Microsoft IIS insecurity

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, May 3, 2005.

  1. New Scientist reports that Microsoft IIS can put up the following
    message:

    Your Web site security may need to be tightened. To tighten
    security as much as possible for your Web sites, select "Fix this
    problem"
    Note: This message will re-appear even after your security
    is tightened.

    Perhaps an apt commentary on the security that IIS offers... :)
     
    Lawrence D'Oliveiro, May 3, 2005
    #1

  2. Lawrence D'Oliveiro

    newsgroupie Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:...
    > New Scientist reports that Microsoft IIS can put up the following
    > message:
    >
    > Your Web site security may need to be tightened. To tighten
    > security as much as possible for your Web sites, select "Fix this
    > problem"
    > Note: This message will re-appear even after your security
    > is tightened.
    >
    > Perhaps an apt commentary on the security that IIS offers... :)


    IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/

    IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/

    Apache 2.0.x: 17 advisories since July 2003 http://secunia.com/product/73/

    Apache 1.3.x: 10 advisories since July 2003 http://secunia.com/product/72/
     
    newsgroupie, May 4, 2005
    #2

  3. In article <lDYde.3563$>,
    "newsgroupie" <> wrote:

    >"Lawrence D'Oliveiro" <_zealand> wrote in message
    >news:...
    >> New Scientist reports that Microsoft IIS can put up the following
    >> message:
    >>
    >> Your Web site security may need to be tightened. To tighten
    >> security as much as possible for your Web sites, select "Fix this
    >> problem"
    >> Note: This message will re-appear even after your security
    >> is tightened.
    >>
    >> Perhaps an apt commentary on the security that IIS offers... :)

    >
    >IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/


    "Microsoft Internet Information Services (IIS) 6 with all vendor patches
    installed and all vendor workarounds applied, is currently affected by
    one or more Secunia advisories rated Moderately critical"

    >IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/


    "Microsoft Internet Information Services (IIS) 5.x with all vendor
    patches installed and all vendor workarounds applied, is currently
    affected by one or more Secunia advisories rated Not critical"

    >Apache 2.0.x: 17 advisories since July 2003 http://secunia.com/product/73/


    "Apache 2.0.x with all vendor patches installed and all vendor
    workarounds applied, is currently affected by one or more Secunia
    advisories rated Less critical"

    >Apache 1.3.x: 10 advisories since July 2003 http://secunia.com/product/72/


    "Apache 1.3.x with all vendor patches installed and all vendor
    workarounds applied, is currently affected by one or more Secunia
    advisories rated Less critical"

    So the only one which achieves the worst rating is a Microsoft product.
    Surprised?
     
    Lawrence D'Oliveiro, May 4, 2005
    #3
  4. Lawrence D'Oliveiro

    newsgroupie Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:...
    > In article <lDYde.3563$>,
    > "newsgroupie" <> wrote:
    >
    >>"Lawrence D'Oliveiro" <_zealand> wrote in message
    >>news:...
    >>> New Scientist reports that Microsoft IIS can put up the following
    >>> message:
    >>>
    >>> Your Web site security may need to be tightened. To tighten
    >>> security as much as possible for your Web sites, select "Fix this
    >>> problem"
    >>> Note: This message will re-appear even after your security
    >>> is tightened.
    >>>
    >>> Perhaps an apt commentary on the security that IIS offers... :)

    >>
    >>IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/

    >
    > "Microsoft Internet Information Services (IIS) 6 with all vendor patches
    > installed and all vendor workarounds applied, is currently affected by
    > one or more Secunia advisories rated Moderately critical"
    >
    >>IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/

    >
    > "Microsoft Internet Information Services (IIS) 5.x with all vendor
    > patches installed and all vendor workarounds applied, is currently
    > affected by one or more Secunia advisories rated Not critical"
    >
    >>Apache 2.0.x: 17 advisories since July 2003 http://secunia.com/product/73/

    >
    > "Apache 2.0.x with all vendor patches installed and all vendor
    > workarounds applied, is currently affected by one or more Secunia
    > advisories rated Less critical"
    >
    >>Apache 1.3.x: 10 advisories since July 2003 http://secunia.com/product/72/

    >
    > "Apache 1.3.x with all vendor patches installed and all vendor
    > workarounds applied, is currently affected by one or more Secunia
    > advisories rated Less critical"
    >
    > So the only one which achieves the worst rating is a Microsoft product.
    > Surprised?


    I like the way you gloss over the fact that the latest version of Apache has
    been affected by TRIPLE the number of advisories that the latest version of
    IIS has. It might pay for you to check out http://www.zone-h.org/en/stats to
    see the latest website defacement numbers. Apache server truly is a patchy
    server.
     
    newsgroupie, May 4, 2005
    #4
  5. In article <SUZde.3584$>,
    "newsgroupie" <> wrote:

    >"Lawrence D'Oliveiro" <_zealand> wrote in message
    >news:...
    >> In article <lDYde.3563$>,
    >> "newsgroupie" <> wrote:
    >>
    >>>"Lawrence D'Oliveiro" <_zealand> wrote in message
    >>>news:...
    >>>> New Scientist reports that Microsoft IIS can put up the following
    >>>> message:
    >>>>
    >>>> Your Web site security may need to be tightened. To tighten
    >>>> security as much as possible for your Web sites, select "Fix this
    >>>> problem"
    >>>> Note: This message will re-appear even after your security
    >>>> is tightened.
    >>>>
    >>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>
    >>>IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/

    >>
    >> "Microsoft Internet Information Services (IIS) 6 with all vendor patches
    >> installed and all vendor workarounds applied, is currently affected by
    >> one or more Secunia advisories rated Moderately critical"
    >>
    >>>IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/

    >>
    >> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >> patches installed and all vendor workarounds applied, is currently
    >> affected by one or more Secunia advisories rated Not critical"
    >>
    >>>Apache 2.0.x: 17 advisories since July 2003 http://secunia.com/product/73/

    >>
    >> "Apache 2.0.x with all vendor patches installed and all vendor
    >> workarounds applied, is currently affected by one or more Secunia
    >> advisories rated Less critical"
    >>
    >>>Apache 1.3.x: 10 advisories since July 2003 http://secunia.com/product/72/

    >>
    >> "Apache 1.3.x with all vendor patches installed and all vendor
    >> workarounds applied, is currently affected by one or more Secunia
    >> advisories rated Less critical"
    >>
    >> So the only one which achieves the worst rating is a Microsoft product.
    >> Surprised?

    >
    >I like the way you gloss over the fact that the latest version of Apache has
    >been affected by TRIPLE the number of advisories that the latest version of
    >IIS has.


    It's a question of quantity versus quality, isn't it? None of those
    Apache vulnerabilities has ever been on the order of, say, being able to
    get root access to a machine, as has happened with IIS more than once.

    >It might pay for you to check out http://www.zone-h.org/en/stats to
    >see the latest website defacement numbers. Apache server truly is a patchy
    >server.


    Hmm, a bit slow to access that site--they're not running IIS, by any
    chance?

    I'm not so sure about those statistics. Given the predominance of Apache
    on the Web, I think it's underrepresented in terms of numbers of
    (successful) attacks.
     
    Lawrence D'Oliveiro, May 4, 2005
    #5
  6. Lawrence D'Oliveiro

    Chris Hope Guest

    Lawrence D'Oliveiro wrote:

    [snip]

    >>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>see the latest website defacement numbers. Apache server truly is a
    >>patchy server.

    >
    > Hmm, a bit slow to access that site--they're not running IIS, by any
    > chance?


    They're running Apache on OpenVMS
    http://uptime.netcraft.com/up/graph?site=www.zone-h.org

    It does pay to check things before making comments about speed vs web
    server and operating system ;)

    You're right about it being slow. I get the front page pretty quick but
    after a minute I still haven't got anything from that stats page.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.co.nz
     
    Chris Hope, May 4, 2005
    #6
  7. Lawrence D'Oliveiro

    newsgroupie Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:...
    > In article <SUZde.3584$>,
    > "newsgroupie" <> wrote:
    >
    >>"Lawrence D'Oliveiro" <_zealand> wrote in message
    >>news:...
    >>> In article <lDYde.3563$>,
    >>> "newsgroupie" <> wrote:
    >>>
    >>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>message
    >>>>news:...
    >>>>> New Scientist reports that Microsoft IIS can put up the following
    >>>>> message:
    >>>>>
    >>>>> Your Web site security may need to be tightened. To tighten
    >>>>> security as much as possible for your Web sites, select "Fix this
    >>>>> problem"
    >>>>> Note: This message will re-appear even after your security
    >>>>> is tightened.
    >>>>>
    >>>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>>
    >>>>IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/
    >>>
    >>> "Microsoft Internet Information Services (IIS) 6 with all vendor patches
    >>> installed and all vendor workarounds applied, is currently affected by
    >>> one or more Secunia advisories rated Moderately critical"
    >>>
    >>>>IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/
    >>>
    >>> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >>> patches installed and all vendor workarounds applied, is currently
    >>> affected by one or more Secunia advisories rated Not critical"
    >>>
    >>>>Apache 2.0.x: 17 advisories since July 2003
    >>>>http://secunia.com/product/73/
    >>>
    >>> "Apache 2.0.x with all vendor patches installed and all vendor
    >>> workarounds applied, is currently affected by one or more Secunia
    >>> advisories rated Less critical"
    >>>
    >>>>Apache 1.3.x: 10 advisories since July 2003
    >>>>http://secunia.com/product/72/
    >>>
    >>> "Apache 1.3.x with all vendor patches installed and all vendor
    >>> workarounds applied, is currently affected by one or more Secunia
    >>> advisories rated Less critical"
    >>>
    >>> So the only one which achieves the worst rating is a Microsoft product.
    >>> Surprised?

    >>
    >>I like the way you gloss over the fact that the latest version of Apache
    >>has
    >>been affected by TRIPLE the number of advisories that the latest version
    >>of
    >>IIS has.

    >
    > It's a question of quantity versus quality, isn't it? None of those
    > Apache vulnerabilities has ever been on the order of, say, being able to
    > get root access to a machine, as has happened with IIS more than once.
    >
    >>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>see the latest website defacement numbers. Apache server truly is a patchy
    >>server.

    >
    > Hmm, a bit slow to access that site--they're not running IIS, by any
    > chance?
    >
    > I'm not so sure about those statistics. Given the predominance of Apache
    > on the Web, I think it's underrepresented in terms of numbers of
    > (successful) attacks.


    http://toolbar.netcraft.com/site_report?url=http://zone-h.org says that
    Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"

    Rather than rely on your 'invented here' concepts on how to rate security
    vulnerabilities I'll stick with Secunia. Just for the record here's the
    stats from 2003 to 2005 of the total number of advisories / how many of
    those advisories were "extremely" or "highly" critical / how many were
    remotely exploitable / how many allowed system access:

    IIS 6.0       3 advisories / 0 / 3 / 0
    IIS 5.0       7 advisories / 3 / 7 / 2
    Apache 2.0   22 advisories / 1 / 17 / 4
    Apache 1.3.x 12 advisories / 1 / 9 / 2

    The way I read the numbers above, the *latest* version of Apache is a far
    shittier piece of code than the *old* version of IIS; IIS 6.0 is light years
    ahead of Apache 2.0 on every count, and people running Apache 2.0 should
    seriously consider rolling back to 1.3.x.
     
    newsgroupie, May 4, 2005
    #7
  8. Lawrence D'Oliveiro

    Chris Hope Guest

    newsgroupie wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in
    > message news:...
    >> In article <SUZde.3584$>,
    >> "newsgroupie" <> wrote:
    >>
    >>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>message news:...
    >>>> In article <lDYde.3563$>,
    >>>> "newsgroupie" <> wrote:
    >>>>
    >>>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>>message
    >>>>>news:...
    >>>>>> New Scientist reports that Microsoft IIS can put up the following
    >>>>>> message:
    >>>>>>
    >>>>>> Your Web site security may need to be tightened. To tighten
    >>>>>> security as much as possible for your Web sites, select "Fix
    >>>>>> this problem"
    >>>>>> Note: This message will re-appear even after your security
    >>>>>> is tightened.
    >>>>>>
    >>>>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>>>
    >>>>>IIS 6.0: 3 advisories since July 2003
    >>>>>http://secunia.com/product/1438/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 6 with all vendor
    >>>> patches installed and all vendor workarounds applied, is currently
    >>>> affected by one or more Secunia advisories rated Moderately
    >>>> critical"
    >>>>
    >>>>>IIS 5.0: 4 advisories since July 2003
    >>>>>http://secunia.com/product/39/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >>>> patches installed and all vendor workarounds applied, is currently
    >>>> affected by one or more Secunia advisories rated Not critical"
    >>>>
    >>>>>Apache 2.0.x: 17 advisories since July 2003
    >>>>>http://secunia.com/product/73/
    >>>>
    >>>> "Apache 2.0.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>>>Apache 1.3.x: 10 advisories since July 2003
    >>>>>http://secunia.com/product/72/
    >>>>
    >>>> "Apache 1.3.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>> So the only one which achieves the worst rating is a Microsoft
    >>>> product. Surprised?
    >>>
    >>>I like the way you gloss over the fact that the latest version of
    >>>Apache has
    >>>been affected by TRIPLE the number of advisories that the latest
    >>>version of
    >>>IIS has.

    >>
    >> It's a question of quantity versus quality, isn't it? None of those
    >> Apache vulnerabilities has ever been on the order of, say, being able
    >> to get root access to a machine, as has happened with IIS more than
    >> once.
    >>
    >>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>see the latest website defacement numbers. Apache server truly is a
    >>>patchy server.

    >>
    >> Hmm, a bit slow to access that site--they're not running IIS, by any
    >> chance?
    >>
    >> I'm not so sure about those statistics. Given the predominance of
    >> Apache on the Web, I think it's underrepresented in terms of numbers
    >> of (successful) attacks.

    >
    > http://toolbar.netcraft.com/site_report?url=http://zone-h.org says
    > that Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"
    >
    > Rather than rely on your 'invented here' concepts on how to rate
    > security vulnerabilities I'll stick with Secunia. Just for the record
    > here's the stats from 2003 to 2005 of the total number of advisories
    > / how many of those advisories were "extremely" or "highly" critical /
    > how many were remotely exploitable / how many allowed system access:
    >
    > IIS 6.0       3 advisories / 0 / 3 / 0
    > IIS 5.0       7 advisories / 3 / 7 / 2
    > Apache 2.0   22 advisories / 1 / 17 / 4
    > Apache 1.3.x 12 advisories / 1 / 9 / 2
    >
    > The way I read the numbers above, the *latest* version of Apache is a
    > far shittier piece of code than the *old* version of IIS; IIS 6.0 is
    > light years ahead of Apache 2.0 on every count, and people running
    > Apache 2.0 should seriously consider rolling back to 1.3.x.


    While Lawrence was a bit daft in his assessment of that particular
    server just cos the script was slow, it's all very well comparing
    vulnerabilities on the *number* of advisories... how about looking at
    what the advisories were actually about. I haven't checked myself and
    maybe the Apache ones are all bad but it often tends to be the case
    that they're all pretty minor. Again I can't speak for the IIS ones as
    they may be all minor as well. However I do remember a while back MS
    counting a security advisory about Linux when you had to actually
    insert a CD with the bad code into the CD drive for it to actually
    cause the vulnerability. Seems like a pretty hard one to execute on a
    remote machine, which is what most of us are concerned about.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.co.nz
     
    Chris Hope, May 4, 2005
    #8
  9. Lawrence D'Oliveiro

    newsgroupie Guest

    "newsgroupie" <> wrote in message
    news:TQ_de.3610$...
    > "Lawrence D'Oliveiro" <_zealand> wrote in message
    > news:...
    >> In article <SUZde.3584$>,
    >> "newsgroupie" <> wrote:
    >>
    >>>"Lawrence D'Oliveiro" <_zealand> wrote in message
    >>>news:...
    >>>> In article <lDYde.3563$>,
    >>>> "newsgroupie" <> wrote:
    >>>>
    >>>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>>message
    >>>>>news:...
    >>>>>> New Scientist reports that Microsoft IIS can put up the following
    >>>>>> message:
    >>>>>>
    >>>>>> Your Web site security may need to be tightened. To tighten
    >>>>>> security as much as possible for your Web sites, select "Fix this
    >>>>>> problem"
    >>>>>> Note: This message will re-appear even after your security
    >>>>>> is tightened.
    >>>>>>
    >>>>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>>>
    >>>>>IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 6 with all vendor
    >>>> patches
    >>>> installed and all vendor workarounds applied, is currently affected by
    >>>> one or more Secunia advisories rated Moderately critical"
    >>>>
    >>>>>IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >>>> patches installed and all vendor workarounds applied, is currently
    >>>> affected by one or more Secunia advisories rated Not critical"
    >>>>
    >>>>>Apache 2.0.x: 17 advisories since July 2003
    >>>>>http://secunia.com/product/73/
    >>>>
    >>>> "Apache 2.0.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>>>Apache 1.3.x: 10 advisories since July 2003
    >>>>>http://secunia.com/product/72/
    >>>>
    >>>> "Apache 1.3.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>> So the only one which achieves the worst rating is a Microsoft product.
    >>>> Surprised?
    >>>
    >>>I like the way you gloss over the fact that the latest version of Apache
    >>>has
    >>>been affected by TRIPLE the number of advisories that the latest version
    >>>of
    >>>IIS has.

    >>
    >> It's a question of quantity versus quality, isn't it? None of those
    >> Apache vulnerabilities has ever been on the order of, say, being able to
    >> get root access to a machine, as has happened with IIS more than once.
    >>
    >>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>see the latest website defacement numbers. Apache server truly is a
    >>>patchy
    >>>server.

    >>
    >> Hmm, a bit slow to access that site--they're not running IIS, by any
    >> chance?
    >>
    >> I'm not so sure about those statistics. Given the predominance of Apache
    >> on the Web, I think it's underrepresented in terms of numbers of
    >> (successful) attacks.

    >
    > http://toolbar.netcraft.com/site_report?url=http://zone-h.org says that
    > Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"
    >
    > Rather than rely on your 'invented here' concepts on how to rate security
    > vulnerabilities I'll stick with Secunia. Just for the record here's the
    > stats from 2003 to 2005 of the total number of advisories / how many of
    > those advisories were "extremely" or "highly" critical / how many were
    > remotely exploitable / how many allowed system access:
    >
    > IIS 6.0       3 advisories / 0 / 3 / 0
    > IIS 5.0       7 advisories / 3 / 7 / 2
    > Apache 2.0   22 advisories / 1 / 17 / 4
    > Apache 1.3.x 12 advisories / 1 / 9 / 2
    >
    > The way I read the numbers above, the *latest* version of Apache is a far
    > shittier piece of code than the *old* version of IIS; IIS 6.0 is light
    > years ahead of Apache 2.0 on every count, and people running Apache 2.0
    > should seriously consider rolling back to 1.3.x.
    >


    Or maybe I should just say that Apache 2.0 has had 633% more advisories than
    IIS 6.0 and 214% more than IIS 5.0. That seems like a fair assessment to me
    :^)

    Anyway Lawrence, what was it you were saying about the security of IIS?
     
    newsgroupie, May 4, 2005
    #9
  10. Lawrence D'Oliveiro

    newsgroupie Guest

    "Chris Hope" <> wrote in message
    news:d59tus$6np$...
    newsgroupie wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in
    > message news:...
    >> In article <SUZde.3584$>,
    >> "newsgroupie" <> wrote:
    >>
    >>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>message news:...
    >>>> In article <lDYde.3563$>,
    >>>> "newsgroupie" <> wrote:
    >>>>
    >>>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>>message
    >>>>>news:...
    >>>>>> New Scientist reports that Microsoft IIS can put up the following
    >>>>>> message:
    >>>>>>
    >>>>>> Your Web site security may need to be tightened. To tighten
    >>>>>> security as much as possible for your Web sites, select "Fix
    >>>>>> this problem"
    >>>>>> Note: This message will re-appear even after your security
    >>>>>> is tightened.
    >>>>>>
    >>>>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>>>
    >>>>>IIS 6.0: 3 advisories since July 2003
    >>>>>http://secunia.com/product/1438/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 6 with all vendor
    >>>> patches installed and all vendor workarounds applied, is currently
    >>>> affected by one or more Secunia advisories rated Moderately
    >>>> critical"
    >>>>
    >>>>>IIS 5.0: 4 advisories since July 2003
    >>>>>http://secunia.com/product/39/
    >>>>
    >>>> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >>>> patches installed and all vendor workarounds applied, is currently
    >>>> affected by one or more Secunia advisories rated Not critical"
    >>>>
    >>>>>Apache 2.0.x: 17 advisories since July 2003
    >>>>>http://secunia.com/product/73/
    >>>>
    >>>> "Apache 2.0.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>>>Apache 1.3.x: 10 advisories since July 2003
    >>>>>http://secunia.com/product/72/
    >>>>
    >>>> "Apache 1.3.x with all vendor patches installed and all vendor
    >>>> workarounds applied, is currently affected by one or more Secunia
    >>>> advisories rated Less critical"
    >>>>
    >>>> So the only one which achieves the worst rating is a Microsoft
    >>>> product. Surprised?
    >>>
    >>>I like the way you gloss over the fact that the latest version of
    >>>Apache has
    >>>been affected by TRIPLE the number of advisories that the latest
    >>>version of
    >>>IIS has.

    >>
    >> It's a question of quantity versus quality, isn't it? None of those
    >> Apache vulnerabilities has ever been on the order of, say, being able
    >> to get root access to a machine, as has happened with IIS more than
    >> once.
    >>
    >>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>see the latest website defacement numbers. Apache server truly is a
    >>>patchy server.

    >>
    >> Hmm, a bit slow to access that site--they're not running IIS, by any
    >> chance?
    >>
    >> I'm not so sure about those statistics. Given the predominance of
    >> Apache on the Web, I think it's underrepresented in terms of numbers
    >> of (successful) attacks.

    >
    > http://toolbar.netcraft.com/site_report?url=http://zone-h.org says
    > that Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"
    >
    > Rather than rely on your 'invented here' concepts on how to rate
    > security vulnerabilities I'll stick with Secunia. Just for the record
    > here's the stats from 2003 to 2005 of the total number of advisories
    > / how many of those advisories were "extremely" or "highly" critical /
    > how many were remotely exploitable / how many allowed system access:
    >
    > IIS 6.0       3 advisories / 0 / 3 / 0
    > IIS 5.0       7 advisories / 3 / 7 / 2
    > Apache 2.0   22 advisories / 1 / 17 / 4
    > Apache 1.3.x 12 advisories / 1 / 9 / 2
    >
    > The way I read the numbers above, the *latest* version of Apache is a
    > far shittier piece of code than the *old* version of IIS; IIS 6.0 is
    > light years ahead of Apache 2.0 on every count, and people running
    > Apache 2.0 should seriously consider rolling back to 1.3.x.


    While Lawrence was a bit daft in his assessment of that particular
    server just cos the script was slow, it's all very well comparing
    vulnerabilities on the *number* of advisories... how about looking at
    what the advisories were actually about. I haven't checked myself and
    maybe the Apache ones are all bad but it often tends to be the case
    that they're all pretty minor. Again I can't speak for the IIS ones as
    they may be all minor as well. However I do remember a while back MS
    counting a security advisory about Linux when you had to actually
    insert a CD with the bad code into the CD drive for it to actually
    cause the vulnerability. Seems like a pretty hard one to execute on a
    remote machine, which is what most of us are concerned about.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.co.nz

    That's exactly what I did with my numbers above. You really should go and
    check out the Secunia numbers for yourself; no matter which way you slice
    and dice them, Apache comes out 2nd best. WRT your comment about the "insert
    a CD" bug, I'm relying on experts (i.e. Secunia) to do the analysis for me.
    I suspect that if you use CERT data or any of the others the numbers
    will be very similar. If it walks like a duck and quacks like a duck, it's
    probably a duck. Apache is an inferior product.
     
    newsgroupie, May 4, 2005
    #10
  11. Lawrence D'Oliveiro

    Chris Hope Guest

    Chris Hope wrote:

    > newsgroupie wrote:
    >
    >> "Lawrence D'Oliveiro" <_zealand> wrote in
    >> message news:...
    >>> In article <SUZde.3584$>,
    >>> "newsgroupie" <> wrote:
    >>>
    >>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>message news:...
    >>>>> In article <lDYde.3563$>,
    >>>>> "newsgroupie" <> wrote:
    >>>>>
    >>>>>>"Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>>>message
    >>>>>>news:...
    >>>>>>> New Scientist reports that Microsoft IIS can put up the
    >>>>>>> following message:
    >>>>>>>
    >>>>>>> Your Web site security may need to be tightened. To tighten
    >>>>>>> security as much as possible for your Web sites, select "Fix
    >>>>>>> this problem"
    >>>>>>> Note: This message will re-appear even after your security
    >>>>>>> is tightened.
    >>>>>>>
    >>>>>>> Perhaps an apt commentary on the security that IIS offers... :)
    >>>>>>
    >>>>>>IIS 6.0: 3 advisories since July 2003
    >>>>>>http://secunia.com/product/1438/
    >>>>>
    >>>>> "Microsoft Internet Information Services (IIS) 6 with all vendor
    >>>>> patches installed and all vendor workarounds applied, is currently
    >>>>> affected by one or more Secunia advisories rated Moderately
    >>>>> critical"
    >>>>>
    >>>>>>IIS 5.0: 4 advisories since July 2003
    >>>>>>http://secunia.com/product/39/
    >>>>>
    >>>>> "Microsoft Internet Information Services (IIS) 5.x with all vendor
    >>>>> patches installed and all vendor workarounds applied, is currently
    >>>>> affected by one or more Secunia advisories rated Not critical"
    >>>>>
    >>>>>>Apache 2.0.x: 17 advisories since July 2003
    >>>>>>http://secunia.com/product/73/
    >>>>>
    >>>>> "Apache 2.0.x with all vendor patches installed and all vendor
    >>>>> workarounds applied, is currently affected by one or more Secunia
    >>>>> advisories rated Less critical"
    >>>>>
    >>>>>>Apache 1.3.x: 10 advisories since July 2003
    >>>>>>http://secunia.com/product/72/
    >>>>>
    >>>>> "Apache 1.3.x with all vendor patches installed and all vendor
    >>>>> workarounds applied, is currently affected by one or more Secunia
    >>>>> advisories rated Less critical"
    >>>>>
    >>>>> So the only one which achieves the worst rating is a Microsoft
    >>>>> product. Surprised?
    >>>>
    >>>>I like the way you gloss over the fact that the latest version of
    >>>>Apache has
    >>>>been affected by TRIPLE the number of advisories that the latest
    >>>>version of
    >>>>IIS has.
    >>>
    >>> It's a question of quantity versus quality, isn't it? None of those
    >>> Apache vulnerabilities has ever been on the order of, say, being able
    >>> to get root access to a machine, as has happened with IIS more than
    >>> once.
    >>>
    >>>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>>see the latest website defacement numbers. Apache server truly is a
    >>>>patchy server.
    >>>
    >>> Hmm, a bit slow to access that site--they're not running IIS, by any
    >>> chance?
    >>>
    >>> I'm not so sure about those statistics. Given the predominance of
    >>> Apache on the Web, I think it's underrepresented in terms of numbers
    >>> of (successful) attacks.

    >>
    >> http://toolbar.netcraft.com/site_report?url=http://zone-h.org says
    >> that Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"
    >>
    >> Rather than rely on your 'invented here' concepts on how to rate
    >> security vulnerabilities I'll stick with Secunia. Just for the record
    >> here are the stats from 2003 to 2005 of the total number of advisories
    >> / how many of those advisories were "extremely" or "highly" critical
    >> / how many were remotely exploitable / how many allowed system
    >> access:
    >>
    >> IIS 6.0       3 advisories / 0 / 3 / 0
    >> IIS 5.0       7 advisories / 3 / 7 / 2
    >> Apache 2.0   22 advisories / 1 / 17 / 4
    >> Apache 1.3.x 12 advisories / 1 / 9 / 2
    >>
    >> The way I read the numbers above the *latest* version of Apache is a
    >> far shittier piece of code than the *old* version of IIS, IIS 6.0 is
    >> light years ahead of Apache 2.0 on every count and people running
    >> Apache 2.0 should seriously consider rolling back to 1.3.x

    >
    > While Lawrence was a bit daft in his assessment of that particular
    > server just cos the script was slow, it's all very well comparing
    > vulnerabilities on the *number* of advisories... how about looking at
    > what the advisories were actually about. I haven't checked myself and
    > maybe the Apache ones are all bad but it often tends to be the case
    > that they're all pretty minor. Again I can't speak for the IIS ones as
    > they may be all minor as well. However I do remember a while back MS
    > counting a security advisory about Linux when you had to actually
    > insert a CD with the bad code into the CD drive for it to actually
    > cause the vulnerability. Seems like a pretty hard one to execute on a
    > remote machine, which is what most of us are concerned about.


    Hmm, actually, now that I've re-read your message, it *does* make Apache
    look pretty bad... I'd be interested now to go and have a look at what
    all those critical advisories are about.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com
     
    Chris Hope, May 4, 2005
    #11
  12. In article <d59rp5$2it$>,
    Chris Hope <> wrote:

    >Lawrence D¹Oliveiro wrote:
    >
    >[snip]
    >
    >>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>see the latest website defacement numbers. Apache server truly is a
    >>>patchy server.

    >>
    >> Hmm, a bit slow to access that site--they're not running IIS, by any
    >> chance?

    >
    >They're running Apache on OpenVMS


    And there's something wrong about making fun of that? :)
     
    Lawrence D¹Oliveiro, May 4, 2005
    #12
  13. In article <TQ_de.3610$>,
    "newsgroupie" <> wrote:

    >Rather than rely on your 'invented here' concepts on how to rate security
    >vulnerabilities I'll stick with Secunia. Just for the record here are the
    >stats from 2003 to 2005 of the total number of advisories / how many of
    >those advisories were "extremely" or "highly" critical / how many were
    >remotely exploitable / how many allowed system access:


    That's different from the previous page you quoted. The first page, as I
    recall, mentioned vulnerabilities that remained unpatched, and on those,
    IIS 6.0 came out worst. Your above comments relate to vulnerabilities
    that have already been patched.
     
    Lawrence D¹Oliveiro, May 4, 2005
    #13
  14. Lawrence D¹Oliveiro

    Chris Hope Guest

    Lawrence D¹Oliveiro wrote:

    > In article <d59rp5$2it$>,
    > Chris Hope <> wrote:
    >
    >>Lawrence D¹Oliveiro wrote:
    >>
    >>[snip]
    >>
    >>>>It might pay for you to check out http://www.zone-h.org/en/stats to
    >>>>see the latest website defacement numbers. Apache server truly is a
    >>>>patchy server.
    >>>
    >>> Hmm, a bit slow to access that site--they're not running IIS, by any
    >>> chance?

    >>
    >>They're running Apache on OpenVMS

    >
    > And there's something wrong about making fun of that? :)


    You weren't making fun of that. You were making out like it must be
    using IIS cos the script was slow.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com
     
    Chris Hope, May 4, 2005
    #14
  15. Lawrence D¹Oliveiro

    newsgroupie Guest

    "Lawrence D¹Oliveiro" <_zealand> wrote in message
    news:...
    > In article <TQ_de.3610$>,
    > "newsgroupie" <> wrote:
    >
    >>Rather than rely on your 'invented here' concepts on how to rate security
    >>vulnerabilities I'll stick with Secunia. Just for the record here are the
    >>stats from 2003 to 2005 of the total number of advisories / how many of
    >>those advisories were "extremely" or "highly" critical / how many were
    >>remotely exploitable / how many allowed system access:

    >
    > That's different from the previous page you quoted. The first page, as I
    > recall, mentioned vulnerabilities that remained unpatched, and on those,
    > IIS 6.0 came out worst. Your above comments relate to vulnerabilities
    > that have already been patched.


    Currently unpatched vulnerabilities:

    IIS6.0 1
    IIS5.0 1
    Apache 2.0 2
    Apache 1.3.x 1

    Seems like Apache 2.0 loses again
     
    newsgroupie, May 4, 2005
    #15
  16. In article <qH%de.3634$>,
    "newsgroupie" <> wrote:

    >"Lawrence D¹Oliveiro" <_zealand> wrote in message
    >news:...
    >> In article <TQ_de.3610$>,
    >> "newsgroupie" <> wrote:
    >>
    >>>Rather than rely on your 'invented here' concepts on how to rate security
    >>>vulnerabilities I'll stick with Secunia. Just for the record here are the
    >>>stats from 2003 to 2005 of the total number of advisories / how many of
    >>>those advisories were "extremely" or "highly" critical / how many were
    >>>remotely exploitable / how many allowed system access:

    >>
    >> That's different from the previous page you quoted. The first page, as I
    >> recall, mentioned vulnerabilities that remained unpatched, and on those,
    >> IIS 6.0 came out worst. Your above comments relate to vulnerabilities
    >> that have already been patched.

    >
    >Currently unpatched vulnerabilities:
    >
    >IIS6.0 1
    >IIS5.0 1
    >Apache 2.0 2
    >Apache 1.3.x 1
    >
    >Seems like Apache 2.0 loses again


    Reference?
     
    Lawrence D¹Oliveiro, May 5, 2005
    #16
  17. In article <d5a0m2$cc9$>,
    Chris Hope <> wrote:

    >Lawrence D¹Oliveiro wrote:
    >
    >> In article <d59rp5$2it$>,
    >> Chris Hope <> wrote:
    >>
    >>>Lawrence D¹Oliveiro wrote:
    >>>>
    >>>> Hmm, a bit slow to access that site--they're not running IIS, by any
    >>>> chance?
    >>>
    >>>They're running Apache on OpenVMS

    >>
    >> And there's something wrong about making fun of that? :)

    >
    >You weren't making fun of that. You were making out like it must be
    >using IIS cos the script was slow.


    OK, so it turns out there's another OS/Web Server combination that's as
    bad as IIS/Windows. :)
     
    Lawrence D¹Oliveiro, May 5, 2005
    #17
  18. Lawrence D¹Oliveiro

    Chris Hope Guest

    Lawrence D¹Oliveiro wrote:

    > In article <d5a0m2$cc9$>,
    > Chris Hope <> wrote:
    >
    >>Lawrence D¹Oliveiro wrote:
    >>
    >>> In article <d59rp5$2it$>,
    >>> Chris Hope <> wrote:
    >>>
    >>>>Lawrence D¹Oliveiro wrote:
    >>>>>
    >>>>> Hmm, a bit slow to access that site--they're not running IIS, by
    >>>>> any chance?
    >>>>
    >>>>They're running Apache on OpenVMS
    >>>
    >>> And there's something wrong about making fun of that? :)

    >>
    >>You weren't making fun of that. You were making out like it must be
    >>using IIS cos the script was slow.

    >
    > OK, so it turns out there's another OS/Web Server combination that's
    > as bad as IIS/Windows. :)


    Have you not heard of OpenVMS? It's one of the most stable, secure and
    scalable operating systems. There's a big difference between a bad OS and
    web server, and a bad script or poorly indexed database. I could just
    as easily write scripts that tie up an Apache/Linux/MySQL machine as I
    could ones that would tie up an IIS/Windows/MSSQL one.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.co.nz
     
    Chris Hope, May 5, 2005
    #18
  19. Lawrence D¹Oliveiro

    newsgroupie Guest

    "Lawrence D¹Oliveiro" <_zealand> wrote in message
    news:...
    > In article <qH%de.3634$>,
    > "newsgroupie" <> wrote:
    >
    >>"Lawrence D¹Oliveiro" <_zealand> wrote in message
    >>news:...
    >>> In article <TQ_de.3610$>,
    >>> "newsgroupie" <> wrote:
    >>>
    >>>>Rather than rely on your 'invented here' concepts on how to rate security
    >>>>vulnerabilities I'll stick with Secunia. Just for the record here are the
    >>>>stats from 2003 to 2005 of the total number of advisories / how many of
    >>>>those advisories were "extremely" or "highly" critical / how many were
    >>>>remotely exploitable / how many allowed system access:
    >>>
    >>> That's different from the previous page you quoted. The first page, as I
    >>> recall, mentioned vulnerabilities that remained unpatched, and on those,
    >>> IIS 6.0 came out worst. Your above comments relate to vulnerabilities
    >>> that have already been patched.

    >>
    >>Currently unpatched vulnerabilities:
    >>
    >>IIS6.0 1
    >>IIS5.0 1
    >>Apache 2.0 2
    >>Apache 1.3.x 1
    >>
    >>Seems like Apache 2.0 loses again

    >
    > Reference?


    The first pie chart on each of the following pages:

    IIS 6.0 http://secunia.com/product/1438/

    IIS 5.0 http://secunia.com/product/39/

    Apache 2.0.x http://secunia.com/product/73/

    Apache 1.3.x http://secunia.com/product/72/
     
    newsgroupie, May 5, 2005
    #19
  20. Lawrence D¹Oliveiro

    newsgroupie Guest

    "Lawrence D¹Oliveiro" <_zealand> wrote in message
    news:...
    > In article <d5a0m2$cc9$>,
    > Chris Hope <> wrote:
    >
    >>Lawrence D¹Oliveiro wrote:
    >>
    >>> In article <d59rp5$2it$>,
    >>> Chris Hope <> wrote:
    >>>
    >>>>Lawrence D¹Oliveiro wrote:
    >>>>>
    >>>>> Hmm, a bit slow to access that site--they're not running IIS, by any
    >>>>> chance?
    >>>>
    >>>>They're running Apache on OpenVMS
    >>>
    >>> And there's something wrong about making fun of that? :)

    >>
    >>You weren't making fun of that. You were making out like it must be
    >>using IIS cos the script was slow.

    >
    > OK, so it turns out there's another OS/Web Server combination that's as
    > bad as IIS/Windows. :)


    I disagree; the Secunia data quite clearly shows that Apache is inferior to
    IIS with regard to security, and the zone-h stats back this up. Sorry to
    shake your little world :^)
     
    newsgroupie, May 5, 2005
    #20
