Internet.com ISP-Planet

A Really Big Patch for Microsoft IIS

The Code Red virus proved to the world that IIS patches must be installed—will this comprehensive patch be the last of a seemingly endless stream of security patches for Microsoft IIS?

by Christopher Pace
of internetnews.com
[August 17, 2001]

Hot on the heels of the Code Red virus, and still reeling from its effects, Microsoft has released an all-encompassing patch for its IIS servers. The patch fixes five recently discovered vulnerabilities and also rolls in every patch released to date for IIS 4.0 since Windows NT 4.0 Service Pack 5.

IIS has had an inordinate number of security flaws
The new cumulative patch has left system administrators wondering about the overall security measures Microsoft uses before a product has been released for the public's use. The growing list of security flaws is a signal that the technology is far from being functional right out of the box.

Microsoft has been criticized for not only the security flaw that Code Red exploited but also for not acting fast enough to fix it, thereby allowing the virus to spread quickly.

In addition to the Code Red DoS vulnerability, the newest patch fixes the following four flaws:

  • a flaw in the WebDAV feature of IIS 5.0
  • a flaw in the way 5.0 interprets content with an invalid MIME header
  • a buffer overrun vulnerability involving the code that performs server-side include directives
  • a privilege elevation vulnerability in 5.0's table processing

Most shocking of all—the new patch also fixes a side effect of the previously released IIS cumulative patch.

Microsoft has admitted that the vulnerabilities of IIS have been extensive, and this is a problem for a large number of companies that rely heavily on IIS for their Web serving.

Software, band-aids not included
Despite the company's efforts to get the patches out to the public, there are numerous problems with the "patch and go" approach. First and foremost, users have to know about the patch and actually install it. Second, by consistently drawing attention to all the security flaws, the company is letting other malicious hackers know that systems are potentially vulnerable and almost inviting them to look for new ways to corrupt the systems.

Perhaps the most detrimental effect is that an increasing number of security flaw fixes on a specific piece of software will begin to erode user confidence and cause people to ferret out other options, such as an operating system with fewer security issues.

According to the Computer Emergency Response Team Coordination Center, almost half of their security alerts for the past year have involved Microsoft technologies. And while Microsoft certainly dominates markets and is high-profile, alerts draw attention to themselves and especially to security breaches.

However, it should be noted that IIS is not the only software experiencing a glut of security problems. According to one network engineer, FreeBSD has received 79 security updates already this year.

— End

Related articles:
  [May 2, 2001] Microsoft Says IIS 5.0 Web Servers Vulnerable
  [Jan. 29, 2001] Windows 2000 as a Webhosting Platform?
  [Mar. 27, 2000] Windows 2000's VPN-Related Security Issues
