[thelist] closed source security was: DB Security

Ryan Finley RyanF at SonicFoundry.com
Thu May 3 16:58:41 CDT 2001


<<
No it's not. How many 'hackers' are beating on it every day exactly? How
is the 'beating' making the webserver more secure? Is it really making
it more secure? Very secure??
>>

My main contention is that Microsoft products CAN be secure.  I'd wager a
bet that almost ALL of the hacks on IIS are because a wannabe admin didn't
apply a patch that came out 2 years ago!

A month or so ago, someone on this list mentioned a security problem with
IIS...the infamous .HTR extension bug.  That thing was patched a LOONNNG
time ago.

<<
The whole closed vs. open source argument could go here, and if you
wanna rap about it, I'm cool :)
>>

Uh, no... :)

<<
MS and Apache release a new version of their web serving software the
same day, to much fanfare. One week later, a buffer overflow is found in
each piece of software. Now, which software would you rather be running?
Apache, where the moment someone hears about the hole they're working on
a fix because they can see the code, or you yourself could get under the
hood, fix, recompile and be exploit free all in under 10 minutes? Or
would you rather be running IIS where the hole is known (as this one was)
but since the source code isn't readily available you need to wait on MS
to acknowledge, fix, test, and deploy the fix on *THEIR* time?

eEye informed MS about this two weeks ago, and that's how long it took
for them to roll a patch. You do the math...
>>

Most people running IIS can't even INSTALL Apache, let alone get down into
the code of a webserver to fix a buffer overflow...

But damn, I'm coming across as a Microsoft apologist...I use IIS and ASP
simply because of inertia.  I'd rather get my ideas going, rather than spend
my time spinning my wheels learnin' a new technology.

	Ryan



