Big IIS Doo Doo, Code Red Edition.



"Microsoft security flaw threatens Web"
By Robert Lemos: Special to CNET News.com 
June 18, 2001, 2:20 p.m. PT
<http://news.cnet.com/news/0-1003-200-6312094.html>

"The flaw occurs in a component of Microsoft's Internet
Information Service (IIS) software that is installed
on Web servers by default, said Marc Maiffret, chief 
hacking officer with eEye Digital Security, the company
that found the flaw..."

"The vulnerability lies within the code that Microsoft's
IIS server uses to support indexing, a feature that speeds 
searching on Web servers. The module, known as the Indexing
Service ISAPI Filter, does not properly check for buffer
overruns, a common problem in software.  Maiffret estimated
that at least 50 percent of all IIS servers--about 3 
million--still have the default component installed and
are thus vulnerable."

Two years ago, almost to the day of the above, Damascus
wrote a message to this list entitled "Big IIS Doo Doo." 
That was discovered by eEye and also concerned ISAPI.  
Hm...  <http://www.luci.org/luci-discuss/msg01326.html>
