Security Holes That Run Deep
Mark Burnett, 2004-12-20

How a seemingly simple Microsoft bug betrayed its author's disdain for a wide range of secure coding principles.

Security Holes That Run Deep 2004-12-20
Anonymous (2 replies)
Security Holes That Run Deep 2004-12-22
michaels (1 replies)
Yes, IIS _doesn't_ bypass NTFS permissions - of course, it can't even do it (w/o great difficulty) - it just opens the file with ASPNET access.

The note about "MS Provide a list ... etc" - this won't help at all.

Currently they are already made publicly aware of when a mistake occurs, and surely you can't be suggesting that MS *MEANT* to process code this way - they didn't, it was a bug - that's all.

No new guidelines or "Best Practices" can solve the issue of a programmer buggering up :)

If the _DESIGN_ was faulty (which I don't believe it was) then you have a point.

Security Holes That Run Deep 2004-12-23
Anonymous
Security Holes That Run Deep 2004-12-26
Anonymous
Nothing new from MS here... 2004-12-21
Anonymous
Security Holes That Run Deep 2004-12-21
bazzargh
Failing Open vs. Closed 2004-12-22
Andy S.
Security Holes That Run Deep 2004-12-23
Anonymous
Security Holes That Run Deep 2004-12-29
Anonymous-Philippines (1 replies)
Re: Security Holes That Run Deep 2009-06-10
Anonymous - US







 

Copyright 2009, SecurityFocus