A buddy of mine is the CTO of a big retail chain back east. Just this morning he was telling me how his Network Admin group was pushing back on installing the new Microsoft patch that covers ten security vulnerabilities in IIS, because they heard it broke the server, they didn't have time to test it, and thought it would be months (if ever) before they even needed to worry about it. He wanted my advice.

I told him to walk down to IT, give them a swift kick in the pants, and ask them what part of "Network Administrator" they did not understand. It is the network administrator's job to administer the network. This includes testing and installing hot fixes and service packs. If your people can't do that effectively and efficiently, then get someone who can.
Do it now before you become a future statistic, because these vulnerabilities will be exploited.
The details of this "must-install" patch, along with technical discussion and FAQs, can be found on the Microsoft TechNet
Unlike Code Red, or the server vector of Nimda that primarily attacked improperly configured servers, eEye's exploit goes to the heart of many IIS applications: Active Server Pages. Everybody uses ASP. Everyone. It is the meat-and-potatoes of our data-driven applications, and is a core component of millions of IIS systems across the Internet. Install the patch.
You may think all of this a bit premature for a five-day-old security bulletin, but this has "whammy" written all over it. People are already working on names for the worm that is certain to follow (which I think should be called a snake; you know, ASP and all...), tests for "iisstart.asp" are showing up in logs, and I'm sure Gartner is already hard at work on their next ridiculous "Why you should move to iPlanet" advisory.
Yes, yes... Microsoft must do better. We need better default installations. We need easier ways to roll out fixes. We need code-level review and bug-free software. We need all of these things for a better tomorrow.
But we need to sell our products today. The buck stops in the server room.
All products have security issues, and all products will continue to have security issues. The degree to which you embrace this and plan accordingly is the degree to which you will be successful in the Digital Age. You can pass the buck all you want, but if your competitors figure out how to thrive in the face of adversity before you do, guess who your customers will be buying from while your site is down?
Don't blame Microsoft. They gave you the patch; it's your responsibility to use it.
Sadly, tales of responsibility-shirking abound these days. Recently, the City of Battle Creek, MI, suffered a crash of their Lotus Domino mail server after an Orbz spam-relay troller gave it a hissy-fit. Though the network administrator had not bothered to do her job and ensure the software was up to date (this particular bug was over seven months old), she was more than willing to call in the police to see if they could have the Orbz administrator thrown in the can -- as if he was at fault for delivering an RFC-compliant email.
And if scenarios like that are not bad enough, we now have the entertainment industry, who, in their collective incompetence, can't figure out how to protect their own products and have called upon the U.S. Senate to legally force other people into doing it for them.
Fritz Hollings has drafted a bill that proposes just that, and has the audacity to call it the "Consumer Broadband and Digital Television Promotion Act" as if the needs of the consumer actually come into play anywhere in the legislation. They don't, and Hollings has as much business authoring a technology bill as Ted Kennedy does in sitting on the Ethics Committee. It is called "selling out." Entertainment won't take responsibility for their own product, so now they are trying to buy a law where you and I will have to pay to secure it for them -- while they make all the money.
If you think you have a hard time rolling out Microsoft patches, think what will happen when your IT department also has to apply patches from each and every one of your vendors to ensure that illegal copies of "Mr. Smith Goes to Washington" can't be duplicated on your equipment.