:if eEye is so cool... (1)

FreeMath (230584) | more than 12 years ago | (#249667)

To go with a dorky tagline:

Old McBill had a server farm, eEye eEye Ohhh...

Re:Um, this is old news... (1)

2ms (232331) | more than 12 years ago | (#249669)

Um, or maybe it's not news unless it affects about a million times more servers than any of the other examples you've cited.

New? (2)

rppp01 (236599) | more than 12 years ago | (#249671)

Uhm, isn't this version 5? It shouldn't take 10 versions of a software to get it right, does it? Or maybe we are talking about MS here, and that changes the rules. I am actually impressed that MS is pushing the patch for this like they are.

Give them props for doing what we always slam them for not doing-- responding quickly to a large exploit.

Though it does nothing for all the other exploits for win NT/2k out there.....

Well... (1)

joshyboy (237516) | more than 12 years ago | (#249672)

Think about it...new, microsoft -> buggy.
And really, this wasn't completely unexpected - in fact, any self-respecting sysadmin (using windows [even for a personal web-server], almost an oxymoron) would have PLANNED on making an update sometime in the near future.
--

Re:Seriously? (3)

einhverfr (238914) | more than 12 years ago | (#249673)

Did anyone ever not expect a big security hole in this?

Let me see--

  • OS-level web server
  • NT codebase
  • Microsoft
hmmmmm..... Perfectly expected. The first item is a major reason why I am avoiding Tux until either I can further test it or it has more real-world testing.... Although Tux runs on Linux, I have serious problems running server software which runs with that kind of machine access. I will stick with Apache running as Nobody....

Re:Why use IIS? (3)

einhverfr (238914) | more than 12 years ago | (#249674)

My question is, why not run apache on Windows NT/2000? Does IIS have any major advantages over apache and the wide range of addons which are available for it?

Hmmm.....

  1. Apache (at least 1.x) is a resource hog in Windows computers because of posix emulation among other things (and no shared memory).
  2. IIS is much faster on Windows than Apache (at least 1.x)
  3. Apache performs better on UNIX/Linux than on Windows
I can't see running this environment currently...

Re:The Media (1)

hammock (247755) | more than 12 years ago | (#249676)

Did you install Windows 2000 Server or Advanced Server on your desktop, and selected to install the DNS server to serve clients on the public internet?

I sure didn't install BIND on my Linux desktop, just like you don't run a nameserver on yours.

You want to trash talk BIND, go ahead. Linux is not BIND.

"Why didn't I join Microsoft? [LAUGHTER]"

Re:Um, well, kernel 2.4.3 has integrated WWW suppo (3)

hammock (247755) | more than 12 years ago | (#249677)

Here [indiana.edu] is the accouncement for khttpd in June 1999. That's pre-2.4 if you didn't notice, the current kernel at the time of announcement was 2.2.9
Alan Cox wasn't sleeping, here [indiana.edu] is his 2c worth, about 2 weeks after the announcement. It's just a special in-kernel cache after all, not like running IE5 or IIS5 wholly in the kernel like some other OS's.

The home page is http://www.fenrus.demon.nl [demon.nl] . kHTTPd only serves up static content, all non-static stuff is passed to a userland webserver, like Apache or Zues.


"Why didn't I join Microsoft? [LAUGHTER]"

Re:interesting (4)

hammock (247755) | more than 12 years ago | (#249678)

Would a r00t exploit in the latest linux kernel make slashdots front page? I've often wondered this.

You sir are an idiot. Please click the links at your leisure.
Security Flaw with Linux 2.4 Kernel and IPTables [slashdot.org]
New Linux Worm [slashdot.org]
Linux 2.1.* Security Hole [slashdot.org]
*BSD procfs vulnerability [slashdot.org] Hey a BSD one!!
Linux 2.2 DoS Attack [slashdot.org]
IP Frag Exploit in Linux Kernel [slashdot.org]
New Linux Security Holes [slashdot.org]
Cracking All The Live Long Day & RH6/7 [slashdot.org]


"Why didn't I join Microsoft? [LAUGHTER]"

It's been around sometime... (1)

jsse (254124) | more than 12 years ago | (#249681)

since the beginning of last [cybercable.fr] year, which allow remote attacker to display path of the web server.

They might have patched the hole since, but it seems that it surfaced again....Oh well.

Re:The Media (3)

geomcbay (263540) | more than 12 years ago | (#249683)

Actually, I find the opposite to be true. Holes in Microsoft servers tend to be much more widely reported, even if they are fairly harmless (which this one is admittedly not).

There's been virtually billions of 'remote root' level holes in Sendmail alone, nevermind the various other daemons that ship with one or more standard Linux (and/or other UNIX based system) distributions..While these are reported on the geek/security sites like buqtraq, they rarely make it to the mainstream.

Anyway, this is bound to turn into a long useless series of Microsoft-sucks, Linux-sucks posts...But the reality is every OS, open source or closed, has major bugs found in it from time to time...glass houses..stones...etc. Try not to feed the trolls.

Re:Why use IIS? (5)

geomcbay (263540) | more than 12 years ago | (#249684)

IIS is generally considered to be quite a bit faster than the standard Apache distribution -- which isn't that surprising since Apache has never really been about raw speed.

IIS is also far easier to install and maintain, it uses Microsoft's standard MMC console admin interface..Of course, there's two sides to the ease-of-admin issue (many will argue it invites security risk due to low-clue admins being able to do the job, half-assedly).

Probably the most important feature, though, is Active Server Pages functionality. The ability to write parsed HTML code in any of the languages supported by Microsoft's Active Scripting (JScript, VBScript, Perl, Python, etc), with the added bonus of access to pre-built COM objects.

It is quite nice. Personally, I prefer PHP for most web-app development..but the wide variety of language choice and the COM integration are pretty cool if you don't mind locking your box to Microsoft technology.

Not only Microsoft... (3)

Scoria (264473) | more than 12 years ago | (#249685)

... Every new .0 release is generally pretty buggy. It's almost smarter to wait until .1 and .2 releases to upgrade.

Look at RedHat 7.0, for example. Don't bash MS because they have bugs -- to do that would be hypocritical.

Re:One of the better quotes (1)

wroot (264810) | more than 12 years ago | (#249686)

The exploit allows you to do anything (TM).

You can find the C program that writes to C:\ HERE [eeye.com]

Wroot

Re:The Media (3)

Nurgster (320198) | more than 12 years ago | (#249693)

No gaping holes in LInux?

Of course, the mad rush to upgrade to 2.2.16 was purely cosmetic, and had nothing to do with a root exploit affecting all the previous kernels of the 2.2 series.

And BIND has never had a serious exploit in it. Oh no.

[Note for the sarcasm impaired: That was sarcasm]

Re: Buffer Overflows... It's the language! (2)

oodl (398345) | more than 12 years ago | (#249699)

The choice of programming language significantly affects the security (and quality) of the software in question by elimination of whole classes of errors. Buffer overflows are just not possible in the more abstract programming languages such as Lisp, Dylan, Sather, Eiffel, Cecil, ML, OOCaml, and others. Pointer or memory management problems such dangling pointers or memory leaks are not possibilities either.

That covers the most common programming errors in C/C++. In C/C++, the programmer manipulates raw addresses and allocates and deallocates memory manually. In the other languages, the programmer doesn't have access to raw addresses or manipulate memory directly, so the programmer can't cause crashes and neither can an opponent.

This is all obvious... but no one seems to learn it.

Most of these language have very efficient implementations for them... meaning that they have compilers that can produce code that performs in the neighborhood of C code (or sometimes better). And these languages from the Lisp or functional families are much more productive than C/C++.

Re:So why? (1)

lateefj (412468) | more than 12 years ago | (#249703)

"(User #448875 Info) http://www.geocities.com/carlgt1 I think the development is easier & faster in IIS, e.g. using VB or C++ for distributed COM DLL's; or just using ASP pages with ADO or Oracle Objects for OLE. So right there is a big reason I know a lot of places like IIS. "

I think development is easier & faster on Apache, e.g. using PHP or Java. First of all it is important to point to the enviornment that I am developing on, Linux. Windows as much as it tries does not have a console, and I mean a full featured console not some lame non-maximizing thing.

It is much easier, faster (perfomance and time) and with more funcitonality develop a web site in PHP vs ASP (PHP can access COM object). If we are talking a web application which is diffrent than a web site then JSP/Servlet in the long run offers more bang for the buck.

Apache running on a 486 can probably put out 10mb of static web pages (can IIS even run on a 486?). From a developers point of view Apache takes up very little resources and can be configured to integrate with more systems then IIS. From a development stand point the more options I have the better. Did I mention the $$$$?

Re:So why? (3)

carlgt1 (448875) | more than 12 years ago | (#249709)

I think the development is easier & faster in IIS, e.g. using VB or C++ for distributed COM DLL's; or just using ASP pages with ADO or Oracle Objects for OLE. So right there is a big reason I know a lot of places like IIS.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...