Microsoft IIS 5/6 FTP 0Day released
We are aware of an new 0-day exploit that was posted on Milw0rm today.
According the exploit, it was suppose to work on both IIS 5.0 and 6.0, on the FTP module.
Also according it, it affects IIS 6.0 with stack cookie protection.
The latest on this is that HDMoore is porting it to the MetaSploit framework.
We will update this diary with more info as we get it.
source: sans.org
6. Use the Open Source certification mark to keep things pure
One of the threats we faced was the possibility that the term ‘open source’ would be "embraced and extended" by Microsoft or other large vendors, corrupting it and losing our message.
[...]
It eventually developed that the U.S. Patent and Trademark office would not issue a trademark for such a descriptive phrase [Open Source]
[...]
The sorts of serious abuse we feared have not (at least, no yet as of November 2000) actually materialized.The Cathedral & the Bazaar :: Revenge of the Hackers, Eric S. Raymond, page 178
A couple years ago, I almost skipped this part of the Revenge of the Hacker manifesto since it was evident that Microsoft would not try something that obvious. I was so wrong…
It did took them a couple of years to figure it out, but then, they push forward evenement like {Open Source} Heroes happen here where you can [...]
Order you own Hero Hack Pack and get started with Open Source. Each Hack Pack contains a trial copy of Windows Server 2008 and Visual Studio 2008, plus a chance to win a free pass to OSCON 2008!
I am well aware that free software doesn’t need to be free "as in beer", yet It kinda make me sad that people can pull that kind of scheme and still sleep at night. They are clearly piggy backing on a wave they don’t control and have nothing to do with. You can receive a trial version of a software that is closed source, which is non-free, to run a software that is closed source, also non-free to program open-source. Hey, you can’t say no to that offer!
Why don’t they start their own little revolution and try to gain leverage… because, lets be honest here, Microsoft doesn’t even own any open source application. They have the money and the technical talent to, once again, shake the whole computing world with innovation. Their loud "we support open source" is based on money they gave their own concurrent while keeping their standard closed – they really should not play on this level.
Port 25, Microsoft blogging platform for their open source community, is more of a joke than anything else. They have some freak labs, acces to some of the best programmers in the world and … their messages all look, at least, to me, like :
Microsoft is involved in open source since Apache web server run on their server. That’s without saying anything about the price/availability of IIS… And this is no joke, the last few post from port 25 are installation procedures for Apache.
Microsoft is involved in open source since they have a partnership with XEN (this is more present on their website than the port25 blog). They still push forward their own virtualisation system, but with VMWare currently stealing all the "high value target" and Xen taking everything else…. not much left for VirtualPC.
But, there is one thing that does intrigue me : Shared Source at Microsoft. Well designed, this program could have some leverage, but I guess that everything is released under a reference only licence, that a very big entree fee is required and that your soul must be sold to the devil, or something like that.
And when they really want to go open source, the underlying "help us get more money" is so evident that their isn’t even any fun reporting it. The project look cool though : Singularity.
Update: I’ve been pointed toward this image, sad that it hasn’t been kept up-to-date.
