Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver. "Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed …
IIS should be...
... taken out and shot. That's the only real way to put an end to IIS vulnerabilities.
So shooting it for vulnerabilities that have now been said not to exist is such an obvious solution. I'm sure Apache is not vulnerable to someone misuing an account that has permissions to do *bad stuff*.
(sits back and waits for all the fanbois that trashed this as being an IIS issue in the initial story to come back and say sorry for jumping the gun)
What the fuck are you talking about?
IIS hasn't had a single critical security vulnerability since II5. IIS6 and IIS7 have yet to have a critical security hole discovered.
Unlike Apache which has had at least 3 or 4 in that time. (Admititly early on but whilst IIS6 was about)
Whodda fort it....
Gobby helpdesk manager having just read the IT press is wrong about compromise of server.
Waiting for the investigation to finish, before announcing the results would have been wiser.
Except that this WASN'T a vulnerability, at least not a technical one. I think these sort of errors are characterised as Problem Exists Between Keyboard And Chair...
Once upon a time there was a little man who was poor and had no house, so he and his family lived in a cave. One day a big man came along and built him a house. 'But if I build you a house, you must look after my dog', said the big man. So the little man looked after the dog.
One day the dog turned nasty and ate the little man's kids. But the little man was scared the big man would take his house away, so he told the policeman that the dog didn't do it.
That's all for today children. 'Newsround' next, and then 'Grange Hill'.
Read again, Vulnerability does exist
I count three people somehow coming to the conclusion that no vulnerability exists in IIS .... huh?
Often wonder if people actually read the entire article before penning their replies, or is being the first to comment or flame someone more important than knowing what you are talking about? The vulnerability does exist, it just wasn't exploited in this instance.
Most of the bad press is related to IIS5 not IIS6
IIS 5 was a security nightmare but IIS6 has been much better (i'm not saying it's the best or drawing comparisons so simmer down) in fact it's become quite a dull subject on the security front much better than most MS software. Take a look at the list it's hardly an issue a week is it now in fact it looks like one a year.
ISS stick sucks though...
Of course IIS had security issues as does apache and probably most other servers. But that's not the whole issue here, IIS is still poo even if it didn't have any issues just for it being so ... annoying.
I have had someone hack my apache webserver once... on my home computer. My own fault for not firewalling it to outside connections, I didnt know there were any problems with it until that point. Someone thought it might be funny to put a paypal scam site on my web server... to this day I still do not know how they did it and all I had was a php page with a couple of graphs on it ^^ and it was set up securely.
This was back in the Mandrake days though...
I hope the ISS isn't using IIS.
If they are, expect lumps of flaming metal to come hurtling down out of the sky very soon.