This is the state of Internet security: Experts cry "wolf" again and again, the mainstream media get bored and stop covering each new vulnerability, and larger and larger wolves drift into town and start devouring villagers.
The newest security hole in Microsoft Internet software is the biggest yet, according to its discoverers and a few media outlets such as CNET and MSNBC. As many as 6 million Web servers running Microsoft IIS software need to be patched right now, before the bad guys package up an exploit for the script kiddies to trade around. The flaw affects all versions of IIS running under Windows NT, Windows 2000 and a beta version of Windows XP.
Everybody who covered the story talked to Marc Maiffret, the "chief hacking officer" at eEye Digital Security, the company that discovered the hole. Maiffret told MSNBC's Brock Meeks, "On a scale of 1 to 10, ... this one is an 11." Still, ZDNet found a Gartner analyst who thought the latest flaw wouldn't harm Microsoft's image much.
The New York Times ran a few spare paragraphs on the story, and the other major papers seem to have given it a pass. Maybe their security reporters have been carried off by wolves.
- Keith Dawson
Microsoft security flaw threatens Web
Microsoft Web security hole found
Web at risk from new MS flaw
Microsoft Has Patch for Security Flaw
The New York Times
All versions of Microsoft Internet Information Services Remote buffer overflow
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise