| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Microsoft Statement Regarding Download.Ject Malicious Code Security Issue | |
|
||
| Time: 09:41 EST/14:41 GMT | News Source: Microsoft Press Release | Posted By: Jonathan Tigner | ||
|
Microsoft is committed to helping customers keep their information safe. We are currently working with law enforcement and industry partners to identify the individuals or entities responsible for a new Internet attack, known as Download.Ject, and bring those responsible for this criminal act to justice. On Thursday, June 24, at 4:00 p.m. PDT, Microsoft responded to reports that some enterprise customers running un-patched versions of IIS 5.0 (Internet Information Services), a component of Windows 2000 Server, were being targeted by malicious code, known as Download.Ject. More information is available at: http://www.microsoft.com/downloadject. This site will be updated as new information becomes available. Microsoft's security response teams are dedicated to analyzing, resolving and communicating progress to customers in a timely manner. It is important to note that at this time Microsoft is not aware of widespread customer impact based on Download.Ject. Microsoft has confirmed with its partners that this attack is not a "worm" or virus-in other words, this attack is a targeted manual attack by individuals or entities towards a specific server. Microsoft is working with Internet service provider partners worldwide to shut down the malicious URLs. The primary Web site of attack was located in Russia and was taken offline Thursday evening, June 24. In addition, MSN is scanning for and blocking malicious URLs. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 157 Last | Next |
The time now is
12:24:16 PM
ET.
Any comment problems? E-mail us |
| #1 By 6859 (12.219.23.70) at 6/26/2004 4:27:22 PM |
|
Considering there are THOUSANDS of components that would have to be tested, in various combinations, it makes it really difficult for them to test. ... <I>"Gee, it is vulnerable for Win2k server with IE5.5? How about IE6? Ok, how about with IE5? Oh, lets add in IIS 5, 5.5 and 6. Ok, how about if the Journal viewer is installed...</i>
From MS' perpective, it's easier to sit and do nothing until the vulnerability is discovered. Which is what everyone does. Do you think that FreeBSD tests every possible combo for everything? No, they wait until one guy on bugtraq says "Hey, npam 2.43 plus samba 2 leads to ....." It's just infeasable to do everything. Plus from a legal point of view, it's cheaper to pay any fine incurred--which is what every business does too. |
| #2 By 23275 (68.17.42.38) at 6/26/2004 5:39:49 PM |
|
The vulnerability was addresssed a long while ago in MS04-11 [April]. It, like all vulnerabilities, has been continually tracked and updated as necessary. MS04-11 like many updates, was identified by Microsoft and patched. Regretfully, the patch was reverse engineered by criminals to hurt people for money.
Similarly, IE was patched and well known baseline security analysis and configuration tools have been well publisized and freely available - advising as to safe surfing and recommended settings. It is also no secret that Microsoft has been investing hundreds of millions of dollars to engineer safer, more secure software and has been exposing that software to what some assess have been "Ridiculous levels of qaulity assurance testing." I see it as "thoughtful." All the racket aside, I assess it is high time web server administrators take some responsibility for operating web servers - regardless of type, responsibly. I assess the same is true for any system, any person connects to the public networks and the Internet. After all, most of us dirve cars, we have both formal and informal training for that, we have licenses, take tests and are required to maintain insurance and safe vehicles - there are standards. Opposite systems that have the potential to cause much greater harm, we seem to blame only Microsoft... This is nutty. Now, as I continue to test dozens of Kernel updates for four Red Hat AS servers, and as I recognize how much easier it was to secure and manage my Windows Servers, I am simultaneously writing plans to port the applications off of those Red Hat servers to Windows 2003 Server - it will cost my clients less and make it far easier and cheaper to keep them safe. The bottom line is all about personal responsibility and not about blaming software companies in isolation. Collectively, we need to focus on what "we" are going to do and also on how "we" are going to help catch and prosecute criminals that threaten all of us. Thanks, Lloyd |
|
Write Comment
Return to News |
Displaying 1 through 25 of 157 Last | Next |
The time now is
12:24:16 PM
ET.
Any comment problems? E-mail us |
