RealTime IT News

Microsoft IIS Patch, Round Two

On Wednesday, Microsoft released its latest security patch for the Active Server Pages (ASP) function of its bug-prone Internet Information Server (IIS).

This is the second, all-encompassing IIS patch for the software giant, a company that has come under fire for repeated security breaches in its operating systems, Internet browser and IIS applications over the years.

The 10 vulnerabilities, found by Microsoft technicians, eEye Digital Security, Entrust Technologies, @Stake and several private individuals, run the gamut of the hacker's handbook. Four are considered "critical" vulnerabilities that demand immediate fixes, the bulletin states.

From buffer overrun bugs to denial of service vulnerabilities, the wide-ranging patch repairs flaws found in IIS 4.0, IIS 5.0 and IIS 5.1. Microsoft officials said beta versions of its .Net Server (build 3605) software, which uses IIS 6.0, already have the fixes in place, and warned companies against using the product on their intranets.

"By definition, beta products are incomplete, they're intended for evaluation purposes and shouldn't be used in production systems," the bulletin reported.

ASP is an oft-maligned technology many developers consider the main reason for Microsoft's software security woes. Unfortunately for Microsoft and its many customers, it's the linchpin behind the company's Internet/Intranet and Web services, allowing Web servers to dynamically generate Web applications.

Some, however, believe it unfair to single Microsoft out for the current security issues. Last October, research firm Meta Group found it was partly the responsibility of systems administrators to keep up to date with patches before hackers find the affected systems.

The patch can be found here.