Microsoft security flaw in shades of gray
(IDG) -- The latest security hole in Microsoft's Internet Information Server 5.0 is a doozy. It lets anyone anywhere run code on the hosting Windows 2000 system with administrator privileges. The hole was reported on Tuesday by eEye Digital Security. Microsoft released a patch to fix it, and acknowledged and thanked eEye.
Microsoft's hole-du-jour was widely reported on Wednesday. That same day, several hackers released exploits demonstrating how to use the technique to run code on remote Windows 2000 systems, and the press clamor began anew.
Accounts varied as to how many vulnerable systems there are. The AP reported that Microsoft has sold a million licenses of its Windows 2000 Server, but didn't guess how many are running the IIS Web software. The Register blithely guesstimated, and headlined, that "several million" Windows 2000/IIS 5.0 systems are in use.
An early Associated Press report simply covered a press release from eEye announcing the exploits. ZDNet and InternetNews identified one of the hackers - who goes by the nickname Dark Spyrit - and described his exploit code, called jill.c.
Because eEye waited for Microsoft's fix before posting details of the problem, the security community would consider it a "white hat." (Gray hats are those hackers who believe that the best way to force attention to security is to promulgate dangerous exploits. Black hats are the just-plain bad guys.) Yet after Dark Spyrit - whom InternetNews's Brian McWilliams called a gray hat - released jill.c, eEye's "chief hacking officer" published a harmless sample exploit of his own. Watch his hat darken.
The Register's hat is looking a little smudged after its coverage. Reporter Thomas C. Greene not only fingered a second published exploit but also provided handy links to both pieces of abusive code. InternetNews quoted security expert Russ Cooper, identified as the "surgeon general" of TruSecure, who said releasing an exploit "was not necessary to put fire under the butts of anybody. Every alerting mechanism on the planet has been invoked."