Microsoft Internet Information Server
Staff
On July 14, eEye released an advisory and exploit for Microsoft Internet Information Server. eEye, which is a company developing a security auditing tool similar to ISS's core product, released the exploit to the public through the computer security mailing list Bugtraq.
The exploit affects 90% of the Windows NT Web servers on the Internet today, or approximately 1 million machines.
The exploit was basically a buffer overflow. On the completion of the buffer overflow, a trojan would be uploaded to the IIS server, allowing a hacker or cracker to run any code on the server.
OSAll spoke with the author of the exploit, who said the coding of the exploit was "not too difficult." He went on to say "anyone with a running knowledge of assembler and with a little background on buffer overflows can accomplish the feat."
Microsoft moved relatively quickly to issue an advisory of their own about the situation, including a simple workaround. They said a patch was in the works. eEye, however, released a patch before Microsoft.
Interestingly, no Web site defacements have been reported using the IIS exploit. Some, however, have predicted that this is the calm before the storm.
OSAll has an article about Microsoft Security, closely related to this topic, which was written the same day eEye issued its advisory.