
Re: Big IIS doodoo




On Tue, Jun 15, 1999 at 09:05:09PM -0500, John Corey wrote:
> 
> I just did a little research comparing this to the recent ICMP
> denial-of-service attack, put up on Slashdot
> (http://slashdot.org/comments.pl?sid=99/06/15/2057242&threshold=0&commentsort=0&mode=thread&pid=3#134).
> What makes it even more interesting is that MS themselves claim to have
> discovered it on May 28, so 18 days and counting for a real fix (for
> those sites that rely on the use of .HTR files, whatever they are).

"Uh, uh, yeah, uh, sure, umm.... yeah, we already knew about that.
Yeah, that's it.  We found out about it over a week earlier.  But, uh, 
thanks anyway.  Just keepin' ya on your toes, sure!"

Like we trust them to do anything more than lie to make them look
good.

If they knew about it and kept it secret, they did their customers a
big disservice, fix or no fix.  There's an easy workaround, and this
is AFAIK the biggest security bug in a Microsoft product since the
Win95 file sharing bug.  (Not that they responded to that one in a
timely manner, either, or engage in some stealth marketing and FUD on
the way.)  Possibly, it's even bigger than that.

ObLinux: That's why it's so much better to look in the source for
yourself than to trust a vendor, especially one with such an unsavory
reputation.
