[cobalt-security] Re: Frontpage and ChiliSoft Vulns [WAS: Code Red Special Effects]

["Michael J. Cannon" <mcannon@xxxxxxxxxxxxxx>]

Kevin:

The FrontPage on *nix threads are springing up in both the hacker IRC
chatrooms and the vuln theorist maillists.

They are theoretical, not yet real and focus on the fact the ISAPI filters
that are FrontPage and ASP/DCOM+ and, soon, .NET and C# CLI, in IIS and,
therefore, any OS that uses them are subject to the doctrine of 'inherent
insecurity.'

Of course, the argument can also be made that the insecurities, by the same
doctrine, are actually at the .asm level (in the machine architecture) or as
a result of such things as templates and the ability to cast 'badly formed'
pointer structures and map memory badly on the physical/machine or
lower-level architectures.  However, if that's the case, why haven't we seen
the same level of exposure in Apache and other servers in Linux (other than
those 'extended' by ChiliSoft and others into the ASP and ISAPI universes.)?

Bottom line, FrontPage in particular and ISAPI and ASP in general are a dumb
idea, have been proven a dumb and insecure idea, and smart prople will do
well to advise their clients and businesses to steer clear of them.

Now a prediction:  with what's about to happen to the Microsoft
implementations of RCL, RMI and, especially, RPC, we'll be saying the same
thing about SOAP and .NET as we are currently saying about FrontPage...only
instead of  USD$2-billion a 12-day attack and media hysteria period, we''l
be talking USD$20 and USD$40 billion in the same periods this time next
year.

Opinion only, and I'm crawling into my asbestos underwear now.

Mike