Microsoft IIS vuln played no role in server breach, uni says
No in-the-wild attacks reported
Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver.
"Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed the misuse of their account, and that was determined just this afternoon," Ball State University spokesman Tony Proudfoot said on Thursday.
The account corrects an advisory campus officials issued Tuesday that claimed the breach was the result of someone targeting a vulnerability in versions 5 and 6 of IIS that allows attackers to list, access, and in some cases upload files in a password-protected folders of vulnerable machines. The vulnerability exists when IIS uses the WebDAV protocol. The advisory was featured prominently on the university's website.
"Initially, both Microsoft and Ball State suspected the intruder used the WebDAV vulnerability that was made public by Microsoft on May 15," Proudfoot said.
Microsoft has said it is unaware of any attacks that target the vulnerability. ®
I hope the ISS isn't using IIS.
If they are, expect lumps of flaming metal to come hurtling down out of the sky very soon.
ISS stick sucks though...
Of course IIS had security issues as does apache and probably most other servers. But that's not the whole issue here, IIS is still poo even if it didn't have any issues just for it being so ... annoying.
I have had someone hack my apache webserver once... on my home computer. My own fault for not firewalling it to outside connections, I didnt know there were any problems with it until that point. Someone thought it might be funny to put a paypal scam site on my web server... to this day I still do not know how they did it and all I had was a php page with a couple of graphs on it ^^ and it was set up securely.
This was back in the Mandrake days though...
Most of the bad press is related to IIS5 not IIS6
IIS 5 was a security nightmare but IIS6 has been much better (i'm not saying it's the best or drawing comparisons so simmer down) in fact it's become quite a dull subject on the security front much better than most MS software. Take a look at the list it's hardly an issue a week is it now in fact it looks like one a year.