Slashdot Mirror
Microsoft's IIS is Twice as Likely to Host Malware?
eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."
First, there is not nearly enough information provided by Google to come to any real conclusions.
It could be that IIS is more likely to become infected than Apache and then be used to distribute malware, or it could be that malware purveyors are more likely to host their malware on IIS. Or it could be a combination of both.
They also fail to mention what versions of IIS we're talking about, as that makes a huge difference. IIS 5.x had more holes than a cubic mile of swiss cheese. IIS 6, on the other hand, appears to be rock solid and actually has fewer vulnerabilities than Apache.
Second, the fact that Google is a direct competitor to Microsoft is an obvious reason to find their conclusions dubious, at best. They have plenty of reasons to bash Microsoft at every possible opportunity.
Apache won't auto-update but the distribution (assuming linux here) will provide automatic updates if configured for it.
I work for a company that identifies hacked sites that house phishing attacks. We have analyzed tens of thousands of sites. It was a surprise to me, but over 90% of hacked sites out there are running Linux/Apache -- not Windows/IIS as most people would suspect. The problem is that there are too many people out there install the free version of open source software, but don't have the ability to apply the patches. Since known vulnerabilities are well documented and kits exists to scan these weaknesses, Linux/Apache gets hacked.
I know everyone's going to start hating on you... but it's really true. The dirty little secret MS doesn't like to talk about in their TCO studies is that they usually rely on the fact Microsoft consultants make on average the least out of almost every consulting field. One study showed 30 dollars an hour! If you are paying your "experts" next to nothing how expert can they really be?
Your quote at the end really rings true. I have yet to meet an IIS admin whom understands the HTTP standards at all, let alone something as complex as debugging chunked encoding issues. If you can't telnet to port 80 and get usable output, you have no business being a web server administrator. However, the windows culture encourages quite the opposite. If you can't solve a problem with a wizard, does the problem actually exist?
If an officer ever threatens to taze you, say you have a pacemaker.
With the release of IIS 6, security was significantly improved & according to various stats out there, IIS 6 is actually stronger than Apache in a lot of areas. We are running IIS & have had several intrusion attempts but our systems have been pretty solid; Humble admission, we did get hacked once but it was our negligence more than anything else.
Having admin'ed both Apache and IIS servers, IIS has treated us well, with a properly configured firewall and auto-patching servers, IIS is rock solid
The fact they're IIS and pirated seems to be moot, the point is many people just don't feel like "proving" to M$ that their version isn't pirated and give up trying to do security updates. I have one computer, out of about 9 or 10 I own at home, that has XP loaded on it. When I put it online and try to patch it, it does it's "Authenticity Check" and fails saying it was not a valid install. I know I bought a copy of XP specifically for this computer since it was for a businesses' use (and hence, tax deductible as an expense). Since it's never going to be on-line I said, "Screw it" and didn't bother with trying to update it. I'm sure many home owners are in the same boat...except they keep it online.
Maybe they'll come around like they did on Win2K. They said they stopped supporting updates and I noticed no nags on my laptop for a really long time...lately I've noticed M$ is pushing security updates to it again. This is a computer I almost pulled from the "on line" array when it got infected twice by MySpace and YouTube....but I got it cleaned up through a few programs and a couple hours...