NSLog();

4 Comments »

4 Responses to "Another Day, Another Hole in IIS"

1. | Reply Buzz Andersen
   Posted 17 Mar 2003 at 6:07pm #
   

   Funny you should mention that--I'm actually on a quest at work right now to end our use of IIS once and for all (we have a legacy web app that uses ASP, but I'm fighting tooth and nail to replace it with Java and Tomcat). I love seeing stuff like this--it just gives me that much more ammo!

2. | Reply Nick
   Posted 17 Mar 2003 at 7:22pm #
   

   BugTraq Search: Buffer Overflow

   Matching Results: 3685

   Not so easy, it would appear.

   I'm not saying this makes it OK ... definitely sucks and I wish as much as anyone that we would clean these things up faster.

   But come on, I suspect you're a better developer than to expect that purging all your bugs is as easy as snapping your fingers.

   --Nick

3. | Reply Erik J. Barzeski
   Posted 17 Mar 2003 at 7:27pm #
   

   I am. But buffer overflows are soooo common that, well, people should be extra careful to look out for them specifically.

4. | Reply Eric
   Posted 17 Mar 2003 at 8:55pm #
   

   For what it's worth, Microsoft has far better static code analysis tools than I've seen at any other company or for any other operating system. They have some terrific tools for checking for buffer overflows and just about any other related problem, and they use them on all new products. If everyone else did the same, you'd find far fewer bugs (to say nothing of security holes) in Linux, Mac OS X, and other operating systems.

   This hole doesn't even affect the latest version of IIS. Apple, Red Hat, and others are lucky that there aren't many people poring through older versions of their software looking for security holes.