Jun, 2001 : Microsoft Security Breach Open Door for Some Hackers
📅 - According to security experts, systems administrators should not hesitate in applying the patch to the latest security hole in Microsoft's Web server software.
On Monday, Microsoft announced that there was a flaw in the indexing element of its Web server software, the Internet Information Service. The breach could compromise the security of up to 6 million Internet sites, said the company. But at the same time, Microsoft released a patch for the flaw, advising strongly that Web server administrators immediately apply it.
And while a program designed to exploit the flaw has not yet appeared publicly, security experts say that at least one hacker organization has developed a tool of this kind. Experts say the hackers want to keep the software to themselves.
Affecting all versions of IIS running under Windows NT, Windows 2000 and a limited release beta version of Windows XP, the flaw could allow a hacker to gain total control of a server.
And while a program designed to exploit a hole of this kind is usually posted to major security mailing lists shortly after the announcement, forcing administrators to patch their systems or be left defenseless, no such program has appeared yet.
And experts say that the lack of a publicized program may cause system administrators to feel safer, and take their time in applying the patch. But hacking goups may prefer this lack of disclosure, as it can afford them more opportunity to exploit the unprotected systems.
While hackers may not appreciate the heightened awareness that this kind of disclosure brings to security flaws, there is a debate over the notion of this full disclosure. Many feel that all available information regarding a security flaw should be made public. Others think that only the information relevant to fixing it should be disclosed.
Microsoft believes that waiting until the patch has been written to release the information about the breach gives administrators a jump on the hackers. Experts say this practice gives administrators a chance to patch their systems before hackers figure out how to exploit the flaw.
But security specialists warn that these windows of opportunity can quickly close, and in this case, may have already.
On Monday, Microsoft announced that there was a flaw in the indexing element of its Web server software, the Internet Information Service. The breach could compromise the security of up to 6 million Internet sites, said the company. But at the same time, Microsoft released a patch for the flaw, advising strongly that Web server administrators immediately apply it.
And while a program designed to exploit the flaw has not yet appeared publicly, security experts say that at least one hacker organization has developed a tool of this kind. Experts say the hackers want to keep the software to themselves.
Affecting all versions of IIS running under Windows NT, Windows 2000 and a limited release beta version of Windows XP, the flaw could allow a hacker to gain total control of a server.
And while a program designed to exploit a hole of this kind is usually posted to major security mailing lists shortly after the announcement, forcing administrators to patch their systems or be left defenseless, no such program has appeared yet.
And experts say that the lack of a publicized program may cause system administrators to feel safer, and take their time in applying the patch. But hacking goups may prefer this lack of disclosure, as it can afford them more opportunity to exploit the unprotected systems.
While hackers may not appreciate the heightened awareness that this kind of disclosure brings to security flaws, there is a debate over the notion of this full disclosure. Many feel that all available information regarding a security flaw should be made public. Others think that only the information relevant to fixing it should be disclosed.
Microsoft believes that waiting until the patch has been written to release the information about the breach gives administrators a jump on the hackers. Experts say this practice gives administrators a chance to patch their systems before hackers figure out how to exploit the flaw.
But security specialists warn that these windows of opportunity can quickly close, and in this case, may have already.
Reads: 1578 | Category: General | Source: TheWHIR : Web Host Industry Reviews
URL source: http://www.thewhir.com/marketwatch/microsoft622.cfm
Want to add a website news or press release ? Just do it, it's free! Use add web hosting news!