Every time I read that as ISS,
and then wonder who would be attacking it
New IIS attacks (greatly) expand number of vulnerable servers
Attackers have begun actively targeting an unpatched hole in Microsoft's Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug. In an updated advisory published Friday, Microsoft researchers said they are seeing "limited attacks" exploiting the …
This topic is closed for new posts.
Could someone explain to me..
...why Microsoft have to wait until tuesday to apply patches? I know the ones coming out on tuesday don't apply to this vuln, but if the patches are critical like they say surely waiting until tuesday (every time!) is just - well - stupid!?
Paris, well because it's just a bit blonde!
blah?
http://en.wikipedia.org/wiki/Patch_Tuesday - In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday.
non-critical patches are release in bulk for patch Tuesday. Critical Patches are frequently released on a one-off basis and likely when MS gets around to approving one for this IIS vulnerability it will likely be one of the one-off patches.
What I find interesting...
... is that people keep saying that the webserver is insecure, when, in fact, the vulnerability has nothing to do with the web services, any more than it has to do with the SMTP services.
Microsoft has always had poor FTP support, and hardly anybody who uses IIS as a webserver in an internet-facing commercial environment uses Microsoft's FTP service. Those that do get what they deserve.
@Northern Monkey
Since there is a simple workaround, what difference does it make if it's not released until Patch Tuesday?
Why does MS tell the world 'what's' venerable?
Wouldn't it be better to just be limited in saying there's a problem with said program and leave it at that like that 'other' software outfit?
@Mosh Jahan
>Since there is a simple workaround, what difference does it make if it's not released until Patch Tuesday?
Err, you mean turning it off?! Given the universality of that 'workaround' you could say that about any vulnerability.
Ha
Now what are the linux fanbois going to say with their "open source"?
Oh.
@Player16
MS used to try to be more closed when publicising vulnerabilities, but came in for a lot of criticism. Damned if they do damned if they don't.
Since the recent Apache cock up it seems that users are damned both ways as well.
@Player16
This particular vuln is being actively exploited. Obviously the crooks already know about it. Keeping it under wraps now does no good anymore (especially if there's a work-around that admins need to know about -- time to check our IIS servers...).
This topic is closed for new posts.
Sign up, sign up for The Register's weekly IT security newsletter - click here
Popular Whitepapers
- The BI Inflexion Point
Information is a right, not a privilege - Risk and Resilience
The application availability gamble - Register Research on: Agile development - is it right for you
Reaping the benefits of modern software practice - The Register Guide to managing spam
A primer on the implications for enterprise IT - The Register Guide to email security
A primer on the challenges of securing email and approaches to resolving them - High Performance for All
Responding to the needs of compute-intensive workloads
