Fog Creek Software
Discussion Board




Dennis Forbes' new IIS hole?

A few days ago Dennis Forbes described strange behavior of his IIS install that was apparently from a virus or outright hack.  Nobody seemed to have any information about it then.  Saw this article today that gives a little bit more information:

http://www.msnbc.msn.com/id/5290386/

Herbert Sitz
Thursday, June 24, 2004

I hope my banks are safe.

hoser
Thursday, June 24, 2004

A more detailed article from news.news.news.com.com.com:

http://tinyurl.com/389x3

It sure does sound like Dennis' IIS hole.

Nate Silva
Friday, June 25, 2004

The full URL, for those who don't trust TinyURL:

http://news.com.com/Corporate+Web+servers+infecting+visitors%27+PCs/2100-7349_3-5247187.html?tag=nefd.top

"This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks."

Nate Silva
Friday, June 25, 2004

If http://www.microsoft.com/security/incident/download_ject.mspx is to be believed, this is caused by unpatched IIS boxes.

Now, I'm more of a Microsoft apologist than most, but seriously, if you're going to run IIS you HAVE to stay on top of the patches. To do otherwise borders on the criminal in my opinion.

Matt T.
Friday, June 25, 2004

Well, I feel better now knowing that MS04-011 is to blame ... if there had been a new IIS-specific hole that I (and MS) wasn't aware of, that nightmare scenario I'd been looking for would've been a short time coming.

Greg Hurlman
Friday, June 25, 2004

Let me clarify that it wasn't my box that was compromised, and I wasn't being facetious when I claimed that it was a friend's (in fact it has been very frustrating because many of the things that I would have checked I have been unable to - logs, ownerships and creation times of files, patch states, etc). It sounds like it is specifically an SSL exploit, apparently patched by the above-mentioned fix. Note that in my other message I indicated that there are reports that Microsoft has had servers compromised.

On the flip side, this installs JavaScript that exploits an UNpatched hole in IE, so anyone browsing around, including to trusted sites (if the above is to be believed - Microsoft.com for instance) is basically being owned. If indeed this should have been patched on the IIS side, it doesn't fix the fact that the IE side is completely vulnerable.

Dennis Forbes
Friday, June 25, 2004

"If http://www.microsoft.com/security/incident/download_ject.mspx is to be believed, this is caused by unpatched IIS boxes."

Wouldn't it be ironic if going to their site to read about the virus, actually infects your computer with the virus.

Mr O
Friday, June 25, 2004

"Wouldn't it be ironic if going to their site to read about the virus, actually infects your computer with the virus."

Turn off JavaScript or use a better browser than IE.  Mozilla, Firefox and Opera all qualify.

5v3n
Friday, June 25, 2004
