Microsoft IIS hole fells university server

This story was updated at 21st May 2009 05:01 GMT to include Microsoft comments refuting the university's claims that the IIS vulnerability was exploited in the attack. It was updated again at 21st May 2009 23:10 GMT to note that University officials have recanted their claims. Please see this updated story. Hackers have wasted …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Whoops!

    A good time to get rid of IIS!

  2. Henry

    Troll

    And replace it with what? Another web server with its own vulnerabilities?

  3. Anonymous Coward
    Flame

    re. Whoops!

    Is there ever a BAD time to get rid of IIS??!

  4. This post has been deleted by its author

  5. John
    Pirate

    Use nginx

    Replace it with Nginx rather than Apache. It would be interesting to see a comparison of IIS vulnerabilities to Apache, I suspect the number doesn't differ greatly. Both are heavy and slow webservers IMO.

  6. Pierre

    That's what happens....

    ... when you insist on using insecure, non-production-ready software. MS stuff should be used only by kids, as a gaming platform.

  7. Shingo Tamai
    Flame

    IIS because...

    @Clueless

    >Why would anybody use Microsoft IIS webserver instead of Apache????????

    Because it is easier to *click click click* configure.

    Oh, wait....

  8. Anonymous Coward
    Coat

    Working with Microsoft Employees?

    Since when does this ever happen? There is something fishy about this story.

  9. Dennis
    Boffin

    Re: Troll

    "And replace it with what? Another web server with its own vulnerabilities?"

    If you actually need WebDAV then there are advantages to using Apache. With Apache WebDAV can be applied on a per-container basis rather than system wide. The existence of WebDAV functionality is only betrayed by the module appearing in the server identification string (and this can be suppressed). The response to the OPTIONS command will only show the WebDAV commands if you quote the relevant path. The WebDAV commands do not appear in response to OPTIONS / (assuming WebDAV has not been included in the definition of the root directory).
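The per-path WebDAV setup Dennis describes, written out as an added example that is not part of his post or of the thread; the file paths, realm name and password file are assumptions for illustration:

```apacheconf
# Added example (not from the comment above): Apache 2.x configuration that
# scopes WebDAV to one path instead of enabling it server-wide.
# Module paths, directories and the auth realm are assumptions.

LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# Keep module names (e.g. "DAV/2") out of the Server header; only "Apache" remains.
ServerTokens Prod
ServerSignature Off

# Lock database used by the filesystem DAV provider (assumed path).
DavLockDB /var/lock/apache2/DavLock

# Weak variant: enabling DAV on the document root advertises and accepts the
# DAV methods for every path, so "OPTIONS /" would list PROPFIND, MKCOL, etc.
# <Directory "/var/www/html">
#     Dav On
# </Directory>

# Scoped variant: DAV exists only under /dav. "OPTIONS /" still answers with the
# plain GET/HEAD/POST/OPTIONS set; only "OPTIONS /dav/" lists the DAV methods.
Alias /dav "/var/www/dav"
<Directory "/var/www/dav">
    Dav On
    AuthType Basic
    AuthName "WebDAV (assumed realm)"
    AuthUserFile "/etc/apache2/dav.passwd"
    # Read-only methods stay open; every write-capable method needs a login.
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Directory>
```

To confirm the scoping on your own server, compare the Allow: header returned by `curl -i -X OPTIONS http://localhost/` with the one from `curl -i -X OPTIONS http://localhost/dav/`; only the second should list the DAV methods.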

  10. Anonymous Coward
    Heart

    title

    IIS => The IE6 of web servers

  11. Anonymous Coward
    Linux

    Linux

    *Waves*

  12. Kevin

    LOL IIS

    Seriously I used IIS on my 1st webserver

    it was raped left and right in 3 days by people exploiting it (it was fully patched)

    Swapped to apache and have had 0 breaches in years.

    Sure apache is a little bit harder to configure but IMO the amount of headaches it saves you from it's well worth it

  13. gabor
    Happy

    Re: Clueless

    errr... Because for some purposes, it is better?

  14. Anonymous Coward
    Anonymous Coward

    Re : LOL IIS

    Go on then - post the server address. Maybe it is just lack of traffic?

  15. lennie
    Coat

    I think the question

    Why haven't they upgraded to 7 yet? Why are they still on IIS6? Anonymous, Apache is ok but it's not the have all end all browser. Apache would work great for the average person but IIS brings a lot to the table that large corporations and institutions need. So your question isn't really a valid one....well it's half valid. However the reason they use IIS is the same reason they use IE: because they bring a lot to the table that a lot of regular users can't/won't appreciate.

    That said, my school upgraded to Server 2008 already. Schools get a freakishly large discount on MSFT products. I'm full circle back to my original question, why haven't they upgraded yet?

    mine is the one with Server 08 in it.

  16. Anonymous Coward
    Anonymous Coward

    Err...

    Funny how the MS guys are only just investigating the problem, but it is known to the helldesk person that the problem was the WebDAV vuln? Aren't investigations supposed to complete before you announce what is wrong, or did I miss something in the article?

    (Not saying it's not WebDAV vuln, just saying.)

  17. Maliciously Crafted Packet

    NIX vs Windows security stories...

    generally fall into two categories.

    Those reporting on NIX by and large talk about potential vulnerabilities.

    Those reporting on Windows by and large talk about actual exploits.

    I know this is tiresome but it has to be said again and again until it sinks in to the disinterested skulls of those that run these large organisations.

    The enterprise has standardised on the wrong operating system. Windows is broken. It does not work. Its costing billions in lost productivity and security headaches.

    Just as our broken parliamentary system and our broken banks need to reform. IT needs to do the same and rip the guts out of its old tired Windows only strategy and replace with something that works. That being OS X on the desktop and LINUX in the server room. (I don't yet think the cloud is mature enough).

    Yes it will be hard and painful, but most things that worth fighting for are difficult and the path stony. But look what lies at the end of this hard trodden road.

    Imagine a world without spam. Imagine a world without worms or self replicating viruses. Imagine being able to spend the majority of your time actually improving your organisations productivity instead of firefighting exploits day in and day out.

    Imagine a world without Windows.

  18. Mike VandeVelde
    Stop

    lennie, lennie...

    Why haven't they upgraded yet?

    Mayhaps because Microsoft themselves recommend against it?

    http://www.networkworld.com/news/2009/051409-microsoft-teched.html?page=2

    rofl!

  19. Destroy All Monsters Silver badge
    Paris Hilton

    Ahhh..... I feel younger again

    It's like it's the golden times again --- before the dot.com crash and the endless War On Stuff bullshit; back when I learnt about Apache config files using a book not bought online and hacked servlet code in vi -- and when using IIS was considered an honour badge of FAIL.

    Happy times...

    Where is the nostalgia icon? Paris will have to do.

  20. Anonymous Coward
    Stop

    @ Trolls

    IIS 5 was a security nightmare but IIS6 has been much better (I'm not saying it's the best or drawing comparisons so simmer down). In fact it's become quite a dull subject on the security front, much better than most MS software. Take a look at the list: it's hardly an issue a week, is it now? In fact it looks like one a year.

    http://secunia.com/advisories/product/1438/?task=advisories

    As for why people would use IIS6, well it's there, built in (admittedly it has to be installed but it's on the CD) and integrates with the rest of the server well: .NET framework, SharePoint, Office Live, WSUS (important one that)...most other MS apps.

  21. Anonymous Coward
    Anonymous Coward

    re: I think the question

    "why haven't they upgraded to 7 yet? why are they still on iis6?"

    Because they've got some very shoddy custom apps running that require not patching the servers at all, let alone changing anything to do with the webserver for fear the whole lot will suddenly and irreversibly die.

    Not that I speak from experience or anything...

  22. Anonymous Coward
    Stop

    Anonymous user.

    Well, in M$, most of the time Anonymous = Administrator because there is no proper rights management in M$.

  23. Nordrick Framelhammer

    @lennie

    The reason companies use IIS is because they have lazy CIOs managing lazy network admins who have to cater to lazy web "designers" who throw up .ASP crap using a crappy web "design" programme that craps out bloated code that will only work in a crappy browser that does not comply with accepted standards and that only runs on a crappy operating system created by a company with crappy business practices, crappy ethics, crappy programmers, and crappy quality control.

    Basically it is all a pile of shit.

  24. Anonymous Coward
    Anonymous Coward

    Applauds!

    > The enterprise has standardised on the wrong operating system. Windows is broken. It does not > work. Its costing billions in lost productivity and security headaches.

    Well said

  25. Anonymous Coward
    Anonymous Coward

    @Nordrick

    -----

    The reason companies use IIS is because they have lazy CIOs managing lazy network admins who have to cater to lazy web "designers" who throw up .ASP crap using a crappy web "design" programme that craps out bloated code that will only work in a crappy browser that does not comply with accepted standards and that only runs on a crappy operating system created by a company with crappy business practices, crappy ethics, crappy programmers, and crappy quality control.

    Basically it is all a pile of shit.

    -----

    So are you saying its crap then?..... or shit?

  26. Darryl

    @Maliciously Crafted Packet

    "Imagine a world without spam."

    So now OS-X is spam proof too? Is there anything that Steve can't do?

    Or did you mean Linux was spam proof?

  27. Tim Bates

    IIS vulnerabilities vs Apache vulnerabilities

    Anyone basing their choice between IIS and Apache on the number of vulnerabilities over a given time is silly and deluded.

    The Apache bug list is likely far greater, but only because they announce every tiny little exploitable issue regardless of how insanely unlikely it is to be exploited (like the ones that require existing user accounts on a specifically configured server with its CD tray ejected half way)

  28. Mark

    Why use IIS?

    Perhaps they have stuff built with .Net? Large organisations tend to use it as they have things like WCF web services etc that are a fuck sight easier to build and deploy than poxy servlets. Perhaps they make use of sharepoint internally?

    @Nordick:

    "The reason companies use IIS is because they have lazy CIOs managing lazy network admins who have to cater to lazy web "designers" who throw up .ASP crap using a crappy web "design" programme that craps out bloated code that will only work in a crappy browser that does not comply with accepted standards and that only runs on a crappy operating system created by a company with crappy business practices, crappy ethics, crappy programmers, and crappy quality control."

    Bitter sir? A touch twisted also? Not likely to be employed by a large company that doesn't want dozens of different architectures lying around requiring maintenance all because the buzzword junkie at the top fell for the latest fad or the developers want what they think is the bees knees (rails anyone?)? I think so. In the early part of this decade big companies were building on Java as MS had nothing. Now new projects get put together in C# etc because MS is on their desktops and it all works out that little bit easier for them. Java on the desktop? No thanks. Like it or not .Net is pretty bloody good considering its parentage.

  29. Mark Aggleton

    @Mark

    Hear, hear.

    Anyway it's only a university - who gives a fuck.

  30. umacf24
    Dead Vulture

    Refuted?

    The MS statement looks like a denial to me. They're only synonyms in US english. A real refutation would be interesting, but a denial is just PR.

  31. Kevin Bailey

    @Mark

    '.Net is pretty bloody good considering its parentage.'

    Have you actually used it? And used a decent PHP framework like Zend Framework.

    If you've used both in anger as I have I think you'll find that .NET is bloated, unmaintainable and non-portable.

  32. Anonymous Coward
    Anonymous Coward

    @AC 21:54

    Either that was a pisspoor troll, or you are seriously out of your depth.

    Just saying something doesn't make it true, you know?

  33. Martin Taylor

    @umacf24

    Thank God for someone who cares about the difference between "refute", and "deny".

  34. Sentient

    .NET vs PHP

    "Have you actually used it? And used a decent PHP framework like Zend Framework.

    If you've used both in anger as I have I think you'll find that .NET is bloated, unmaintainable and non-portable."

    Well I did. And I like them both. If I had to choose I'd choose .NET cause it's strongly typed. But that's just me. I am not arrogant enough to say that what works best for me works best for everybody.

    And I do marvel at certain PHP based applications like facebook and Drupal etc...

  35. Tom

    @re: I think the question

    It's not 'legacy software' that won't work - just about everything that talks to it would have to be upgraded. You can't just upgrade to IIS7, the security won't work properly (?) without updating the domain controllers and then you'll have to upgrade the databases and ...

    The cost in software licences alone would be worse than investing all the staff pensions in an Icelandic bank. Then you'll have to upgrade the hardware to actually run the new versions and this would have to be done in term time as paying punters will be having conferences out of term...

    "Microsoft said at the time it was unaware of any in-the-wild exploits of the vulnerability."

    that they haven't categorically 'lah lah lah I can't hear you'-ed.

  36. Chewy

    @Kevin Bailey

    Obviously you have never used the .Net framework for any kind of serious development either. I've never met any developer who was an expert in both - I've heard people claim to be experts in both but that doesn't make it so.

    The .Net framework goes way beyond just web development so cannot be compared like-for-like with PHP. Don't get me wrong as I'm aware that Apache is better than IIS in its design, and that PHP blew ASP out the water.

    Does it really matter if .Net is platform neutral? As for being unmaintainable, well I've never had any trouble with sites that were well written.

  37. Lee
    Thumb Up

    .NET vs PHP - really?

    hmmm, I don't usually pipe up in these comment sections however it is a slow day and I am nursing a large hangover, so here we go...

    @Kevin - I really don't think you can compare .NET to PHP at all (for example how can I write a desktop app or windows service in PHP?). However I imagine you are just talking about web development. Even here the comparison doesn't hold up. As an example could you please post code in PHP to do some of the following;

    1. Select a certificate, negotiate with a WS-Security compliant web service, authenticate and consume (even Java has a few standards problems here which require programmatic workarounds)

    2. Create an Active Directory Group and User

    3. Set filesystem permissions explicitly on a file (e.g. one that you allow users to upload)

    4. Programmatically Impersonate a specific user account on the server for accessing well secured resources

    By having access to the full .NET framework, ASP.NET allows much more sophisticated applications to be implemented and deployed over HTTP (don't forget the intranet setting so important to the enterprise) than is possible in PHP.

    Anyway, although the average Reg comments poster will no doubt disagree, I love .NET and find programming in it a pleasure.

    :)

  38. bygjohn

    @Darryl

    > So now OS-X is spam proof too? Is there anything that Steve can't do?

    > Or did you mean Linux was spam proof?

    I doubt MCP meant either.

    However, consider that most spam is currently sent via botnets of compromised Windows PCs, and how little would be left were they replaced by something less easy to compromise. Do you see it now?

  39. Anonymous Coward
    Stop

    Reality Check for Everyone

    Security = difficulty; almost by definition. A locked door is more difficult to use, even if you have the key.

    So for the majority of users, security is just something that gets in the way of using a computer; if Microsoft went out of business tomorrow, and all copies of Windows stopped working, then it would be quickly substituted by an operating system that was just as easy to use and just as insecure. Because that's what the market would demand. Apart from a small minority of nerds, people are more concerned about usability than security. "Everything runs as Administrator" would probably become "Everything runs as root" and the whole security industry would be back in the game of plugging holes in whatever was the most popular (and again, almost by definition) the most insecure operating system.

    Face facts: users, especially home users, don't want security if it gets in the way of doing things. If MS-DOS and Windows had never existed, and only secure operating systems had ever been developed, then we'd probably be living in a world where the only computers we saw were embedded devices and the ones in the workplace. Personal computing as we know it probably wouldn't exist.

    Don't blame Microsoft for selling what people want; if they didn't then somebody else would.

    Please don't respond to this with a "<insert operating system here> is much more secure than Windows, and would rule the World if Windows didn't exist" until you've thought seriously about how much effort you have to put in to make <insert operating system here> secure, and stay secure; and whether that level of effort is more or less than the majority Windows users are prepared to devote to security (i.e. fuck-all).

  40. Steve B

    Missing something?

    The site was exploited, but MS say it was not the vuln, therefore everything is alright.

    Is it me?
