Do you run IIS? If so, you need to know that Microsoft has issued security bulletin MS01-033 about yet another nasty hole in the IIS-based Index Server 2.0 on Windows NT 4.0 and the Indexing Service on Windows 2000 and beta versions of Windows XP. eEye Digital Security discovered the problem, which can let an intruder access the server under the security context of the built-in system account. The problem stems from an unchecked buffer in an Internet Server API (ISAPI) filter used while processing .ida files, which are associated with the Index Server and Indexing Service.
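One practical follow-up for an administrator is to check whether the server is even receiving requests for the .ida/.idq resources handled by that ISAPI filter, and whether any of them carry an abnormally long query string. The following script is an added example, not code from the original newsletter or from Microsoft or eEye; it parses IIS W3C extended log lines (a constructed sample is embedded) and flags such requests. The 200-character threshold and the field layout are assumptions chosen for the sample, not values taken from the bulletin.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample of IIS W3C extended log lines (not from the original page).
# The third request carries a deliberately over-long query string of filler bytes
# to exercise the length check; it is not a real attack payload.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-06-19 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-19 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2001-06-19 10:01:05 192.0.2.11 GET /query.ida CiRestriction=kitten&CiScope=%2F 200",
    "2001-06-19 10:01:09 198.51.100.7 GET /query.ida " + "A" * 300 + " 200",
    "2001-06-19 10:01:12 192.0.2.12 GET /scripts/foo.idq - 404",
])

# Extensions that IIS maps to the Index Server / Indexing Service ISAPI filter.
IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)


@dataclass
class Finding:
    client_ip: str
    uri_stem: str
    query_len: int
    reason: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # no #Fields: directive seen yet, so the columns are unknown
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def flag_ida_requests(text: str, max_query_len: int = 200) -> List[Finding]:
    """Return every request for an .ida/.idq resource, marking oversized query strings.

    max_query_len is an assumed threshold for this example; tune it to the
    longest legitimate Indexing Service query your site actually issues.
    """
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not IDA_EXT.search(stem):
            continue
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)
        if qlen > max_query_len:
            reason = "oversized query string sent to the Indexing Service ISAPI filter"
        else:
            reason = "request for an .ida/.idq resource; confirm the script mapping is still needed"
        findings.append(Finding(rec.get("c-ip", "?"), stem, qlen, reason))
    return findings


if __name__ == "__main__":
    for f in flag_ida_requests(SAMPLE_LOG):
        print(f"{f.client_ip:15} {f.uri_stem:20} len={f.query_len:4} {f.reason}")
```

Any hit at all is worth a look: if the site does not use the Indexing Service over the web, the usual mitigation alongside the patch is to remove the .ida and .idq script mappings so the filter never sees the request; an oversized query string is the signal to investigate that client further.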

I point out this newly discovered problem because this is the fourth time in 2 years that eEye Digital Security has discovered an exploit against IIS that can grant an intruder system-level access. If hackers can find such dangerous holes in IIS, why can't Microsoft find them before the code rolls out to millions of Web servers around the planet? Each time such a hole surfaces, countless systems become easy prey because administrators don't apply security fixes fast enough. We can blame administrators and less-than-thorough administration, but it's Microsoft's fault that the holes exist to begin with.

Some time ago, Microsoft said it was placing more focus on the security of its products, and the added effort shows. But even so, the company's efforts obviously aren't enough. When confronted with the number of security problems in its products, Microsoft shifts the blame to the volume of code in Windows platforms and related products. The company says that with millions of lines of code, finding every potential security risk before a product ships is impossible. But hackers don't seem to find many barriers to vulnerability discovery regardless of how big Microsoft's code becomes. Microsoft needs to follow its own recent advice and introduce a higher level of best practices into its organization.

I admit that excellent hackers are a tough act to follow, but given the resources available to Microsoft, I fail to understand why the company doesn't do a better job of debugging its code before releasing it into production. You've heard the adage, "Haste makes waste." In the case of security-related bugs, any haste on Microsoft's part generally costs its customers lots of money in subsequent damages.

I wonder why users have no recourse against defective software products when they do have recourse against many other types of defective products. After all, Microsoft dominates about 80 percent of all desktops on the planet. A vast percentage of worldwide commerce pivots around Microsoft technology, but the company produces less than safe products. When we use Microsoft's products, we're bound by its license structure, and by accepting that license we accept all the product's risks by default. Do you think General Motors could get away with a similar license for its somewhat dangerous Sport Utility Vehicles (SUVs) or any other automobile? Not a chance.

On a semi-related note, the National Security Agency (NSA) released a set of documents and templates that help people secure their Windows environments. Be sure to read the related news story in the SECURITY ROUNDUP section of this newsletter. Xato Network Security downloaded the documents and discovered some glaring contradictions and inaccuracies. An Xato representative posted a message on our Win2KSecAdvice mailing list detailing some of these findings, so be sure to read the message before implementing any of NSA's templates or recommended configuration settings. Until next time, have a great week.