Re: IIS 6 vulnerability - has MSFT fixed this yet?
- From: David Wang <w3.4you@xxxxxxxxx>
- Date: Sun, 31 May 2009 13:46:25 -0700 (PDT)
Are you saying that your security team scanned multiple IIS6 servers
you manage, but only one of them came up with this warning?
I believe it indicates a misconfiguration of that server relative to
your other IIS6 servers.
Microsoft takes every security vulnerability report seriously and
immediately determines its true impact. Some people believe that all
vulnerabilities must be reported and closed, regardless of cost, but
that is not realistic.
Every vulnerability has a risk/cost assessment. If a vulnerability is
truly important, it would be patched immediately.
For example, people report lots of "vulnerabilities" in IIS which
require special code on and/or configuration of IIS to exploit. Yes,
the exploit may be real, but how realistic is the special code and/or
configuration? Those are factors that weigh into the immediacy and
necessity of a security patch.
Thus, if the issue is patched and you patched all IIS6 servers the
same way, then getting a warning about one of them makes me suspicious
of the security scanner.
If the issue has no patch and one of the servers is deemed
"vulnerable", then it suggests that the server has special user code/
configuration which makes it vulnerable. You should look at your code/
configuration of it.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On May 28, 1:13 pm, "James" <j DOT w AT zoom DOT co DOT uk> wrote:
Hi Paul,
Thanks so much for your reply, and help. I also tried to reproduce it and
did not receive any delay in my response. I find it hard to believe that
this is still a problem after such a long period of time.
If anyone else has any insights on this it would be appreciated.
Thanks again Paul!!
James
"Paul Baker [MVP, Windows Desktop Experience]"<paulrichardba...@xxxxxxxxxxxxxxxxx> wrote in message
news:uyYB6383JHA.3860@xxxxxxxxxxxxxxxxxxxxxxx
I don't know anything about this, I just googled it.
I see that it is from May 2007:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2897
It is still under review. That seems like a long time to review it! The
steps given are simple and just need to be run against an IIS 6 server.
I cannot reproduce a two second delay on an IIS server here (not sure
which version) when I type http://<blah>/AUX/.aspx into the Internet
Explorer 7 address bar.
According to this page, there is no remedy as of May 23, 2009.
http://xforce.iss.net/xforce/xfdb/34418
But is it really a problem? Who knows!
Paul
"James" <j DOT w AT zoom DOT co DOT uk> wrote in message
news:u9Bsrq73JHA.1416@xxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I received an inquiry by our security team today saying that a standard scan
of our servers reported that one of our IIS servers (that is running IIS 6)
triggered a warning of a potential vulnerability: CVE-2007-2897.
The text we were given for the vulnerability was:
---
"Microsoft Internet Information Server (IIS) is an industry-standard Web
server for the Windows platform.
Microsoft Internet Information Services contains a vulnerability that may
allow for remote denial-of-service attacks. A specially crafted
request sent to the server may render it unresponsive."
---
This CVE appears to have originated in 2007; our servers are fully patched.
Can anyone confirm if this vulnerability has been taken care of, and if so,
in what update / patch from MS?
Thanks in advance!
James
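Paul tried to reproduce the scanner's finding by typing http://<blah>/AUX/.aspx into the IE7 address bar and watching for a two-second delay, and David suggests the flagged server differs in code or configuration from the others. The script below is an added example, not code from anyone in this thread: it repeats the same request with a raw HTTP client (a browser may normalize the URL before sending it, so a manual test in the address bar is not a reliable reproduction), times it against a control path, and reports whether the reserved-device-name path is consistently slower. The host, the control path "/", the sample count and the 1.5-second threshold are assumptions; the server name is a placeholder. Run it only against servers you manage, since the request under test is the one the CVE text says may render the server unresponsive.

```python
"""Timing probe for the CVE-2007-2897 check discussed in the thread.

Added example (not from the original posts). It compares the response
time of a control path with that of the reserved-device-name path the
scanner flagged (/AUX/.aspx), repeating each measurement so one slow
response is not mistaken for the reported delay.
"""
import http.client
import statistics
import sys
import time
from typing import List

# The request Paul typed into the browser, and an assumed control path.
SUSPECT_PATH = "/AUX/.aspx"
CONTROL_PATH = "/"

# Assumed thresholds: the thread reports roughly a two-second delay, so a
# 1.5 s median difference is treated as a reproduction; below that is jitter.
DELAY_THRESHOLD = 1.5
SAMPLES = 5


def time_request(host: str, path: str, port: int = 80,
                 timeout: float = 10.0) -> float:
    """Send one GET with http.client and return the elapsed seconds.

    A timeout or connection error is recorded as the time elapsed until it
    was raised: an unresponsive server is the very symptom being checked,
    so it must count as a (large) delay rather than as a missing sample.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    start = time.monotonic()
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
    except (OSError, http.client.HTTPException):
        pass
    finally:
        conn.close()
    return time.monotonic() - start


def sample(host: str, path: str, n: int = SAMPLES) -> List[float]:
    """Collect n timings for one path."""
    return [time_request(host, path) for _ in range(n)]


def extra_delay(control: List[float], suspect: List[float]) -> float:
    """Median suspect time minus median control time.

    Medians are used so that a single slow or fast request, on either
    path, does not dominate the comparison.
    """
    return statistics.median(suspect) - statistics.median(control)


def looks_delayed(control: List[float], suspect: List[float],
                  threshold: float = DELAY_THRESHOLD) -> bool:
    """True if the suspect path is consistently slower by >= threshold seconds."""
    return extra_delay(control, suspect) >= threshold


def probe(host: str) -> dict:
    """Run the full comparison against one server and return the verdict."""
    control = sample(host, CONTROL_PATH)
    suspect = sample(host, SUSPECT_PATH)
    return {
        "host": host,
        "control_median": statistics.median(control),
        "suspect_median": statistics.median(suspect),
        "extra_delay": extra_delay(control, suspect),
        "delayed": looks_delayed(control, suspect),
    }


if __name__ == "__main__":
    # Usage: python probe.py iis6-server.example   (placeholder hostname)
    target = sys.argv[1] if len(sys.argv) > 1 else "iis6-server.example"
    result = probe(target)
    verdict = "DELAY REPRODUCED" if result["delayed"] else "no consistent delay"
    print(f"{result['host']}: control {result['control_median']:.2f}s, "
          f"{SUSPECT_PATH} {result['suspect_median']:.2f}s "
          f"(+{result['extra_delay']:.2f}s) -> {verdict}")
```

If only one of several identically patched IIS 6 servers reproduces the delay, that is the situation David describes: compare that server's site configuration and deployed code against the others rather than assuming the scanner found a missing patch.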