Security 10808 Published by

It's been a heck of a week for security vulnerabilities. The most attention, deservedly so, went to another buffer overflow in Microsoft's IIS Web server, but there were many more.

The IIS hole was unusual in that, unlike most vulnerabilities, it appears to have been exploited before it was discovered and patched. Even worse, it was the U.S. Army's Web server that was attacked. Microsoft put out a patch in relative hurry and there are several workarounds that should block the exploit. However, they come at the expense of functionality in IIS support for WebDAV, which allows file I/O-style access to web sites. This is one of those problems for which administrators should drop everything and deal.

After reports of server crashes introduced with the patch Microsoft modified the security advisory for this problem to warn that certain specific versions of Windows 2000 were incompatible with the patch and that it would cause these systems to blue-screen. Security patches from Microsoft are usually issued before there are any real-world exploits, and Microsoft puts them through extensive testing. No such luck in this case, and they had to write and issue the patch post-haste. This is what happens when you're in a hurry.

And it didn't end there.

Read more