Slashdot Mirror


Microsoft's IIS is Twice as Likely to Host Malware?

eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."

16 of 163 comments

  1. Help me out by mingot · · Score: 4, Insightful

    Patches? Patches for what? Has IIS had any remotely exploitable holes since version 5? Or are these machines that get owned via some other method and then just happen to have IIS so it is used to serve the malware? So really, this has more to do with unpatched Windows than IIS? Or am I missing something?

    1. Re:Help me out by spellraiser · · Score: 2, Insightful

      Yes, it's probably due to unpatched Windows. They use the term web server, which is ambiguous in that it can mean both the server software and the machine it runs on. In this case they most likely mean the machine. After all, isn't it common knowledge that it's important to keep all your software updated and patched, not least the OS?

      --
      I hear there's rumors on the Slashdots
    2. Re:Help me out by goldspider · · Score: 2, Insightful

      "Microsoft releases patches for both, and neither are apparently being applied by the servers in question."

      So in other words, it's the inattentive sysadmins that are at fault. Why do you blame Windows and IIS then?

      --
      "Ask not what your country can do for you." --John F. Kennedy
    3. Re:Help me out by Henry+V+.009 · · Score: 2, Insightful

      That was a hole in version 5. Please try again. The question was: "Have there been any since version 5?"

    4. Re:Help me out by Anonymous Coward · · Score: 1, Insightful

      You're probably wrong. From the same link:
      "From then until now or between then and now"

      Which leaves ambiguity as to whether the endpoints are inclusive. So you will have to take it based on context. In this case, saying something like "There hasn't been a hole since version 5" implies that version 5 had a hole. So when you ask the related question, "Has there been a hole since version 5", it implies that the asker of the question knows there was a hole in version 5, and means to inquire as to whether there was one after.

      After all, if your last traffic ticket was in 2001, and I ask you "have you gotten a traffic ticket since 2001?", do you say "Yes, I got one in 2001"?

      I think everyone is pretty damned sure you're wrong in this case.

  2. No kidding /sarc by N3WBI3 · · Score: 3, Insightful

    The problem is anyone out there who can install Windows services considers themselves a knowledgeable sys-admin. Sure there are technical reasons why LAMP tends to be more secure than IIS but more often than not it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding threats (not keeping up with CERT).

    Linus once said of Gnome that when you design assuming your users are idiots in the end that's all the users you're going to have. Find an experienced competent admin who has cut his teeth in the real world and not in an MCSE bootcamp and you should be ok.

  3. Genuine question by feranick · · Score: 2, Insightful

    Please don't flame me for this, it's a genuine question: Does Apache download and apply patches itself automatically? Or are sys administrators more careful and quicker to apply patches as soon as they are released?

  4. Newsflash! by DrEldarion · · Score: 4, Insightful

    Bad admins run bad servers!

    Wouldn't have expected that one.

  5. Slashdot sucks? by dedazo · · Score: 2, Insightful

    Are the people who run Slashdot really this dumb? Or are they simply FUDing for ad impressions? They don't really care what the submission says, who is sending it or who initiated it, as long as it's juicy? What time is it? It's 2:00 PM?

    Notice I placed a question mark after each one of my phrases so I cannot be held responsible for them. You know, just asking questions, like Fox News and their "Hillary Clinton turns tricks?" headlines.

    Speaking of that, there's a hilarious Jon Stewart skit on YouTube about placing question marks after inflammatory statements that surprisingly enough targets Faux News, mostly. Might want to take a look at that? Thanks?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Probably XP Pro by jafiwam · · Score: 2, Insightful

    This is probably XP Pro machines that get infected by means other than the webserver.

    Once someone has control, they can pretty easily start the service and stick malicious files in the default root in IIS.

    You don't need a remote hole to get numbers like this.

  7. Re:49/49 by sqlrob · · Score: 4, Insightful

    The instances were evenly split, but since Apache is more common than IIS, you should see more Apache.

  8. Re:Free as in beer? by ericrost · · Score: 2, Insightful

    The GPL doesn't restrict what you can DO with any piece of GPL'd code, it restricts you from restricting others from using your work in the same way you used the work of the thousands of developers who made the GNU system and the Linux kernel.

    Share and share alike. Otherwise one bad apple spoils the freedom for everyone.

  9. This is slashdot isn't it? by angelasmark · · Score: 2, Insightful

    What's with the lack of MS hate? Is Google on the shitlist now too or something? I haven't seen so many comments bashing an article that pokes at MS ever...

  10. Re:Big Surprise by daeg · · Score: 2, Insightful

    When you compare IIS 6 to the comparable Apache version (2.2), they both have the same number of advisories. Note that Apache 2.2 has an unpatched very low risk vulnerability when run on Windows. Interestingly, Apache supports more platforms yet has fewer bugs considering one of the three bugs only targets one operating system.

    I don't question their results, although I'd suspect there are also a high number of Cpanel hosts slammed full of malware, too.

  11. Re:Free as in beer? by Achromatic1978 · · Score: 1, Insightful

    Whilst I could have phrased it more eloquently, you do realize there's an inherent irony in you championing how ultimate the freedom of the GPL is and every post after that explaining away and justifying all the ways in which it restricts freedom? Note though that I'm not claiming that there are good moral grounds for such restrictions, just that they are far from compatible with the statement - especially when one only needs to glance a few feet over to the BSD license to see what unrestricted freedom really is.

  12. So you blame the user again. by twitter · · Score: 2, Insightful

    It's amazing how M$ security problems are always the user's fault when you ask a M$ person. Case in point, you blame the problem on ignorant, lazy and stupid users:

    ... it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding threats ... Find an experienced competent admin who has cut his teeth in the real world and not in a MCSE bootcamp and you should be ok.

    I'm going to leave alone how you just called most M$ customers idiots. Why would you consider someone lazy because they are forced to do all the work it takes to keep up a Windoze box?

    What you don't mention is that most distributions have reasonable defaults for Apache because they can. In the free software world people are free to share ALL of their improvements and that includes configurations and updates. Of course, there's no such thing as a "pirated" GNU/Linux, which eliminates the problem Google identified.

    As with desktop users, the only consistent trait and problem people with problems have is choosing the wrong OS. Software design, configuration, documentation and ease of upkeep are all inferior in the Windoze world - the user is screwed at every point. It's not their fault.

    --
    Friends don't help friends install M$ junk.