Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's IIS is Twice as Likely to Host Malware?

Posted by Zonk on from the consider-the-source dept.

eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."

5 of 163 comments (clear)

  1. Help me out by mingot · · Score: 4, Insightful

    Patches? Patches for what? Has IIS had any remotely exploitable holes since version 5? Or are these machines that get owned via some other method and then just happen to have IIS so it is used to serve the malware? So really, this has more to do with unpatched windows than IIS? Or am I missing something?

  2. Big Surprise by ThinkFr33ly · · Score: 4, Interesting

    First, there is not nearly enough information provided by Google to come to any real conclusions.

    It could be that IIS is more likely to become infected than Apache and then be used to distribute malware, or it could be that malware purveyors are more likely to host their malware on IIS. Or it could be a combination of both.

    They also fail to mention what versions of IIS we're talking about, as that makes a huge difference. IIS 5.x had more holes than a cubic mile of swiss cheese. IIS 6, on the other hand, appears to be rock solid and actually has fewer vulnerabilities than Apache.

    Second, the fact that Google is a direct competitor to Microsoft is an obvious reason to find their conclusions dubious, at best. They have plenty of reasons to bash Microsoft at every possible opportunity.

  3. Newsflash! by DrEldarion · · Score: 4, Insightful

    Bad admins run bad servers!

    Wouldn't have expected that one.

  4. Re:49/49 by sqlrob · · Score: 4, Insightful

    The instances were evenly split, but since Apache is more common that IIS, you should see more Apache.

  5. Re:No kidding /sarc by porkThreeWays · · Score: 4, Interesting

    I know everyone's going to start hating on you... but it's really true. The dirty little secret MS doesn't like to talk about in their TCO studies is that they usually rely on the fact Microsoft consultants make on average the least out of almost every consulting field. One study showed 30 dollars an hour! If you are paying your "experts" next to nothing how expert can they really be?

    Your quote at the end really rings true. I have yet to meet an IIS admin whom understands the HTTP standards at all, let alone something as complex as debugging chunked encoding issues. If you can't telnet to port 80 and get usable output, you have no business being a web server administrator. However, the windows culture encourages quite the opposite. If you can't solve a problem with a wizard, does the problem actually exist?

    --
    If an officer ever threatens to taze you, say you have a pacemaker.