"After Thursday's announcement that more than 1 million credit
cards have been stolen and more than 40 e-commerce sites have been
victimized, you're probably wondering: Why haven't e-commerce
organizations learned their lessons? Why are they still being
victimized as a result of known vulnerabilities?..."
"The National Infrastructure Protection Center identified
several vulnerabilities of which the attackers were taking
advantage. Microsoft has issued patches for nearly all of them,
some as early as 1998. The various holes, if not patched, could
allow an attacker to execute shell commands on an IIS system,
access and execute commands on a SQL server, or run system commands
on a Web server...."
"If a company takes e-commerce seriously, it should dedicate a
few people to keeping track of all the patches in Microsoft's
knowledge base. Sure, Microsoft should be selling software that
will protect you. But come on, no product is perfect. And if you're
unable or unwilling to spend the money to do this, maybe it's time
to start thinking about open-source products like the Apache Web
server. Just keep in mind that you're going to have to keep up with
the patches for those products, too."