Feeds

back to article New IIS attacks (greatly) expand number of vulnerable servers

Attackers have begun actively targeting an unpatched hole in Microsoft's Internet Information Services webserver using new exploit code that greatly expands the number of systems that are vulnerable to the bug. In an updated advisory published Friday, Microsoft researchers said they are seeing "limited attacks" exploiting the …

COMMENTS

This topic is closed for new posts.
Paris Hilton

Could someone explain to me..

...why Microsoft have to wait until tuesday to apply patches? I know the ones coming out on tuesday don't apply to this vuln, but if the patches are critical like they say surely waiting until tuesday (every time!) is just - well - stupid!?

Paris, well because it's just a bit blonde!

0
0

Every time I read that as ISS,

and then wonder who would be attacking it

0
0
Gates Halo

blah?

http://en.wikipedia.org/wiki/Patch_Tuesday - In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday.

non-critical patches are release in bulk for patch Tuesday. Critical Patches are frequently released on a one-off basis and likely when MS gets around to approving one for this IIS vulnerability it will likely be one of the one-off patches.

0
0
Stop

What I find interesting...

... is that people keep saying that the webserver is insecure, when, in fact, the vulnerability has nothing to do with the web services, any more than it has to do with the SMTP services.

Microsoft has always had poor FTP support, and hardly anybody who uses IIS as a webserver in an internet-facing commercial environment uses Microsoft's FTP service. Those that do get what they deserve.

0
0

This post has been deleted by its author

Megaphone

Why does MS tell the world 'what's' venerable?

Wouldn't it be better to just be limited in saying there's a problem with said program and leave it at that like that 'other' software outfit?

0
0
WTF?

@Mosh Jahan

>Since there is a simple workaround, what difference does it make if it's not released until Patch Tuesday?

Err, you mean turning it off?! Given the universality of that 'workaround' you could say that about any vulnerability.

0
0
Anonymous Coward

Ha

Now what are the linux fanbois going to say with their "open source"?

Oh.

0
0
Bronze badge

@Player16

MS used to try to be more closed when publicising vulnerabilities, but came in for a lot of criticism. Damned if they do damned if they don't.

Since the recent Apache cock up it seems that users are damned both ways as well.

0
0

@Player16

This particular vuln is being actively exploited. Obviously the crooks already know about it. Keeping it under wraps now does no good anymore (especially if there's a work-around that admins need to know about -- time to check our IIS servers...).

0
0
This topic is closed for new posts.