"When I despair, I remember that all through history the way of truth and love has always won. There have been tyrants and murderers and for a time they seem invincible, but in the end, they always fall — think of it, always." Mohandas Gandhi
In a time of universal deceit - telling the truth is a revolutionary act. George Orwell

Tuesday, April 01, 2008

m$-window$ server 2008; m$-IIS 7 and m$-SQL insecure

According to these two news items I have just read (Hacker Bags Windows Server 2008 Trophy; Hacker Pours Cold Water on Windows Server 2008 Security Design), the newly arrived m$ crown jewels apparently have serious security problems.
But according to the same researcher, "", m$-window$ XP and Vi$ta suffer from the same problem.

It seems that IIS 7 in its default configuration can be completely compromised using ASP.Net applications.

Microsoft Watch - Security - Hacker Bags Windows Server 2008 Trophy
Exploit details are sketchy, but not the source: Argeniss co-founder Cesar Cerrudo.

Apparently, Cerrudo plans to share more information about the security flaws during April's Hack in the Box Security Conference. That will give Microsoft some time to research the problem before Cerrudo tells all. He plans to demonstrate zero-day exploits for elevating privileges in IIS, SQL Server and Windows Server 2008.

Hacker Pours Cold Water on Windows Server 2008 Security Design
"On Windows XP and Windows 2003 the problem is especially severe since any Windows service, even when running under a low privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all web applications deployed on Internet Information Services 6," he added.
