This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

Who Let the Wolves In?

Jun 19 2001 08:37 AM PDT

Security mavens say a hole in Microsoft's IIS software is the biggest one yet.

This is the state of Internet security: Experts cry "wolf" again and again, the mainstream media get bored and stop covering each new vulnerability, and larger and larger wolves drift into town and start devouring villagers.

The newest security hole in Microsoft Internet software is the biggest yet, according to its discoverers and a few media outlets such as CNET and MSNBC. As many as 6 million Web servers running Microsoft IIS software need to be patched right now, before the bad guys package up an exploit for the script kiddies to trade around. The flaw affects all versions of IIS running under Windows NT, Windows 2000 and a beta version of Windows XP.

Everybody who covered the story talked to Marc Maiffret, the "chief hacking officer" at eEye Digital Security, the company that discovered the hole. Maiffret told MSNBC's Brock Meeks, "On a scale of 1 to 10, ... this one is an 11." Still, ZDNet found a Gartner analyst who thought the latest flaw wouldn't harm Microsoft's image much.

The New York Times ran a few spare paragraphs on the story, and the other major papers seem to have given it a pass. Maybe their security reporters have been carried off by wolves. - Keith Dawson

Microsoft security flaw threatens Web

Microsoft Web security hole found

Web at risk from new MS flaw

Microsoft Has Patch for Security Flaw
The New York Times
(Registration required.)

All versions of Microsoft Internet Information Services Remote buffer overflow

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise