Microsoft Windows and IIS have long been whipping boys for security issues. If you hadn’t noticed, they’re back in the spotlight, though not quite as loudly because of the technical nature of recent issues. But this year is different. Instead of Microsoft standing alone, web developers are strapped to the stocks as well.
Microsoft has a new security advisory up (April 23rd) giving vague details of a vulnerability that matches details provided by Cesar Cerrudo at HITBSecConf2008. It sounds like this is less an issue with external hackers and more an issue with trusting your developers, the ones who provide code that could possibly exploit this issue. The workarounds are a bit annoying as posted currently. I think every Windows admin has experienced angst when changing accounts that services or pools run under, and we all do so only if necessary (and cross our fingers that nothing breaks too badly). And disabling MSDTC (COM+) when the apps that run your business use COM+ is not an option. (Microsoft may as well tell us to turn off the web server and unplug the machine!) I think I would be more concerned if I were a larger hosting provider running on Windows…
The above issue does not affect Vista or Windows Server 2008, it appears.
This is paired with a recent large-scale wave of SQL injection attacks. Microsoft (and many others) rightly point the blame at developers and coding practices. The OS and even the coding environment can only go so far to protect against incompetent, ignorant, or rushed developers. The rest is up to the developers and those leading the developers.
Attackers continue to move up the layers.