Microsoft IIS Patch, Round Two

Microsoft released Wednesday its latest
security patch affecting bug-prone Internet Information Server’s active
server pages (ASP) function.

This is the second, all-encompassing IIS patch for the software giant, a
company that’s come under heat for repeated security breaches in its
operating, Internet and IIS applications over the years.

The 10 vulnerabilities, found by Microsoft technicians, eEye Digital
Security, Entrust Technologies, @Stake and several private individuals, run
the gamut of the hacker’s handbook. Four are considered “critical”
vulnerabilities that demand immediate fixes, the bulletin states.

From buffer overrun bugs to denial of service vulnerabilities, the
widespread patch repairs breaches that can be found in IIS 4.0, IIS 5.0 and
IIS 5.1. Microsoft officials said beta versions of its .Net Server (build
3605) software, using IIS 6.0, already have the fixes in place, and warned
companies against using the product on their intranets.

“By definition, beta products are incomplete, they’re intended for
evaluation purposes and shouldn’t be used in production systems,” the
bulletin reported.

ASP is an oft-maligned technology many developers consider the main reason
for Microsoft’s software security woes. Unfortunately for Microsoft and
its many customers, it’s the linchpin behind the company’s
Internet/Intranet and Web services, allowing Web servers to dynamically
generate Web applications.

Some, however, believe it unfair to single Microsoft out for the current
security issues. Last October, research firm Meta Group found
it was partly the responsibility of systems administrators to keep up to
date with patches before hackers find the affected systems.

The patch can be found here.
