April 2008 - Posts
Microsoft revised two security bulletins yesterday. One of them concerns the .NET Framework bulletin published last year; it is not a major update or a new fix, but rather a documentation update reflecting the release of Windows XP SP3.
On the other hand, at the recent Hack in the Box conference in Dubai, a new exploit against system account access tokens was released to the public. It targets the native design of the current Windows access token, so the entire OS is exposed to the vulnerability, and of course IIS is part of that. Microsoft released a new security advisory last week; take note that all Windows OSes are affected, from XP and W2k3 all the way to Vista and W2k8. The current mitigation is to stop using the default built-in application pool identity and assign a custom account identity to the worker processes.
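Below is an added example, not code from the original post, showing how an administrator could audit which application pools still run under a built-in identity and switch one of them to a custom account. It uses the IIS 6 WMI provider (namespace `root\MicrosoftIISv2`, class `IIsApplicationPoolSetting`) and the stock `adsutil.vbs` script, both of which ship with IIS 6 and are also available on W2k8 when the IIS 6 Management Compatibility components are installed; the pool name `MyAppPool` and the account `DOMAIN\svc_myapppool` are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): audit IIS 6 application pool identities.
# Assumes the IIS 6 WMI provider is present; the provider requires encrypted DCOM
# calls, hence -Authentication PacketPrivacy.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

$pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsApplicationPoolSetting' `
                       -Authentication PacketPrivacy

foreach ($pool in $pools) {
    $type = [int]$pool.AppPoolIdentityType
    if ($type -eq 3) {
        $status = 'OK      (custom account: ' + $pool.WAMUserName + ')'
    } else {
        # Built-in identities are the ones the advisory's mitigation tells you to move away from.
        $status = 'REVIEW  (built-in identity)'
    }
    '{0,-40} {1,-15} {2}' -f $pool.Name, $identityNames[$type], $status
}

# Remediation for one pool, using adsutil.vbs (placeholder pool and account names).
# AppPoolIdentityType 3 = SpecificUser; the account must be a member of the local
# IIS_WPG group so the worker process can start under it.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
$poolPath = 'W3SVC/AppPools/MyAppPool'
$password = Read-Host -Prompt 'Password for DOMAIN\svc_myapppool'   # avoid hard-coding it

cscript //nologo $adsutil SET "$poolPath/AppPoolIdentityType" 3
cscript //nologo $adsutil SET "$poolPath/WAMUserName" 'DOMAIN\svc_myapppool'
cscript //nologo $adsutil SET "$poolPath/WAMUserPass" $password
```

Run the audit part first and work through every pool flagged REVIEW; after changing a pool's identity, recycle it and re-run the audit to confirm the type now reads SpecificUser.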
948801 If an SMTP connector set the Outbound Security option to "Integrated Windows Authentication," the SMTP connector does not work in the IIS Metabase when you restore an Exchange Server 2003 server by using a Disaster Recovery mode
949455 System Center Operations Manager 2007 Reporting installation fails on a Windows Server 2008 computer if IIS 6.0 Management Compatibility is not installed
Oh well, I have been busy and had no time to post this back then. In this month's routine Patch Tuesday, Microsoft released 8 security bulletins, 5 of them rated critical, and one bulletin in particular is related to IIS in a way: bulletin 08-022 replaces the old fixes from 2006.
Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
For more information, refer to this. Take note that all existing Windows Scripting Engine versions 5.1/5.5/5.6 on W2k/XP/W2k3 are affected, while Vista/W2k8 are not affected.