Attackers have begun actively targeting an unpatched hole in Microsoft's Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug. In an updated advisory published Friday, Microsoft researchers said they are seeing "limited attacks" exploiting the …
Could someone explain to me..
...why Microsoft have to wait until Tuesday to apply patches? I know the ones coming out on Tuesday don't apply to this vuln, but if the patches are critical like they say surely waiting until Tuesday (every time!) is just - well - stupid!?
Paris, well because it's just a bit blonde!
Every time I read that as ISS,
and then wonder who would be attacking it
http://en.wikipedia.org/wiki/Patch_Tuesday - In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday.
Non-critical patches are released in bulk for Patch Tuesday. Critical patches are frequently released on a one-off basis, and when MS gets around to approving one for this IIS vulnerability it will likely be one of the one-off patches.
What I find interesting...
... is that people keep saying that the webserver is insecure, when, in fact, the vulnerability has nothing to do with the web services, any more than it has to do with the SMTP services.
Microsoft has always had poor FTP support, and hardly anybody who uses IIS as a webserver in an internet-facing commercial environment uses Microsoft's FTP service. Those that do get what they deserve.
Why does MS tell the world 'what's' vulnerable?
Wouldn't it be better to just be limited in saying there's a problem with said program and leave it at that like that 'other' software outfit?
>Since there is a simple workaround, what difference does it make if it's not released until Patch Tuesday?
Err, you mean turning it off?! Given the universality of that 'workaround' you could say that about any vulnerability.
Now what are the linux fanbois going to say with their "open source"?
MS used to try to be more closed when publicising vulnerabilities, but came in for a lot of criticism. Damned if they do, damned if they don't.
Since the recent Apache cock up it seems that users are damned both ways as well.
This particular vuln is being actively exploited. Obviously the crooks already know about it. Keeping it under wraps now does no good anymore (especially if there's a work-around that admins need to know about -- time to check our IIS servers...).
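Following the "time to check our IIS servers" remark above, here is an added PowerShell check (not from the article or any of the commenters) that inventories the Microsoft FTP service on an IIS host, so an admin can confirm whether the "turn it off" workaround discussed in the thread is actually in effect. It assumes the service names `ftpsvc` (IIS 7+ FTP) and `MSFtpsvc` (IIS 6 FTP), and that `Get-NetTCPConnection` is available (Windows Server 2012 or later); the `W3SVC` line is only there to show the web service is a separate service from FTP.

```powershell
# Added example, not the article's or any commenter's code.
# Assumed service names: 'ftpsvc' (IIS 7+ FTP) and 'MSFtpsvc' (IIS 6 FTP).
$ftpServiceNames = @('ftpsvc', 'MSFtpsvc')

foreach ($name in $ftpServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "$name : not installed"
    } else {
        # Running + Automatic means the FTP service is exposed and will come back on reboot
        Write-Output "$name : $($svc.Status) (StartType=$($svc.StartType))"
    }
}

# The web service (W3SVC) is a separate service; shown for contrast only.
$w3 = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3) { Write-Output "W3SVC : $($w3.Status)" }

# Regardless of service name, is anything listening on the FTP control port?
# (Assumes Get-NetTCPConnection is available: Windows Server 2012+.)
Get-NetTCPConnection -LocalPort 21 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# To apply the workaround on a host that does not need FTP at all
# (uncomment after confirming nothing depends on it):
# Stop-Service -Name ftpsvc
# Set-Service -Name ftpsvc -StartupType Disabled
```

Run it in an elevated PowerShell session on each IIS host; a host that reports "not installed" for both FTP service names and no listener on TCP/21 is not exposed by an FTP-only issue, whatever the state of its web service.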