Slashdot Mirror


Microsoft's IIS is Twice as Likely to Host Malware?

eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."

28 of 163 comments

  1. Help me out by mingot · · Score: 4, Insightful

    Patches? Patches for what? Has IIS had any remotely exploitable holes since version 5? Or are these machines that get owned via some other method and then just happen to have IIS so it is used to serve the malware? So really, this has more to do with unpatched windows than IIS? Or am I missing something?

    1. Re:Help me out by spellraiser · · Score: 2, Insightful

      Yes, it's probably due to unpatched Windows. They use the term web server, which is ambiguous in that it can mean both the server software and the machine it runs on. In this case they most likely mean the machine. After all, isn't it common knowledge that it's important to keep all your software updated and patched, not least the OS?

      --
      I hear there's rumors on the Slashdots
    2. Re:Help me out by eli+pabst · · Score: 2, Informative

      Has IIS had any remotely exploitable holes since version 5?

      At least one in version 6:

      http://secunia.com/advisories/21006/

      Which is actually fairly impressive, but then again you'd really only need one remote vulnerability if you are trying to compromise completely unpatched systems.

    3. Re:Help me out by AKAImBatman · · Score: 2, Funny

      See! The same thing is going to happen to Macs and Linux as soon as they become popular! Because popularity means that these OSes will get pirated more. Which will lead to more infections of unpatched systems. Even though Linux is "free" (as in beer) and Mac OS X only works on legitimate Mac Hardware. Because free... and official hardware...

      Wait...

      What was I saying again?

    4. Re:Help me out by goldspider · · Score: 2, Insightful

      "Microsoft releases patches for both, and neither are apparently being applied by the servers in question."

      So in other words, it's the inattentive sysadmins that are at fault. Why do you blame Windows and IIS then?

      --
      "Ask not what your country can do for you." --John F. Kennedy
    5. Re:Help me out by Henry+V+.009 · · Score: 2, Insightful

      That was a hole in version 5. Please try again. The question was: "Have there been any since version 5?"

    6. Re:Help me out by mhall119 · · Score: 2, Informative

      Actually the research shows that despite Apache being the more popular web server, IIS had more instances of hosting malware.

      --
      http://www.mhall119.com
    7. Re:Help me out by kernelpanicked · · Score: 2, Informative

      No actually if you had read the link the other poster gave you, it affects 5 and 6. Now that I'm on Secunia I've got another link for ya. Total security advisories for IIS6 (3) http://secunia.com/product/1438. Impressive, but not nearly as perfect as you would like to think.

      --
      Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
    8. Re:Help me out by mrsteveman1 · · Score: 2, Funny

      I agree, I'm currently on my way to getting a CCSP at the moment, and there are people in the college classes I take who barely understand how a Windows domain works, let alone network systems and authentication.

      Recently one of them was trying to connect to the VPN at his job, which is part of a Windows domain, and it wouldn't work because he hadn't authenticated against the school's wireless login yet and obviously wouldn't be able to connect to anything. The wireless auth system basically just grabs users from the mail server, and inserts an access list rule in the router behind it allowing traffic from your MAC address to get out.

      So he entered in his user and such, and was able to connect to the VPN at his job. He then went on to say that he forgot to login to the wireless page and that they had to login to the domain at work to use the servers. I explained to him that the wireless login didn't have anything to do with the Windows domain where he works, but he pulled out one of those "I don't actually know anything" lines and said "All I know is we have to login to the wireless system at work to use the network, you can use the internet but not the servers", which is a completely different and reverse situation. The result being that now he thinks the wireless login authenticated his laptop against the Windows domain at his job, never mind the fact that they are completely distinct and unrelated networks, not even using the same authentication system or user database.

  2. No kidding /sarc by N3WBI3 · · Score: 3, Insightful

    The problem is anyone out there who can install Windows services considers themselves a knowledgeable sys-admin. Sure there are technical reasons why LAMP tends to be more secure than IIS, but more often than not it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding of threats (not keeping up with CERT).

    Linus once said of Gnome that when you design assuming your users are idiots, in the end that's all the users you're going to have. Find an experienced competent admin who has cut his teeth in the real world and not in an MCSE bootcamp and you should be ok.

    1. Re:No kidding /sarc by porkThreeWays · · Score: 4, Interesting

      I know everyone's going to start hating on you... but it's really true. The dirty little secret MS doesn't like to talk about in their TCO studies is that they usually rely on the fact Microsoft consultants make on average the least out of almost every consulting field. One study showed 30 dollars an hour! If you are paying your "experts" next to nothing how expert can they really be?

      Your quote at the end really rings true. I have yet to meet an IIS admin who understands the HTTP standards at all, let alone something as complex as debugging chunked encoding issues. If you can't telnet to port 80 and get usable output, you have no business being a web server administrator. However, the Windows culture encourages quite the opposite. If you can't solve a problem with a wizard, does the problem actually exist?

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
  3. Big Surprise by ThinkFr33ly · · Score: 4, Interesting

    First, there is not nearly enough information provided by Google to come to any real conclusions.

    It could be that IIS is more likely to become infected than Apache and then be used to distribute malware, or it could be that malware purveyors are more likely to host their malware on IIS. Or it could be a combination of both.

    They also fail to mention what versions of IIS we're talking about, as that makes a huge difference. IIS 5.x had more holes than a cubic mile of Swiss cheese. IIS 6, on the other hand, appears to be rock solid and actually has fewer vulnerabilities than Apache.

    Second, the fact that Google is a direct competitor to Microsoft is an obvious reason to find their conclusions dubious, at best. They have plenty of reasons to bash Microsoft at every possible opportunity.

    1. Re:Big Surprise by daeg · · Score: 2, Insightful

      When you compare IIS 6 to the comparable Apache version (2.2), they both have the same number of advisories. Note that Apache 2.2 has an unpatched very low risk vulnerability when run on Windows. Interestingly, Apache supports more platforms yet has fewer bugs, considering one of the three bugs only targets one operating system.

      I don't question their results, although I'd suspect there are also a high number of cPanel hosts slammed full of malware, too.

  4. Genuine question by feranick · · Score: 2, Insightful

    Please don't flame me for this, it's a genuine question: Does Apache download and apply patches itself automatically? Or are sys administrators more careful and quicker to apply patches as soon as they are released?

    1. Re:Genuine question by Nibbler999 · · Score: 3, Interesting

      Apache won't auto-update but the distribution (assuming linux here) will provide automatic updates if configured for it.

  5. Newsflash! by DrEldarion · · Score: 4, Insightful

    Bad admins run bad servers!

    Wouldn't have expected that one.

  6. Slashdot sucks? by dedazo · · Score: 2, Insightful

    Are the people who run Slashdot really this dumb? Or are they simply FUDing for ad impressions? They don't really care what the submission says, who is sending it or who initiated it, as long as it's juicy? What time is it? It's 2:00 PM?

    Notice I placed a question mark after each one of my phrases so I cannot be held responsible for them. You know, just asking questions, like Fox News and their "Hillary Clinton turns tricks?" headlines.

    Speaking of that, there's a hilarious Jon Stewart skit on YouTube about placing question marks after inflammatory statements that surprisingly enough targets Faux News, mostly. Might want to take a look at that? Thanks?

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  7. Original source link by Anonymous Coward · · Score: 3, Informative
  8. Re:Free as in beer? by Anonymous Coward · · Score: 2, Informative

    Because many of us think BSD is truly free, while the GPL imposes restrictions on what you can do with it, so it isn't 'free' in our book. Different folks have different definitions of freedom. I'm sure yours is different than mine.

  9. Probably XP Pro by jafiwam · · Score: 2, Insightful

    This is probably XP Pro machines that get infected by means other than the webserver.

    Once someone has control, they can pretty easily start the service and stick malicious files in the default root in IIS.

    You don't need a remote hole to get numbers like this.

  10. 49/49 by jshriverWVU · · Score: 3, Informative

    If you look at the actual article, it shows an even split. 49% IIS, 49% Apache, 2% other:

    Pie Graph

    1. Re:49/49 by sqlrob · · Score: 4, Insightful

      The instances were evenly split, but since Apache is more common than IIS, you should see more Apache.

  11. Who would have thought? by notlightnorchroma · · Score: 2, Interesting

    I work for a company that identifies hacked sites that house phishing attacks. We have analyzed tens of thousands of sites. It was a surprise to me, but over 90% of hacked sites out there are running Linux/Apache -- not Windows/IIS as most people would suspect. The problem is that there are too many people out there who install the free version of open source software, but don't have the ability to apply the patches. Since known vulnerabilities are well documented and kits exist to scan for these weaknesses, Linux/Apache gets hacked.

  12. Re:Free as in beer? by ericrost · · Score: 2, Insightful

    The GPL doesn't restrict what you can DO with any piece of GPL'd code, it restricts you from restricting others from using your work in the same way you used the work of the thousands of developers who made the GNU system and the Linux kernel.

    Share and share alike. Otherwise one bad apple spoils the freedom for everyone.

  13. Version of IIS? by leather_helmet · · Score: 2, Interesting

    Agreed with the other posts that IIS 5.x was rather shitty and was a lot more vulnerable than Apache, etc.

    With the release of IIS 6, security was significantly improved & according to various stats out there, IIS 6 is actually stronger than Apache in a lot of areas. We are running IIS & have had several intrusion attempts, but our systems have been pretty solid. Humble admission: we did get hacked once, but it was our negligence more than anything else.

    Having admin'ed both Apache and IIS servers, IIS has treated us well. With a properly configured firewall and auto-patching servers, IIS is rock solid.

  14. This is slashdot isn't it? by angelasmark · · Score: 2, Insightful

    What's with the lack of MS hate? Is Google on the shitlist now too or something? I haven't seen so many comments bashing an article that pokes at MS ever...

  15. So you blame the user again. by twitter · · Score: 2, Insightful

    It's amazing how M$ security problems are always the user's fault when you ask a M$ person. Case in point, you blame the problem on ignorant, lazy and stupid users:

    ... it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding threats ... Find an experienced competent admin who has cut his teeth in the real world and not in a MCSE bootcamp and you should be ok.

    I'm going to leave alone how you just called most M$ customers idiots. Why would you consider someone lazy because they are forced to do all the work it takes to keep up a Windoze box?

    What you don't mention is that most distributions have reasonable defaults for Apache because they can. In the free software world people are free to share ALL of their improvements and that includes configurations and updates. Of course, there's no such thing as a "pirated" GNU/Linux, which eliminates the problem Google identified.

    As with desktop users, the only consistent trait and problem people with problems have is choosing the wrong OS. Software design, configuration, documentation and ease of upkeep are all inferior in the Windoze world - the user is screwed at every point. It's not their fault.

    --
    Friends don't help friends install M$ junk.

  16. Shouldn't be a surprise but for other reasons by JohnnyComeLately · · Score: 2, Interesting

    The fact they're IIS and pirated seems to be moot; the point is many people just don't feel like "proving" to M$ that their version isn't pirated and give up trying to do security updates. I have one computer, out of about 9 or 10 I own at home, that has XP loaded on it. When I put it online and try to patch it, it does its "Authenticity Check" and fails, saying it was not a valid install. I know I bought a copy of XP specifically for this computer since it was for a business's use (and hence, tax deductible as an expense). Since it's never going to be on-line I said, "Screw it" and didn't bother with trying to update it. I'm sure many home owners are in the same boat...except they keep it online.

    Maybe they'll come around like they did on Win2K. They said they stopped supporting updates and I noticed no nags on my laptop for a really long time...lately I've noticed M$ is pushing security updates to it again. This is a computer I almost pulled from the "on line" array when it got infected twice by MySpace and YouTube....but I got it cleaned up through a few programs and a couple hours...