Millions of Websites Affected By Unpatched Flaw in Microsoft IIS 6 Web Server (pcworld.com)
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
Why would someone run a Microsoft web server vs. Nginx on OpenBSD?
Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?
Extended support finished 2 years ago, yet apparently there are still many admins (I use that term advisedly) running public-facing websites who think it's perfectly acceptable to run this software. This is beyond moronic, but short of giving them all a royal kick up the backside I can't see a solution unless the companies involved fancy paying MS $$$ for a fix just for them.
independent web server surveys suggest that IIS 6.0 still powers millions of public websites
Whaa?? Who runs a public web site on a 14-year old version of the server???? That site claims 8 million of them!
But that's what you get for choosing a MS product.
As comparison: apache moved on to apache2 but you can still run apache(1) if you choose to, no matter the OS.
It's bad enough having to upgrade your servers to a new OS every few years. It's even worse to upgrade all web and database stuff to newer and usually not backward-compatible stuff.
Only idiots think 5 years is a long time. Plenty of stuff out there survives a few decades. It's not the new and shiny stuff that rules the cyberspace world but more often than not the ancient, rusty but oiled cogwheels.
I suppose you've never used ASP.NET or C# or .NET at any point.
Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.
But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.
ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks do. You won't be drowned in design pattern hell. But it also provides more structure than most PHP frameworks provide. Yet it isn't as inflexible and opinionated as Ruby on Rails is. It's as close as anyone has gotten to a practical balance.
C# is an excellent programming language. It took the best parts of languages like Java and C++, but discarded a lot of their failures. It's a much, much, much better language than PHP or Ruby or JavaScript. It has a great blend of strictness where it's useful, but while also being extraordinarily flexible when that's needed. .NET as a runtime is fast, light and performs very well. It puts the JVM to shame, and it blows the various Ruby and JavaScript interpreters/VMs to pieces. It also includes a complete and sane standard library. The only other library I've ever seen that comes close is Python's. It's hard to go back to Java's standard library after using .NET's, just because Java's ends up looking so inconsistent and dumb so much of the time.
Microsoft does a lot wrong, but ASP.NET, C# and .NET are some things that they've done so much better than anyone else, and nobody has caught up yet. The open source communities are still dicking around with PHP, Ruby on Rails, and worst of all, Node.js, none of which are anywhere near as good as what Microsoft has created.
Now we're seeing Microsoft port these technologies to Linux and macOS, which gets rid of their main drawback: the need for Windows.
Aside from using legacy applications, it's getting to the point where technologies like Ruby on Rails, PHP and Node.js should be seen as obsolete, as the cross-platform technologies Microsoft is now providing are so much better.
Well yeah they are rock solid. I left IIS a very long time ago as I realized what an insecure piece of crap it was.
This answer is as dumb as it can get by biological means; not sure if a specialized AI could beat that...
It's not about Windows vs. Linux, it's about management vs. IT. A 14-year-old Linux server will not fare any better; in fact, it's a lot easier to build a shitty server with Linux than it is with Windows. I've done web servers with VMS, OS/2, Unix, Windows and Linux, and you can build decent servers with any system, as long as you know what you're doing. The key has always been to convince the CFO that it's worth it to keep the system up to date...
Yeah, but you know on Linux people don't have to worry about the cost of a web server/OS
Depending on your scope of responsibility and the number of customer systems, licensing costs are your least concern. Right now, I'm in charge of ~150 Linux servers and ~40 Windows servers. The customers on Windows had no problems with 30 minutes of downtime on a Wednesday night (they know Windows Update!), but the Linux customers were bitching around like pubescent teenagers...
- and when a patched or new version comes on the horizon, nobody thinks twice before upgrading (IIS depends biologically upon its OS, and often an IIS upgrade requires an OS upgrade).
You never had to deal with C-level, right?
This answer is as dumb, not sure if a specialized AI could beat that...
If an AI can beat that, it's definitely not dumb!
It has to be really smart to appear dumber... :)
Use. Linux.
And what would that bring? Apache has the same support life as IIS.
IIS 6 and Windows 2003 came out in 2003, EOLed in 2015.
Apache 2.0 and Linux 2.4.19 came out in 2003, EOLed in 2013 and 2012 respectively.
Silly take home message: You get a year longer support with MS.
Real take home message: Not using MS doesn't make you any less stupid of a system admin if you don't update your public facing software and run current in service life systems.
I've yet to see a Linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS. Sure, you can in-place upgrade Linux to a new version of the distro, but Windows allows in-place upgrades now, too. You have to pick your poison here. If you are updating, you're gonna have some of the same stability and migration issues on Linux that you'll have going to a new version of Windows. If you're not updating, you're eventually running into the same security issues you get running old Windows. As far as *real* long-term stability goes, a Linux server might run for a few years without a reboot, but IIS clusters well enough, and Windows can guarantee you a decade of security updates for a platform. I have to give it the edge here.
Additionally, if you're hosting yourself, and you run VMs, once you've licensed data center edition on the basic hardware, you can spin up as many Windows VMs on that hardware as you need at no extra cost. Really. The basic data center license doesn't cost as much as you seem to think it does. My last purchase was about $200. That's a rounding error even for a startup. I'm in the Ed market, so I get a pretty good discount, but this isn't that far away from the typical. Big customers get extreme volume discounts, small startups can take advantage of programs like BizSpark, and there's a reasonable plan for most of the rest in the middle.
Don't get me wrong: I'm not "pro-Windows" or "pro-Linux" in any way. They both are valid options, but you have to consider the consequences. Keeping a Linux system up to date is a bit more work than a Windows system, but the Linux ecosystem is a bit "snappier" about security issues...
We should agree on a simple fact: running a webserver on a 14yr old system just isn't a good idea!
Problem is the guys in suits. Not the geeky admin. Unless there is a ROI it won't ever be upgraded. They work fine. Worse if they outsource to India to cut costs. These contract companies care more to appear cheap and brown nose their MBA clients than fix shit.
I left my last employer. One of the biggest, but not the sole, reasons was that their shit never worked and I was always blamed. We have HIPAA requirements and freaking run them off IE 6 and store files on Server 2003! Worse, I replaced the tape drives 3 times because they are 11 years old. I was to blame for reliability, performance, and security. Document shit and you get a write-up. The MBAs need to make the client happy, so shut up, etc.
IT wasn't always considered a cost sink like it is today. The great recession really swung the pendulum too far in the other direction from 1999 in the good old days. It's time it swung back, and failing insecure infrastructure mixed with IT geeks quitting might swing it back.
http://saveie6.com/
It is about how you deploy the application. I was going to describe in more detail what I am doing, but it would be too long. In short, you deploy everything together on top of the OS. That is, in my case, I can change the Java runtime and Tomcat server as easily as upgrading the application. (In a nutshell: nothing is installed. Just folders with scripts that point to everything by pathname. Unpack new java runtime folders and new tomcat servers, alter script pathnames, etc. If the OS happens to be Windows, additional step of a script to uninstall service and reinstall service.)
Now the only thing that is an issue to upgrade is the OS. Minor upgrades can be done along the way. But major upgrades can be done every few years without much effort. Just set up new VM in parallel, set it up with a simple copy of the entire folder structure of what I described above, and switch over. (You're doing this on a staging server first, aren't you?)
Automate as much as possible. If I ever have to cluster this with two or more application servers, then I will look at using some container technology to automate the deployment of the OS. But that is not a reality yet.
What I have described is a single application server that uses some other database server (separate topic) which is not all that different from an app on IIS. Except that you can't just swap out IIS by unpacking a new folder and changing a pathname. And if the new server doesn't work out, just change the pathname to point back to the old server and restart the server (not the OS). Or if the new Java version didn't work out (but I can't imagine why) just change pathname to point to the old one, etc.
Because the cost to change out things is so low, it is never a topic that comes up with management. I always have everything up to date. This is an app that can have short scheduled downtimes. I use a lot of automation but not containers as of today. Downtimes are 1 to 2 minutes unless there is a database upgrade, in which case downtime is 15 to 20 minutes.
And you test everything on staging first. Two days earlier you get backups of all the live production databases (without interrupting live operation) and restore them on the staging system. Then test out the entire upgrade, including database upgrades. That way you have high confidence your DB upgrades work. (And if for some reason it ever were to fail, you restore the backups you made before you started upgrading. (You made backups, right?) And leave the application un-upgraded. But this hypothetical plan has never been needed.)
It's really about planning. Before the application ever went live you should have been thinking about how do you upgrade the entire mess, end to end. Frequently. And quickly with short downtime. (Different practices are needed if you can not ever have short downtimes. But I don't live in that world yet.)
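The pathname-indirection scheme the post above describes, as an added example that is not the poster's own scripts: every component lives in its own unpacked folder under an assumed `$DEPLOY_ROOT`, the only thing an upgrade touches is one pointer file, and a failed or regretted switch is undone by restoring the saved copy of that file (the service restart step is left out; the layout and file names are constructed for the example).

```shell
#!/bin/sh
# Added example, not from the comment above. Assumed layout (constructed):
#   $DEPLOY_ROOT/java/<version>/     unpacked Java runtimes
#   $DEPLOY_ROOT/tomcat/<version>/   unpacked Tomcat servers
#   $DEPLOY_ROOT/current.env         the only file an upgrade changes
#   $DEPLOY_ROOT/previous.env        copy kept so the switch can be undone
DEPLOY_ROOT="${DEPLOY_ROOT:-$(mktemp -d)}"

# Refuse to point at a component version that has not actually been unpacked.
check_unpacked() {
    [ -d "$DEPLOY_ROOT/$1/$2" ]
}

# Switch one component (java or tomcat) to a new version. The old pointer
# file is saved first, so nothing on the OS is touched and rollback is cheap.
switch_component() {
    comp="$1"; ver="$2"
    check_unpacked "$comp" "$ver" || { echo "missing $comp $ver" >&2; return 1; }
    if [ -f "$DEPLOY_ROOT/current.env" ]; then
        cp "$DEPLOY_ROOT/current.env" "$DEPLOY_ROOT/previous.env"
        # keep every other component's line, drop this component's old one
        grep -v "^${comp}=" "$DEPLOY_ROOT/current.env" > "$DEPLOY_ROOT/current.env.new" || true
    else
        : > "$DEPLOY_ROOT/current.env.new"
    fi
    echo "${comp}=$DEPLOY_ROOT/$comp/$ver" >> "$DEPLOY_ROOT/current.env.new"
    # atomic replace: the start script never sees a half-written pointer file
    mv "$DEPLOY_ROOT/current.env.new" "$DEPLOY_ROOT/current.env"
}

# Undo the last switch by putting the saved pointer file back.
rollback() {
    [ -f "$DEPLOY_ROOT/previous.env" ] || return 1
    mv "$DEPLOY_ROOT/previous.env" "$DEPLOY_ROOT/current.env"
}

# Resolve the path a service start script would use for one component.
current_path() {
    sed -n "s/^$1=//p" "$DEPLOY_ROOT/current.env"
}
```

A start script only has to source `current.env` and export the two paths as JAVA_HOME and CATALINA_HOME; the upgrade itself never installs anything.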
I'll see your senator, and I'll raise you two judges.
Linux is more modular, the components are available with source code and the updated versions are both free and more likely to still be compatible with your existing hardware...
If you absolutely must keep an old version of linux running you have options - you can update the externally facing services yourself (eg nothing to stop you installing the latest openssh on an ancient linux kernel), you can patch and rebuild older source yourself, you can remove things you don't need to decrease the attack surface.
Upgrades being free, plus most software coming with source code decreases the number of instances where a system is stuck running an old version of linux, in fact most instances of old linux out there are in the form of embedded devices which generally have a stripped down attack surface anyway.
Serious question. What did Microsoft screw up so badly that nobody ever upgraded to a "better" (?) or more secure server?
"I've yet to see a linux distribution supported for even 7 years, let alone the 10 minimum guaranteed by MS."
You haven't heard of Red Hat, or CentOS?
RHEL5 reached end of standard support yesterday, after just over 10 years. Extended support is available for another 2.5 years:
https://access.redhat.com/supp...
CentOS 5/6/7 have the same lifecycle:
https://linuxlifecycle.com/
https://wiki.centos.org/About/...
"Windows can guarantee you a decade of security updates for a platform. I have to get it the edge here."
Only because you seem uninformed or too lazy to do any research.
"Additionally, if you're hosting yourself, and you run VMs, once you've licensed data center edition on the basic hardware, you can spin up as many Windows VMs on that hardware as you need at no extra cost."
Red Hat has similar options, and subscriptions on their RHEV + unlimited supported VMs give you the same capabilities as VMware vSphere Enterprise for less than just the vSphere licensing/SnS (so you basically get unlimited supported VMs for free).
I didn't compare to HyperV because MS was anal enough about licensing a Windows VM for the vCenter server (must pay per CPU-month for every CPU that could potentially run the VM) that we migrated as soon as possible to the vCenter Server Appliance because we spent almost as much licensing one Windows VM as on vSphere for a 6-machine vSphere cluster.
Of course, if you don't need support, you can run oVirt (community version of RHEV) on CentOS (or Debian) with unlimited CentOS (or Ubuntu or Debian) VMs, for no software cost. Or there are other options for container-based clusters.