Patch Counting: Horseshoes and Hand Grenades

By Eric Schultze
Like the old saying goes, “Close only counts in horseshoes and hand grenades.” I’ve developed a corollary this week, “The ‘number of flaws’ only matters to vulnerability assessment scanners and journalists.”
I’ve read many news stories this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June ’09 Patch Tuesday release. For the record, I’m saying that none of this is relevant.

Even for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It’s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, Steve Friedl of Unixwiz.net has taken the time to make some sense of it all.

A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.

A new remotely exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.
