SANS says: IIS most vulnerable software
Results 1 to 8 of 8

Thread: SANS says: IIS most vulnerable software

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    84

    Lightbulb SANS says: IIS most vulnerable software on M$ list

    SANS an internet security institute publishes in his top twenty that IIS from M$ is one of the most vulnerable software packages on the M$ list. It is very sensitive for Denial of service attacks and sometimes can give very sensitive information to non authorized users. Next to IIS we see MSSQL, Windows login and Internet Explorer. In the unix top twenty of most vulnerable software it's BIND Domain Name System on number one, followed by RPC and Apache.

    Read the whole article at SANS website
    [shadow]OpenGL rules the game[/shadow]http://www.AntiOnline.com/sig.php?imageid=499

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    107
    lol nice 1 so man MSSQL was insecure from the start.... spetialy with Google.... & all the other searsh bots out there

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Yes but is it the product, poor administration or what? The identify where the weak points are but don't identify the "causes" that put those Applications into those weak situations.


    The fact that BIND and apache are still top would have me nervous as well since Apache represents the vast majority of websites and BIND is the #1 DNS server (last figure I remember was 97% of all DNS servers).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    cleanbash...you might want to read the rest of that article. it DOES NOT state that IIS is the most vulnerable software. indeed it is on the top of the list for M$ software, but if you look farther down on this article it also lists most vulnerable *nix software(you did mention the BIND and other issues???). as MsMittens mentioned, the fact that apache is on there should scare people more as it has the largest install base for webservers. it also has some of the same and even different exploits. IIS and Apache in their default configs are open to all sorts of nasty things, it takes an admin that knows their ****(or can read a lockdown checklist) to properly secure these apps. i for one have never had any of my IIS servers get compromised and i can assure you that you(depending on your age) have probably been to one of the sites that i manage.

    this article is a good read for those not "in the know", but you should not try to slant your post as IIS is the most vulnerable software. remember this...NO SOFTWARE IS WITHOUT FLAWS..it takes a knowledgable admin to properly secure their installations.
    just making some minor adjustments to your system....

  5. #5
    Member
    Join Date
    Feb 2002
    Posts
    84
    Thanks ol jeb I changed it a little bit. (I read the article but when I wrote this topic I forgot to mention that it was on top of the M$ list).
    [shadow]OpenGL rules the game[/shadow]http://www.AntiOnline.com/sig.php?imageid=499

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Well, I'm impressed. I would have bet about SendMail being the most vulnerable *nix software. And it is only on 6th position.
    As Ol Jeb said, many of those software need a correct configuration to be secure. I'm still surprised to view that some apps like Appache are so insecure by default, while some simple changes in default options could arise the level.
    Life is boring. Play NetHack... --more--

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I don't know if it's Apache per say:

    In addition to exploits in Apaches core and modules (CA-2002-27, CA-2002-17), SQL, databases, CGI, PHP vulnerabilities are all potentially exposed through the web server.
    I wonder if it's the modules and other 3rd party add-ons that open it up to attacks. Certainly poor and insecure items like MySQL, Perl and PHP would open Apache to being vulnerable. A good example is when I went searching for information on the publisher of a book and found Google referencing a german MP3 site. Curious as I was, I went to check it and found a php page that had a data entry box with a button labelled "run command". So I did an ls -l and lo' and behold got directory. I even did a cat /etc/shadow and eventually did a write to root to tell them either the user had poor directory permissions or someone compromised their server.

    Look at the dates of the CVE. There were only 4 for Apache for 2003 and 2 for 2002. But a whack of them appeared in 1999. All of the "top 10" are culmulative rather than indicative of time. Products do change and developers do learn from their past.

    Heck, for BIND there isn't a single vulnerability for 2003 in the CVE. And yet, it's number 1. Why?

    Chief among them are administrators who are not aware of security upgrades, systems which are running BIND daemon (called "named") unnecessarily, and bad configuration files.
    Strikes me as this may not be an entirely accurate top 10.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Heck, for BIND there isn't a single vulnerability for 2003 in the CVE. And yet, it's number 1. Why?
    Chief among them are administrators who are not aware of security upgrades, systems which are running BIND daemon (called "named") unnecessarily, and bad configuration files.
    I know what you mean MsMittens but maybe there's a lot of old versions being run out there. If they dont keep up with the patches they'll be running these older versions which have vulnerabilities. Dunno.

    Interesting study I found here http://www.menandmice.com/dnsplace/h...y.html?DHS0800 talks about all the misconfigured DNS domains. I realize that probably not related but interesting non-the-less.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •