[thelist] [OT] Web Server Worm Infects 12,000 Web Servers

Judah McAuley judah at wiredotter.com
Thu Jul 19 14:41:24 CDT 2001


At 12:05 PM 7/19/2001 -0700, Anthony wrote:

>You are correct in saying that security should be important to the admin. 
>However, if you regularly visit the appropriate MS Page for NT Critical 
>updates this patch is not listed on the page.
>
>http://www.microsoft.com/ntserver/nts/downloads/default.asp
>
>In fact this page has not been updated since May. ;-(
>
>Not that this is the only route to the critical update information - it 
>still sucks that it's behind and out of date.

I would certainly agree with you that Microsoft's security updates are 
generally lacking.  In this case, however, the file was listed as a 
critical update for W2K and not for NT 4 because it only affects the Index 
Server on NT 4 (not installed by default) but affects the Index Service 
under W2K (installed by default).  Therefore I guess they deemed it 
critical for 2K, but not for NT because NT users would have to manually 
install it from the Option Pack.

That being said, the vulnerability should have come up because admins 
should remove any script mappings that they don't use (like .ida (Internet 
Data Administration) and .idq (Internet Data Query) ).  In the same manner, 
how many people use Web-based access to printers through IIS?  Anyone who 
doesn't should remove the mapping.  That way they wouldn't have been 
vulnerable when that .dll was exploited.  Of course, in that particular 
case, Windows reinstalls the mapping without telling you.

As much as I rag on Admins for not keeping up with fixes and being 
proactive about removing things they don't use, I must admit that the 
fundamental problem is that Microsoft doesn't give a rat's ass about 
secure coding practices.  Hackers have tools for scanning DLLs for 
buffer overrun conditions, why doesn't Microsoft use them *before* they 
ship a product?  The answer:  security isn't cost effective for them 
yet.  And that pisses me off to no end.  And I still have to use their 
products.

*sigh*

Judah
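
Added example, not part of the original message: a short Python audit of IIS script mappings against the extensions a site actually uses, which also reports a mapping that was removed earlier and has come back (the silent reinstall mentioned above). The entry format "extension,handler path,flags,verbs", the sample entries and the function names are assumptions made for illustration.

```python
# Added example: audit IIS script mappings against an allowlist of extensions in use.
# Assumed entry format: "<ext>,<handler path>,<flags>[,<verb>...]"

# Constructed sample data, not taken from a real server.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST",
    r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".idq,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
    "garbage-line-without-fields",
]


def parse_script_map(entry):
    """Return (extension, handler, verbs), or None for a malformed entry."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith(".") or not parts[1]:
        return None
    return parts[0].lower(), parts[1], tuple(v.upper() for v in parts[3:])


def audit_script_maps(entries, in_use, previously_removed=()):
    """Sort mappings into kept, unused, malformed and reappeared.

    in_use: extensions the site really serves (the allowlist).
    previously_removed: extensions an admin already unmapped; seeing one
    again means something re-added it behind the admin's back.
    """
    allowed = {e.lower() for e in in_use}
    removed = {e.lower() for e in previously_removed}
    report = {"kept": [], "unused": [], "malformed": [], "reappeared": []}
    for entry in entries:
        parsed = parse_script_map(entry)
        if parsed is None:
            report["malformed"].append(entry)
            continue
        ext, handler, _verbs = parsed
        if ext in allowed:
            report["kept"].append(ext)
            continue
        report["unused"].append((ext, handler))  # candidate for removal
        if ext in removed:
            report["reappeared"].append(ext)
    return report


if __name__ == "__main__":
    result = audit_script_maps(SAMPLE_SCRIPT_MAPS, {".asp"}, {".printer"})
    for category, items in result.items():
        print(category, items)
```
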




