Hot on the heels of the Code Red virus, and still reeling from its effects, Microsoft has released an all-encompassing patch for its IIS servers that fixes five different recently discovered vulnerabilities and also includes every patch released to date for IIS 4.0 since Windows NT 4.0 Service Pack 5.
IIS has had an inordinate number of security flaws. The new cumulative patch has left system administrators wondering about the overall security measures Microsoft applies before a product is released for the public's use. The growing list of security flaws is a signal that the technology is far from being secure right out of the box. Microsoft has been criticized not only for the security flaw that Code Red exploited but also for not acting fast enough in fixing it, thereby allowing the virus to spread quickly.
In addition to the Code Red DoS vulnerability, the newest patch also fixes a flaw in the WebDAV feature of IIS 5.0, a flaw in the way 5.0 interprets content with an invalid MIME header, a buffer overrun vulnerability in the code that performs server-side include directives, and a privilege elevation vulnerability in 5.0's table processing. The new patch also fixes a side effect of the previously released IIS cumulative patch.
Microsoft has admitted that the vulnerabilities in IIS have been extensive, and this is a problem for the large number of companies that rely heavily on IIS for their Web serving. Despite the company's efforts to get the patches out to the public, there are numerous problems with the "patch and go" approach. First and foremost, users have to know about the patch and actually install it. Second, by consistently drawing attention to all the security flaws, the company is letting malicious hackers know that these systems are potentially vulnerable, almost inviting them to look for new ways to compromise them.
And perhaps the most detrimental effect is that a growing number of security fixes for a specific piece of software will inevitably begin to erode user confidence and cause people to ferret out other options, such as an operating system with less of a track record of security issues. According to the Computer Emergency Response Team Coordination Center, almost half of its security alerts for the past year have involved Microsoft technologies. And while Microsoft certainly dominates its markets and is high-profile, that prominence almost backfires, as it draws attention to the company and in particular to its security breaches. However, it should be noted that IIS is not the only software experiencing a glut of security problems. According to one network engineer, FreeBSD has already received 79 security updates this year.