Vulnerability Development mailing list archives

Re: CR II - winME? confirmation? (Slightly OT)
From: "Amer Karim" <amerk () telus net>
Date: Tue, 7 Aug 2001 16:55:50 -0700

Hi All,

Thanks for the responses - I was overlooking something obvious :-p

This raises another question, however: since ALL IIS5 and IIS4 servers are
vulnerable, including those being used to run ‘personal’ sites from people’s
homes, why hasn’t more emphasis been placed on telling those people to patch
their systems?  I just came across a situation today where one of my clients
asked me to have a look at his home system since it was behaving rather
strangely.  Found out he was running W2K Pro w/ IIS installed (had a site
running w/ pics of his family), and when I asked him if he’d patched it for
the original CR he just gave a blank look – followed by “I thought that was
only for servers.” …I just about put my head through the wall.  All my F/W’s
have been logging over 1000 HTTP events/day for the last few days, and I
was going batty trying to figure out why it was so much worse this time
round compared to the first CR.  Well, if even half of the people out there
running personal web sites from their home systems are under the same
misguided impression this chap was under, then what I’m probably seeing in
my logs isn’t just traffic from the new CR, but also from every home system
that was infected by the CRv1, CRv2, CRv3… and however many more there might
be.  I’ve since informed all my clients (rather forcefully, if
undiplomatically) that if they’re running IIS at home to take their systems
off-line and format and re-install (since the new CR opens a backdoor to the
system) and patch their systems before they put them back on-line.

Are the people I’m dealing with particularly obtuse, or is this the
prevailing attitude out there? And if so, then why aren’t the advisories
(all flavours) being more emphatic at targeting the average home user, whose
concept of what makes a server is rather “vague”?

Regards,
Amer Karim
Nautilis Information Systems
e-mail: amerk () telus net, mamerk () hotmail com


