News MS warns over unpatched IIS flaw

http://www.bit-tech.net/news/bits/2009/09/09/ms-warns-over-unpatched-iis-flaw/1

Microsoft has issued a warning regarding a flaw in its IIS software that can lead to a Denial of Service attack or remote code execution, but no patch is yet available.

 

I like how they say it was not responsibly disclosed

 

It just shows the problem inherent in only releasing patches once a month: it gives the script kiddies up to a month to wreak their havoc. I know it makes sense from MS's point of view - it gives them a month to test new patches - but from a customer's perspective, it sucks sweaty monkey balls.

That said, are many companies going to be running IIS with FTP enabled, let alone open it to all and sundry?

 

Another reason why I dont use IIS for FTP Servers in our farm.

 

IIS == Inherently Invade able Software?

 

Rushing patches out the door without sufficient testing time is just as dangerous as that might break other functionality or introduce new problems of their own. I also know from my experiences as a software developer that sometimes you go into fix a problem and uncover other flaws downstream from that fix that need attention as well.

 

While Apache is not without bugs, at least they're fixed a lot faster than it takes Microsoft "time to test and develop a patch".

FFS Microsoft, does it really take you a whole month to fix broken code? I can't believe your developers cannot read C++, so it must be your leviathon management structure that slows things down.