Full Disclosure mailing list archives

Re: Web sites compromised by IIS attack


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 30 Jun 2004 18:27:16 -0500

On Wed, 2004-06-30 at 15:58, TIERNAN RAY, BLOOMBERG/ NEWSROOM: wrote:
[...] Sites running Microsoft server software, such as the
Kelley Blue Book, were infected with malicious code.
[...]
     ``Our site was infected,'' said Robyn Eckard, a spokeswoman
for Kelley Blue Book, an automotive pricing site at
http://www.kbb.com. Users tipped off the site Wednesday that one
of 15 Web servers running Microsoft's IIS was infected, she said.
[...]

If this email is real (and the headers do look legit), I have to applaud
Kelley Blue Book for coming forward with this information. It takes a
bit of guts to make an announcement like this. But I don't think
Kelley's Admins are to blame. 

Administrators should spend their time on keeping systems operating,
setting up jobs, and satisfying business requirements. They should not
have to spend their time fixing broken products.

No. The blame squarely falls on the manufacturers of broken products.
They should produce software that works. That includes QA, product
testing, due diligence etc. (Insert your favorite car analogy here)

I think we all have tolerated broken software products for too long. It
is high time to demand better products, or to select alternative
products. We need to stop accepting software riddled with flaws and
instead demand better quality software. No other product besides
software is purchased with flaws -- knowingly at least, and consumer
oriented organizations are making sure that consumers know about
defects. Why should software be different? Because it is more convenient
for the manufacturer and not the consumer to fix it after the sale? We
should start treating software like any other products. If it's broken,
the producer is required to fix it, not the consumer. 

No, I do not blame the companies of compromised servers, nor their
admins. I blame the manufacturer of the product. So, with sympathy to
Kelley Blue Book, and all other companies that had been affected, I say
"Shame on you, Microsoft."

Instead of requiring the consumer to install patches, Microsoft should
be required to fix their own, broken products. That means that they
should send their army of engineers (a lot of which are now carrying the
CISSP certification) to the consumers and have their engineers correct
the flaws in their products. They sold flawed products; they should fix
them.

Regards,
Frank



