OpenHack 4

In a head-to-head battle between Oracle and Microsoft's application servers, we have our first exploit. Any guesses on which app was cracked first? Anyone??? You got it... Oracle's Unbreakable app server (running on Red Hat Linux Advanced Server 2.1) was the first to crack, even with Microsoft registering almost twice as many exploit attempts. How can this be? Must be a misprint. Perhaps a properly configured and administered MS box can be a stable platform. I read somewhere that the next MS server product would ask the installer exactly what he was going to do with the box and turn everything else off. For the life of me I can't figure out why they haven't done this several release cycles ago, but the sooner they get this out, hopefully the better off the computing world en masse will be.

Comments

Re: OpenHack 4

Well, don't get me wrong, application security is one thing -- I RIPPED through BEA WebLogic's stock install in my first day of training. I would really wonder about how those boxes were set up, though. I mean, it's real easy to lock the hell out of a Linux box, and if you do a no-source install of any Java web server, and localhost bound only installs of your Database and second tier java services, there really isn't a way to exploit it barring your having done something galactically stupid. After all, you can't have a buffer overflow in an environment with no control over memory allocation :)

I do agree, it is possible to have a secure MS environment, but you generally accomplish it through external means -- a good dedicated firewall, a 3rd party IPSec implementation, etc. I would say it is a helluva lot HARDER to get that secure MS environment than a basic Linux setup.
