Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Why would you think that?
IIS 6 has had only 3 vulnerabilities found since its release in 2003: Look here.
Apache 2.0.x has had 31 vulnerabilities in the same time period: Here.
What were you saying again? -
SQL injection?
An article about a Wordpress vulnerability from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here. Mostly DOS and cross-site scripting... plus some "unspecified"...
-
Re:Tried Google? You Must Be a N00b
Apparently what you were looking at was an attempt by someone to discredit IIS 6.
Full Disclosure: IIS 6 Remote Buffer Overflow Exploit ????
Anyone can send an email into FULL DISCLOSURE, it doesn't mean there is any merit to his claim.
Do you see any published remotely executable exploits on secunia?
( http://secunia.com/product/1438/?task=advisories )
I see 3. One has a remotely executable vulnerability. BUT you have to turn on ASP to exploit the vulnerability.
Most organizations that are running IIS 6 are .NET so I highly doubt they will be turning on ASP.
Don't worry, kid... it's OK to be a N00b... Just don't talk shit when you don't know shit! -
Re:start here OR here!
-
Re:Tried Google?
I don't consider a DOS an exploit. Like the article, we're talking about being able to access the system. As it still stands per the article definition, there are no remote exploits for IIS6.0. Does this look like a DoS to you? Can the same be said about apache? This is not about httpd versus IIS 6. The statement was that there were no remote exploits for IIS 6 and it appears that there is evidence to the contrary.
-
Re:Tried Google?
There aren't any remote exploits for IIS6 which is a 4 year old product. Do you mean like these?
-
Re:IIS 6
> IIS 6 hasn't had a public remotely exploitable bug in it. Ever.
"Microsoft Internet Information Services ASP Code Buffer Overflow"
http://secunia.com/advisories/21006/
Software:
- Microsoft Internet Information Services (IIS) 5.x
- Microsoft Internet Information Services (IIS) 6
Impact:
- System access
- Security Bypass
Where:
- From remote
"hasn't had a public remotely exploitable bug"? Ever? Yes, of course - ever ;) -
Re:IIS 6
now now no need to get nasty about IIS6 just because it's a microsoft product!
IIS6 is very good and new IIS7 is even better, also to note on all the 11 Suse dedicated servers I run I switched from Apache 2 to a lighter, less resource hogging alternative
Btw IIS6 has less unpatched vulnerabilities than apache
so there -
start here!
-
Re:And yet
Just to correct you on IIS. According to secunia there have been 3 vulnerabilities for IIS 6 in its life time http://secunia.com/product/1438/ is the same as Apache 2.2 http://secunia.com/product/9633/
-
Re:And yet
IIS5, unpatched perhaps. IIS6 however has a decent security record; at least according to Secunia with a grand total of 3 vulnerabilities, one of which was in ASP, which is disabled by default, one in WebDAV, disabled by default and a low criticality problem with cookie handling. All are patched. Apache 2.0 has 33, 3 of which are unpatched and 2.2 has 1 out of 3 unpatched.
-
Re:Fixed it for ya!
Who says apache isn't the most hacked webserver? I highly doubt IIS is ever hacked, IIS6 which has been out for 4 years only has 3 exploits come out of which 2 were from components that aren't even installed by default and the exploit that is actually in IIS has a rating of "not critical". Apache on the other hand has 10% of its known security holes unpatched. It also has 10 fold more holes than IIS. I'd take an educated guess and say apache is hacked way more than IIS so your example fails.
So looking at the IIS page (and I will admit I'm not going to spend more than 5 minutes on this), there were only moderate and low risk problems. This completely disagrees with their own short description of:
IIS security holes
Apache Security Holes
Brett Moore has reported a vulnerability in Microsoft Internet Information Services, which can be exploited by malicious users to compromise a vulnerable system.
and
Amit Klein has reported a vulnerability in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service).
A compromised system is only moderately at risk? I call bullshit on these stats just from that (and they do the same for Apache).
Oh, and "Results 1 - 10 of about 1,220,000 for iis hacked server. (0.08 seconds) ", OK I didn't find just IIS6 but are all those 1.2 million pages more than 4 years old? -
Re:Fixed it for ya!
And, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.
Apache: http://secunia.com/search/?search=Apache
IIS 6: http://secunia.com/product/1438/
The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded than any other browser out there. You are coming to this conclusion based on assumptions, not based on facts. -
This idea is stupid (tld goldrush?)
This idea is even stupider than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness.
I'd expect to see a rush of tld registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn)
Even if you could train people to look at the URL properly, there's always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability. -
Re:PHP is junk
Here's a link to Secunia's Tomcat 5 advisories, one of which is a remote code buffer overflow exploit.
http://secunia.com/product/3571/?task=advisories
So yes, while PHP's advisories are about 10 orders of magnitude more numerous than Tomcat's, it still "bug that would let a remote user execute code or change configuration settings or read files or doing a double-free or any of that kind of thing".
And trust me, it's just as easy to create fragile code in Java that can open your server like goatse as it is in any language, but it does seem to me that PHP puts most of the yoke of security squarely on the coder's shoulders. Unfortunately, I've also seen the code produced from those programmers, and the yoke was way too heavy for them to bear. -
Re:I see what he did there
There have been vulnerabilities in SELinux, see:
http://secunia.com/product/5997/?task=advisories
Plus you are talking about very limited pieces of software, not an entire operating system and *all* the software that it includes. Look at OpenBSD, they've made security a major focus and have done extensive code auditing and still vulnerabilities slip through the cracks occasionally. The problem is that you are talking about huge, complex pieces of software and are trying to institute a zero tolerance for bugs. It's just not a reality. -
Vista isn't a mature OS
OS X has been in production use for six years. Six years of real-world threats and thorough examinations by security experts.
Compare with XP, which is about the same age. (Secunia does not break down the point releases of OS X.) -
Just the facts
By constantly you mean, every 3 months or so. Some of the holes had been open for over 3 months with a rating of highly critical on secunia. Secunia still lists 6 unpatched holes for OSX, highest being moderately critical. Quick comparison to vista which has two unpatched holes which have a rating of not critical.
-
Re:Great news for open formats
-
Detected on Linux SMB Server...
Interestingly, clamav's weekly scan of my home Linux server caught Exploit.Win32.MS05-002.Gen in a few mp3 files and a tar.gz file. They weren't important files so I just deleted them. I have several Windows XP Professional machines that access it (the mp3s dir is used as the library root for windows media players).
BitDefender's description of their detection of this virus: This generic detection targets
.ANI files that contain malicious code addressing Integer overflow in the LoadImage API Vulnerability -
Re:Why would my cursor run as root?
Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features.
Let's see.
Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?
MS took an enormous step in security with their release of IE 7
If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.
This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.
It already hasn't been. The guys who found the exploit say that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclose the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.
In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.
It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.
Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?
Until a patch is released, turn off active cursors.
HOW? Because, you know, your very own security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!
Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.
Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.
Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep
-
IIS
Someone else mentioned IIS and I thought it was worth mentioning, apropos of parent's remarks, that it's been years since the last really serious IIS vulnerability. In the last two years or so it actually has a better security record than Apache, especially Apache with PHP installed (Apache of course has a really good security record too, but IIS has been stellar).
Look at Secunia's page on IIS 6.0, which is 3 or 4 years old: 3 vulnerabilities total, all patched and none of them seriously critical. -
they can start by...
supporting open source standards for their public presentations. Having podcasts which are listed to only support Win2000, and information which is not accessible from my Linux box surely wins my heart if not my respect... Come on guys, get an effen clue already.
Want to know what I care about? Well here goes...
I need open data format standards that I can write I/O programs for when they decide to abandon some product line (I have a wall full of old data, and am currently struggling to configure hardware to read the esoteric media for data archival). I need them to patch their bugs in a timely fashion (18% of all WinXP-Pro advisories are unpatched http://secunia.com/product/22/?task=statistics -- compare this to Gentoo with 1% unpatched advisories http://secunia.com/product/339/?task=statistics). A couple of important notes on these statistics are 1) there are a lot more than 179 WinXP-pro advisories only cover the OS and not all associated programs, while Gentoo's 1072 advisories cover anything associated with the platform. 2) I cannot find the "mean-time-between-fixes" statistics anymore, but the last time I saw these stats it was something like 6 months for Microsoft and 3 weeks from Gentoo. In addition, the fastest critical patch from Microsoft was a couple of months while Gentoo pumped one out in 1 day!
So, do you *really* want to know why I avoid your products like a plague? -
An Open Message to Steve Ballmer
Mr. Ballmer,
I think you hide from yourself the true nature of your business. Your company makes a lot of money because of many, many adversarial practices like tricky, closed file formats, mixing program files and operating system files, and actually encouraging piracy of your products so that competitors cannot make money.
Your company has never, as far as I am aware, released an excellent product. Windows XP was terribly buggy and troublesome until Service Pack 2. You waste the time of millions of well-educated people. You deliberately manage your business in such a way that programmers are not allowed to finish their jobs. Programmers know how to make very secure software, but your software has had literally hundreds of thousands of exploits. A large part of the money you make comes from people buying new computers because their old computers have become infected. When you are told of an exploit, you often take many months to fix it, showing your true self and your true belief in how to live in the world by taking advantage. (Internet Explorer was 78% unpatched when I wrote this.)
I think you should not think of yourself as primarily a business man. You should think of yourself as primarily an abuser.
Michael Jennings -
Re:Advisory Timeline
Hi, I was the lucky one that found the bug.
It's pretty severe, not easy to exploit. As an old Slashdotter, I really appreciate the Open-Source folks and would like to have found a Windows or oracle bug. But this is my work, and I'm sure that OpenBSD is even more secure now.
Theo was a little reluctant to accept the severity of this bug, but it's not uncommon when you found a security risk.
BTW, Linux had a very similar vulnerability just yesterday, look here -
I thought this was fixed ?
-
Re:No we're not
Netcraft and Secunia confirm it!
At 58.7%, Apache 2 had 33.
At 31.0%, IIS 6 had 3.
Those were vulnerabilities reported since 2003, or 11 and 1 per year, respectively. That would seem to suggest market share does correlate.
However, using the CERT vulnerability database dating back to 2000:
IIS gets around 22 and Apache almost 30.
Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period, correlating a direct market share to vulnerability relationship (although not in strictly 1:1 proportions). Revs of IIS prior to 6 show it's crap vs. Apache. However, recent revisions to IIS show a *substantial* decrease in that proportion of market share to vulnerabilities, which Apache has not shown. -
Apple Security - Too Little Too Late
-
If Apple continues to handle security like it does
If Apple continues down this road of ignoring security reports of independent researchers and either not patching or taking too long to patch Mac OS then, in the long run, Apple is going to end up with the same bad reputation Microsoft has.
Apple has not been serious with regards to the recent issues.
There are 11 unpatched advisories in January, 9% of high criticality, 36% executed from remote, 31% involving privilege escalation, 8% system access.
http://secunia.com/product/96/?task=statistics_2007
As a Mac OS user I'm concerned. I guess I'm just spoiled by the open source operating systems I am used to, where security officers take security advisories seriously... -
Unpatched.... Right.
Most of the un-patched vulnerabilities listed are crap.
Starting with this one.
http://secunia.com/advisories/13925/
If anyone here actually checked, it's not a 2.0 bug but a 1.3 one. And it was fixed in Jan 2005!
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290974
Secunia seems suspect in general, so I would have to give as much credit for the graph as the vulnerabilities. -
Not true - pure FUD
Secunia disagrees with the blog contents. I disagree as well - this is pure FUD.
(IIS 5 and IIS 4 are humiliating for mankind. Won't link those, but search yourself if you want to cry and have nightmares.)
IIS 6
Affected By 3 Secunia advisories
Unpatched 0% (0 of 3 Secunia advisories)
Apache 1.3.x
Affected By 19 Secunia advisories
Unpatched 5% (1 of 19 Secunia advisories)
Apache 2.0.x
Affected By 33 Secunia advisories
Unpatched 9% (3 of 33 Secunia advisories)
Apache 2.2.x
Affected By 3 Secunia advisories
Unpatched 33% (1 of 3 Secunia advisories) -
Re:Truth or Dare?