Bugtraq mailing list archives
Re: Microsoft - Personal Web Server Extended UNICODE Directory Traversal Vulnerability
From: Michael Brennen <mbrennen () FNI COM>
Date: Wed, 21 Mar 2001 11:18:03 -0600
On Mon, 19 Mar 2001, Microsoft Security Response Center wrote:
> Personal Web Server is, of course, not intended to host web sites on the Internet. It's only intended to be used in protected environments such as home networks and the like. If you're hosting an Internet site, IIS is the appropriate product to use.
>
> Regards,
> Scott Culp
> Security Program Manager
> Microsoft Security Response Center
This response is an attempt to redefine a problem out of existence rather than fix it. Or have we forgotten that Microsoft's own network was broken while running its 'appropriate products' (without 'appropriate patches', of course)?

It does not matter for what purpose PWS is running. Given that PWS runs with FP, and that it may be running for long web site development sessions, that it is running at all is sufficient to put the machine at risk. Or is PWS not vulnerable when running with FP?

The 'of course' above is not at all obvious. Does FP document that web site development should only be done on a protected network? Where is PWS prominently labeled as inappropriate for use on the public Internet? Or should it be intuitively obvious that because of the use of 'personal' in its name one should only use it on a protected network? It is one thing to be designed not to carry much traffic or have many configuration options; it is quite another to be insecure.

That a machine running PWS may be at risk, and that Microsoft understands this and has chosen not to fix it, is the tacit conclusion of Mr. Culp's response.

The stark reality is that home computers are generally the least protected on the Internet. Given the known bugs and security design flaws in Windows (OS, IE, Outlook, and related software), and that most home computer users do not understand the bugs or security issues involved, probably rarely if ever update security patches, and are increasingly connected with unprotected always-on connections, they are also among the most vulnerable. Or do we forget about trinoo and kin, unprotected drive shares, and others? And this is the protected home network environment where Microsoft expects PWS to be run for security reasons?

--
Michael