Well, if Halloween didn't spook you, there was plenty of IIS news to keep you on your toes. Fresh off the new vulnerability that rain.forest.puppy released, here comes a flood of new problems. Be sure to take note of three new vulnerabilities just in the past week, not to mention the big hit Microsoft itself took.
In my April 11 Commentary, I shared some of the exploit pages that I keep up with. Since that column appeared, new sites have emerged, and I figure it's time to update the list. I've also heard from subscribers to this UPDATE about sites they like. Here's an updated site list.
First, bookmark the official Microsoft Security Site. All the patches come from this site. I make a practice of keeping hotfixes and service packs up-to-date on a server share at my shop and routinely burn a CD-ROM with them. Sometimes, a network share just isn't accessible when you need it. Don't forget that you can expand hotfixes and service packs with the /x switch. (I usually expand the hotfixes before storing them, which lets me keep up with what's being installed and in what version.)
I also believe that it's prudent to see what other security sites are reporting. For the most part, Microsoft encourages vulnerability hunters to jointly release bulletins with patches to avoid announcing a vulnerability ahead of the patch. Such was the case last week when Georgi Guninski announced a new vulnerability with cross-site scripting and Microsoft Index Server. Guninski took issue with Microsoft's response time to a vulnerability; he informed Microsoft, then announced it anyway, which stirred a debate about the value of early disclosure.
Whatever your belief about early disclosure, I recommend that you bookmark a few of these sites. Some of the sites I visit regularly that are worthy of bookmarking include the following:
- http://www.securiteam.com — This Web site is a good headline news-style site for vulnerabilities. The site even has a Windows NT-specific list of security information and is updated daily.
- http://www.hackernews.com — This Web site reports the high-profile activities of Web site defacements, even providing a link to attrition's list of defaced sites. The site also tackles news stories that relate to hacking.
- http://www.ntsecurity.net — This is the security site associated with Windows 2000 Magazine, and it is updated daily. Although Windows platforms are the focus, this site isn't limited to Windows topics.
These are the more active sites that cover Microsoft and other vulnerabilities. Other sites come along, and I'm sure you have some favorites, too. Feel free to pass them my way, and I might mention them in a future column.
One last note: Some hacker Web sites can contain material that some folks deem inappropriate or offensive. Be sure to check your office policy for viewing such sites. None of the sites mentioned in this column contains such material.