Microsoft IIS insecurity

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, May 3, 2005.

  1. New Scientist reports that Microsoft IIS can put up the following
    message:

    Your Web site security may need to be tightened. To tighten
    security as much as possible for your Web sites, select "Fix this
    problem"
    Note: This message will re-appear even after your security
    is tightened.

    Perhaps an apt commentary on the security that IIS offers... :)
     
    Lawrence D'Oliveiro, May 3, 2005
    #1

  2. Lawrence D'Oliveiro

    newsgroupie Guest

    IIS 6.0: 3 advisories since July 2003 http://secunia.com/product/1438/

    IIS 5.0: 4 advisories since July 2003 http://secunia.com/product/39/

    Apache 2.0.x: 17 advisories since July 2003 http://secunia.com/product/73/

    Apache 1.3.x: 10 advisories since July 2003 http://secunia.com/product/72/
     
    newsgroupie, May 4, 2005
    #2

  3. "Microsoft Internet Information Services (IIS) 6 with all vendor patches
    installed and all vendor workarounds applied, is currently affected by
    one or more Secunia advisories rated Moderately critical"
    "Microsoft Internet Information Services (IIS) 5.x with all vendor
    patches installed and all vendor workarounds applied, is currently
    affected by one or more Secunia advisories rated Not critical"
    "Apache 2.0.x with all vendor patches installed and all vendor
    workarounds applied, is currently affected by one or more Secunia
    advisories rated Less critical"
    "Apache 1.3.x with all vendor patches installed and all vendor
    workarounds applied, is currently affected by one or more Secunia
    advisories rated Less critical"

    So the only one which achieves the worst rating is a Microsoft product.
    Surprised?
     
    Lawrence D'Oliveiro, May 4, 2005
    #3
  4. Lawrence D'Oliveiro

    newsgroupie Guest

    I like the way you gloss over the fact that the latest version of Apache has
    been affected by TRIPLE the number of advisories that the latest version of
    IIS has. It might pay for you to check out http://www.zone-h.org/en/stats to
    see the latest website defacement numbers. Apache server truly is a patchy
    server.
     
    newsgroupie, May 4, 2005
    #4
  5. It's a question of quantity versus quality, isn't it? None of those
    Apache vulnerabilities has ever been on the order of, say being able to
    get root access to a machine. As has happened with IIS more than once.
    Hmm, a bit slow to access that site--they're not running IIS, by any
    chance?

    I'm not so sure about those statistics. Given the predominance of Apache
    on the Web, I think it's underrepresented in terms of numbers of
    (successful) attacks.
     
    Lawrence D'Oliveiro, May 4, 2005
    #5
  6. Lawrence D'Oliveiro

    Chris Hope Guest

    Lawrence D'Oliveiro wrote:

    [snip]
    They're running Apache on OpenVMS
    http://uptime.netcraft.com/up/graph?site=www.zone-h.org

    It does pay to check things before making comments about speed vs web
    server and operating system ;)

    You're right about it being slow. I get the front page pretty quick but
    after a minute I still haven't got anything from that stats page.
     
    Chris Hope, May 4, 2005
    #6
  7. Lawrence D'Oliveiro

    newsgroupie Guest

    http://toolbar.netcraft.com/site_report?url=http://zone-h.org says that
    Zone-H is running on "Apache/1.3.20 OpenVMS mod_perl/1.21"

    Rather than rely on your 'invented here' concepts on how to rate security
    vulnerabilities I'll stick with Secunia. Just for the record, here are the
    stats from 2003 to 2005 of the total number of advisories / how many of
    those advisories were "extremely" or "highly" critical / how many were
    remotely exploitable / how many allowed system access:

    IIS 6.0       3 advisories / 0 / 3 / 0
    IIS 5.0       7 advisories / 3 / 7 / 2
    Apache 2.0   22 advisories / 1 / 17 / 4
    Apache 1.3.x 12 advisories / 1 / 9 / 2

    The way I read the numbers above the *latest* version of Apache is a far
    shittier piece of code than the *old* version of IIS, IIS 6.0 is light years
    ahead of Apache 2.0 on every count and people running Apache 2.0 should
    seriously consider rolling back to 1.3.x
     
    newsgroupie, May 4, 2005
    #7
  8. Lawrence D'Oliveiro

    Chris Hope Guest

    While Lawrence was a bit daft in his assessment of that particular
    server just cos the script was slow, it's all very well comparing
    vulnerabilities on the *number* of advisories... how about looking at
    what the advisories were actually about. I haven't checked myself and
    maybe the Apache ones are all bad but it often tends to be the case
    that they're all pretty minor. Again I can't speak for the IIS ones as
    they may be all minor as well. However I do remember a while back MS
    counting a security advisory about Linux when you had to actually
    insert a CD with the bad code into the CD drive for it to actually
    cause the vulnerability. Seems like a pretty hard one to execute on a
    remote machine, which is what most of us are concerned about.
     
    Chris Hope, May 4, 2005
    #8
  9. Lawrence D'Oliveiro

    newsgroupie Guest

    Or maybe I should just say that Apache 2.0 has had 633% more advisories than
    IIS6.0 and 214% more than IIS5.0, that seems like a fair assessment to me
    :^)

    Anyway Lawrence, what was it you were saying about the security of IIS?
     
    newsgroupie, May 4, 2005
    #9
  10. Lawrence D'Oliveiro

    newsgroupie Guest

    While Lawrence was a bit daft in his assessment of that particular
    server just cos the script was slow, it's all very well comparing
    vulnerabilities on the *number* of advisories... how about looking at
    what the advisories were actually about. I haven't checked myself and
    maybe the Apache ones are all bad but it often tends to be the case
    that they're all pretty minor. Again I can't speak for the IIS ones as
    they may be all minor as well. However I do remember a while back MS
    counting a security advisory about Linux when you had to actually
    insert a CD with the bad code into the CD drive for it to actually
    cause the vulnerability. Seems like a pretty hard one to execute on a
    remote machine, which is what most of us are concerned about.

    --
    Chris Hope | www.electrictoolbox.com | www.linuxcdmall.co.nz

    That's exactly what I did with my numbers above. You really should go and
    check out the Secunia numbers for yourself, no matter which way you slice
    and dice them Apache comes out 2nd best. WRT your comment about the "insert
    a CD" bug, I'm relying on experts (i.e. Secunia) to do the analysis for me.
    I suspect that if you use CERT data or any of the others that the numbers
    will be very similar. If it walks like a duck and quacks like a duck it's
    probably a duck. Apache is an inferior product.
     
    newsgroupie, May 4, 2005
    #10
  11. Lawrence D'Oliveiro

    Chris Hope Guest

    Hmm actually now I've re-read your message and it *does* make Apache
    look pretty bad... I'd be interested now to go have a look and see what
    all those critical advisories are all about.
     
    Chris Hope, May 4, 2005
    #11
  12. And there's something wrong about making fun of that? :)
     
    Lawrence D'Oliveiro, May 4, 2005
    #12
  13. That's different from the previous page you quoted. The first page, as I
    recall, mentioned vulnerabilities that remained unpatched, and on those,
    IIS 6.0 came out worst. Your above comments relate to vulnerabilities
    that have already been patched.
     
    Lawrence D'Oliveiro, May 4, 2005
    #13
  14. Lawrence D'Oliveiro

    Chris Hope Guest

    You weren't making fun of that. You were making out like it must be
    using IIS cos the script was slow.
     
    Chris Hope, May 4, 2005
    #14
  15. Lawrence D'Oliveiro

    newsgroupie Guest

    Currently unpatched vulnerabilities:

    IIS6.0 1
    IIS5.0 1
    Apache 2.0 2
    Apache 1.3.x 1

    Seems like Apache 2.0 loses again
     
    newsgroupie, May 4, 2005
    #15
  16. Reference?
     
    Lawrence D'Oliveiro, May 5, 2005
    #16
  17. OK, so it turns out there's another OS/Web Server combination that's as
    bad as IIS/Windows. :)
     
    Lawrence D'Oliveiro, May 5, 2005
    #17
  18. Lawrence D'Oliveiro

    Chris Hope Guest

    Have you not heard of OpenVMS? It's one of the most stable, secure and
    scalable operating systems. There's a big difference between a bad os &
    web server, and a bad script or poorly indexed database. I could just
    as easily write scripts that tie up an Apache/Linux/MySQL machine as I
    could one that would tie up a IIS/Windows/MSSQL one.
     
    Chris Hope, May 5, 2005
    #18
  19. Lawrence D'Oliveiro

    newsgroupie Guest

    newsgroupie, May 5, 2005
    #19
  20. Lawrence D'Oliveiro

    newsgroupie Guest

    I disagree, the Secunia data quite clearly shows that Apache is inferior to
    IIS with regard to security and the zone-h stats back this up. Sorry to
    shake your little world :^)
     
    newsgroupie, May 5, 2005
    #20