back to article Hands up who DIDN'T exploit this years-old flaw to ransack a US govt web server...

Multiple criminals, including at least potentially one nation-state group, broke into a US federal government agency's Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution. The snafu happened between November 2022 and early January, according to …

  1. elDog

    And just when I thought replacing all my Adobe Flash controls with Telerik

    Who would of thought that a simple add-on control to the Microsoft stack could cause so many problems?

    1. Pascal Monett Silver badge

      Re: And just when I thought replacing all my Adobe Flash controls with Telerik

      Who could possibly think that it wouldn't cause problems ?

      1. Claptrap314 Silver badge

        Re: And just when I thought replacing all my Adobe Flash controls with Telerik

        I'm assuming op missed the troll icon...

  2. Groo The Wanderer Bronze badge

    No sympathy for organizations that don't patch their servers. If you're running obsolete software, you're just begging to be attacked and infiltrated.

    1. Ozan

      That's not a day old patch also. Why took so long to patch it?

      1. Curious

        If the customer's IT doesn't have their own Telerik annual developer subscription for a few hundred per year then they won't have access to Telerik component updates. And IT may lack the knowledge and build scripts to update, run test scripts and deploy themselves, if the development work was outsourced.

        How many business .Net apps will never get updated from .net framework 3.5? We were quoted 40 grand to bring a fairly straightforward internal small business azure hosed application from .net core 4 LTS to .net 6 LTS. No feature changes.

        1. Anonymous Coward
          Anonymous Coward

          Not sure how I feel about the statement: " And IT may lack the knowledge and build scripts to update, run test scripts and deploy themselves, if the development work was outsourced."

          I'd be inclined to call that a failure on management's part, not the guys in IT. Most IT guys would jump at the chance to learn something new and apply it. Then there is the point that if your IT dept isn't trained or don't have the bandwidth or skills, why aren't management employing someone to fill that gap? Again, the finger points back at management.

          Add into that your comment "If the customer's IT doesn't have their own Telerik annual developer subscription for a few hundred per year then they won't have access to Telerik component updates." - I'd ask why not? The business surely should have the necessary licences in place to support the tools they are using to do business? If it's outsourced (sigh), then wouldn't such requirements be included in the support contract?

          Security is hard at the best of times. We're almost always on the back-foot. But management STILL seem to treat security as an unnecessary expense, right up to the point they get caught out and are facing fines. Until such times as the penalties outweigh the cost of prevention, I don't ever see this changing.

    2. Mike 137 Silver badge

      "No sympathy for organizations that don't patch their servers"

      No sympathy either for devs that refuse to validate externally input data adequately. They're the ones that actually cause the problem.

      1. Michael Wojcik Silver badge

        I take the force of your argument, but validating serialized object data is rather more complicated than validating tainted inputs for things like SQL injection.1 Typically with third-party components (or even components developed within the organization by another team) those are just presented to the application developers as opaque blobs. A pen tester, or someone who follows secure-development practices, will often recognize a serialized object (for the languages they're used to working in) and raise a flag, but when a manager says "here, use this component we bought", catching marshalled [sic] pickles can be difficult.

        1Of course no application should ever be vulnerable to SQL injection in the first place, because it shouldn't be constructing ad hoc queries but using parameterized statements, stored procedures, or the like. The same goes for command injection, format-string attacks, XSS, and most of the other tainted-data issues. But that doesn't mean input sanitization isn't still a good idea.

  3. Al fazed
    WTF?

    Who needs

    mandated backdoors when we already have access routes a plenty created by our own favourite cheese makers ?

    ALF

    1. Michael Wojcik Silver badge

      Re: Who needs

      Is Progress Software on your favorites list? This wasn't a Microsoft bug (for once). Not that it matters much.

  4. Anonymous Coward Silver badge
    Linux

    > "broke into a US federal government agency's Microsoft Internet Information Services web server"

    Why the duck would any organisation be using IIS (especially on a public facing site)? It's a massive pain and full of holes. Apache, nginx, lighttpd, etc are much more suited to the role.

    1. Captain Scarlet Silver badge
      Coat

      Yes but anyone can poorly configure a web server or run software with holes, especially me (I failed to patch Apache in one instance, another a PHP script e107 had a vulnerable file which was updated by the dev but was left on the web server).

    2. Sandtitz Silver badge
      Stop

      "Why the duck would any organisation be using IIS (especially on a public facing site)?"

      ...because the application vendor only supports IIS? ...it come with Windows and is easy to setup?

      "It's a massive pain"

      Pain?

      "and full of holes. Apache, nginx, lighttpd, etc are much more suited to the role."

      All of those products have had multiple security vulnerabilities last year. and some of them have had vulns this year as well.

      I think IIS isn't any worse on the hole aspect, but feel free to correct me with some statistics.

      1. Michael Wojcik Silver badge

        Some statistics, courtesy of NVD searches. IIS: 178 CVEs. Apache httpd: 289 CVEs. nginx: 39 CVEs.

        So Apache httpd does indeed have quite a lot more published vulnerabilities, but nginx has much fewer. On the other hand, Apache is much more widely used (40% versus 11% for IIS), so we can expect more attention paid to it. On the other other hand, nginx has a bigger market share than IIS too, and while nginx is a much newer and less stovepiped code base than Apache httpd and has a lot fewer features, it's not at all clear that it really has only 13% as many flaws as Apache.

        In short, statistics like these are meaningless. And what's likely far more important in practice is how likely an organization is to configure the server properly, and many components factor into that.

  5. Anonymous Coward
    Anonymous Coward

    Is this Telerik-rolling?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like