Posted on 06/25/2004 1:53:54 PM PDT by familyop
IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.
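The advisory's instruction to "verify that there is no unusual JavaScript appended to the bottom of pages" is easy to script. The following is an added example, not code from US-CERT or the original post: it scans HTML for any `<script>` tag that sits at or after the first closing `</body>`/`</html>` tag, which is where the advisory says the injected code lands, and reports the host each tag loads from so that an administrator can spot references to a server that is not their own. The sample page, the host names and the `203.0.113.5` address are constructed for the example.

```python
import re
import sys
from urllib.parse import urlparse

# Constructed sample (not from the advisory): a normal page with a <script>
# tag appended after the closing </html>, loading code from another host.
SAMPLE_PAGE = """<html>
<head><title>Store</title>
<script src="/js/menu.js"></script>
</head>
<body><p>Welcome</p></body>
</html>
<script src="http://203.0.113.5/x.js"></script>
"""

TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
CLOSE_RE = re.compile(r"</(?:body|html)\s*>", re.IGNORECASE)


def find_trailing_scripts(html, own_hosts):
    """Return every <script> tag that appears at or after the first closing
    </body> or </html> tag. A page should not have script there at all, so
    each hit is worth a look; 'external' marks tags whose src host is not
    one of own_hosts (relative or inline scripts give host None)."""
    own = {h.lower() for h in own_hosts}
    close = CLOSE_RE.search(html)
    tail_start = close.start() if close else len(html)
    findings = []
    for tag in TAG_RE.finditer(html):
        if tag.start() < tail_start:
            continue  # script inside the document body: normal placement
        src_match = SRC_RE.search(tag.group(0))
        src = src_match.group(1) if src_match else None
        host = urlparse(src).hostname if src else None
        findings.append({
            "tag": tag.group(0),
            "src": src,
            "host": host,
            "external": bool(host) and host.lower() not in own,
        })
    return findings


def scan_files(paths, own_hosts):
    """Run the check over saved page files (e.g. a copy of the web root or
    pages fetched from the server) and return {path: findings} for hits."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hits = find_trailing_scripts(fh.read(), own_hosts)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    # Usage: python check_trailing_js.py www.example.com page1.htm page2.htm ...
    # With no file arguments the constructed sample page is checked instead.
    own = sys.argv[1:2] or ["www.example.com"]
    files = sys.argv[2:]
    results = scan_files(files, own) if files else {"<sample>": find_trailing_scripts(SAMPLE_PAGE, own)}
    for path, hits in results.items():
        for h in hits:
            flag = "EXTERNAL" if h["external"] else "trailing"
            print(f"{path}: {flag} script src={h['src']!r} host={h['host']!r}")
```

The check is deliberately positional rather than signature-based: the advisory does not name the injected file or host, and an attacker can change both, but script after the closing tag is abnormal on any well-formed page. Run it against pages as the server actually delivers them (a saved copy of the response), not only against the files on disk, since an injection at the server process or ISAPI layer may not show up in the file system.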
Agreed, but only if those processes are kept in confidence until the vendor or original author has a chance to release a tested patch. These supposed "white hats" in Europe and China who release newfound vulnerabilities and corresponding exploit code in open source form before patches are available should be treated as hackers who actually utilized the exploit. Not much difference, really: if someone released the US nuclear codes I guarantee you we'd be looking for that person. It's a release of privileged information either way.
"These supposed "white hats" in Europe and China who release newfound vulnerabilities and corresponding exploit code in open source form before patches are available should be treated as hackers who actually utilized the exploit."
Ah, so they're the bad guys! I was clueless on that phrase.
Yes, MS should employ more people and/or seek volunteers to try exploits for the sake of software security (with agreements to keep secrets, of course). If MS is already doing so (probably is), it should do so with more frequency and intensity. As far as I know, that and having thousands of users and developers doing so is the major edge that some open source systems currently have. MS might try a reward system if it can't pay them full time or get enough trustworthy volunteers.
GE, though, uses the terms interchangeably to mean whatever it is he wants it to mean at the time. He's pretty good at confusing non-tech people because he throws all these terms out in order to overload the reader with jargon.
Don't pay much attention to him. Most people on the tech forums treat him as the class clown.
In order to explain what he was talking about, I'll add that the people who do release code and exploit information usually do so after the vendor has ignored them for a certain amount of time (days or weeks, sometimes). They release their information to the public for two reasons: to make the public aware they are not running a secure system, and to force the vendor's hand to actually fix the vulnerability. The reasoning behind this is that if they discovered this vulnerability, it's a virtual certainty that other people with not-so-good intentions have also found it and are trying to use it.
True, sometimes, the hacker may release the exploit without giving the vendor time to react, but those instances are rare. They are getting more common as MS is building a nice little reputation of just sitting on the information without doing anything about it.
One of the strengths of Free and Open Source Software (FOSS) is that software vendors want people to examine and test their code so that they may fix whatever vulnerabilities are in there. Hence, most FOSS exploits are fixed and patches are released literally hours after an exploit is found.
As a result of this, many Linux and FOSS exploits are reported on various web sites, giving the impression that FOSS is much more buggy than Windows and other CSS (Closed Source Software). The reality is that most (if not all) of those reported bugs are already fixed by the time you read about them.
If the sysadmin has his systems working properly, they can even patch themselves before he arrives the next morning--without rebooting the entire machine.
As you can see, guys like "shadowace" and "shadowman" don't like it when I start talking about security and/or property rights, and immediately resort to personal insults as you so clearly just witnessed. You're free to believe whoever you like of course, but I've been doing this work for over 20 years and currently pull a six figure salary based on my expertise. I'm white hat through and through, but keep your eyes out for black hatters. They're everywhere, and their specialty is blurring the lines between the two.
I don't mind at all when you start talking about security. But you really need to explain the whole situation--not just those parts that suit your current needs.
And you need to quit calling names when someone doesn't agree with your philosophy. I'm no clown when it comes to these subjects, bub, as your countless string of decimated posts has shown.
Not according to professional analysis that's on record. If you'll follow the link ScuzzyTerminator tried to hide in the parent article, you'd see the report from Forrester Research showing Microsoft leads the industry in that regard.
One of the strengths of Free and Open Source Software (FOSS) is that software vendors want people to examine and test their code so that they may fix whatever vulnerabilities are in there.
But so far there's no proof anyone but bad guys are looking at it. The US government even tried to put up a website so the claimed white hatters could post security problems found in the open source. Thing is, nobody did.
Actually here's ScuzzyTerminator's thread, you guys push so much bull around here it's hard to keep up.
http://www.freerepublic.com/focus/f-news/1159038/posts
I did not call you a clown. Nor did I use any other names.
See I didn't directly call you one either.
About Firefox 0.9, my wife has been unable to open a game page using this browser. Any idea why that might be?
Sounds like Firefox, if other browsers open it fine. I'd recommend IE or Opera, closed source options.
What's the URL? Perhaps I can assist.
Closed source options?
MS IE
Opera
Possibly Netscape, if its market hasn't already been stolen by one of the duplicate open source clones.
See, this is why people don't take you seriously. If you would discuss the issues without assigning motive to how an article is posted, perhaps you would get a better response.
I see no evidence of him "trying to hide" anything. The link is there for all who care to follow it. Your problem is that unless a person is as fanatical as you are, then they are "zealots" who troll against the US economy.
Believe it or not, most readers of these threads can spot idiots without said idiocy being overtly pointed out at every turn. Try actually discussing issues on technical merits rather than emotional ones, and you may start to gain some respect.
BTW--agreement != respect. Respect can exist without agreement on every issue.
There is a problem with it; it blurs into another one, just like you like to blur white hat and black hat.
Your problem is that unless a person is as fanatical as you are, then they are "zealots" who troll against the US economy.
This conversation was fine, going quite well as a matter of fact, until you entered the discussion and started throwing names like "class clown" in your very first post. Go back and see for yourself; everyone else already does.
"He's pretty good at confusing non-tech people because he throws all these terms out in order to overload the reader with jargon."
That's funny. I haven't seen those phrases on the most technical of OS fora at all. ...thought it might be MS or Mac terminology. Are the new Euro-Linux hordes using spacey descriptions like that now?
"These supposed "white hats" in Europe and China who release newfound vulnerabilities and corresponding exploit code in open source form before patches are available should be treated as hackers."
Okay, so they're bad guys.
"I'm white hat through and through, but keep your eyes out for black hatters."
Oh! So they're good guys! I'm confused.
Okay...not really. I get it now. It's funny, though. We who spend time learning about non-SysV UNIX systems don't keep up with the language of lawyers and marketing management babes much. We don't even read People Magazine.