At 10:36 PM 7/4/99 +1000, Darren Reed wrote: >I would hazard a guess that the number of custom IDS systems in place is >a small number, so if you compare the number of hackers who would gain >information on how to exploit this feature and otherwise wouldn't (i.e. >script kiddies) and weigh that against those that run custom IDS solutions, >I think the scales will tip in favour of the script kiddies. I say that According to this logic, eEye shouldn't have publish their IIS4 advisory at all. Many script kiddies got the information (and tools) on how to exploit the vulnerability. >because if you have your own IDS system, chances are you've built it on >a Unix system and hence run Unix elsewhere through your firewall, etc, >and wouldn't need to worry about this threat because you don't have IIS4.0 >on any critical systems. Does that make some sense ? No. Just to clarify something (the main reason why I actually replied): I live/work in Asia - which is the main reason why I'm not happy with the Microsoft approach. US/Europe/Australia are not worried about this issue. But Asia is. And I need to deal with customers who also have IIS4. Reason enough to be worried. Looking at the 'business side', if I need to make a 'blind' intrusion test (no information supplied by the customer at all), how can I state that IIS4 is vulnerable or not? I can't - but the "security vendor" can. Not really fair ;) Regards, Vanja
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:28 PDT