Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft's IIS is Twice as Likely to Host Malware?

Zonk posted more than 7 years ago | from the consider-the-source dept.

Security 163

eldavojohn writes "According to Google, Microsoft's server software is at least twice as likely to host viruses or malware. The reason why? 'Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions which aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) Our analysis demonstrates how important it is to keep web servers patched to the latest patch level,' Google notes."

cancel ×

163 comments

Sorry! There are no comments related to the filter you selected.

Help me out (4, Insightful)

mingot (665080) | more than 7 years ago | (#19441453)

Patches? Patches for what? Has IIS had any remotely exploitable holes since version 5? Or are these machines that get owned via some other method and then just happen to have IIS so it is used to serve the malware? So really, this has more to do with unpatched windows than IIS? Or am I missing something?

Re:Help me out (1, Redundant)

Ngarrang (1023425) | more than 7 years ago | (#19441537)

It is a combination of both Windows and IIS for being at fault. Microsoft releases patches for both, and neither are apparently being applied by the servers in question.

Re:Help me out (2, Insightful)

goldspider (445116) | more than 7 years ago | (#19441845)

"Microsoft releases patches for both, and neither are apparently being applied by the servers in question."

So in other words, it's the inattentive sysadmins that are at fault. Why do you blame Windows and IIS then?

Re:Help me out (1)

Ngarrang (1023425) | more than 7 years ago | (#19442691)

Modded as a troll? Why? I was answering the posters question. Unless, of course, I was moderated down by a sysadmin of an IIS server. Geesh. Some people have no clue how to use mod points.

Re:Help me out (2, Insightful)

spellraiser (764337) | more than 7 years ago | (#19441587)

Yes, it's probably due to unpatched Windows. They use the term web server, which is ambiguous in that it can mean both the server software and the machine it runs on. In this case they most likely mean the machine. After all, isn't it common knowledge that it's important to keep all your software updated and patched, not least the OS?

Re:Help me out (0, Troll)

mingot (665080) | more than 7 years ago | (#19441677)

Ah. So google's researchers came to an obvious conclusion: The most popular operating system being run by people who can't be bothered to patch it is prone to being used to distribute malware.

Bravo.

Re:Help me out (2, Informative)

mhall119 (1035984) | more than 7 years ago | (#19443365)

Actually the research shows that despite Apache being the more popular web server, IIS had more instances of hosting malware.

Re:Help me out (2, Funny)

AKAImBatman (238306) | more than 7 years ago | (#19441687)

See! The same thing is going to happen to Macs and Linux as soon as they become popular! Because popularity means that these OSes will get pirated more. Which will lead to more infections of unpatched systems. Even though Linux is "free" (as in beer) and Mac OS X only works on legitimate Mac Hardware. Because free... and official hardware...

Wait...

What was I saying again?

Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19441819)

Why is Linux always referred to as free as in beer? It's GPL'd and there are distros (Debian anyone) that are free as in freedom to the core. Where does this come from?

Re:Free as in beer? (2, Informative)

Anonymous Coward | more than 7 years ago | (#19441885)

Because many of us think BSD is truely free, while the GPL imposes restrictions on what you can do with it, so isn't 'free' in our book. Different folks have different definitions of freedom. I'm sure yours is different than mine.

Re:Free as in beer? (2, Insightful)

ericrost (1049312) | more than 7 years ago | (#19442089)

The GPL doesn't restrict what you can DO with any piece of GPL'd code, it restricts you from restricting others from using your work in the same way you used the work of the thousands of developers who made the GNU system and the Linux kernel.

Share and share alike. Otherwise one bad apple spoils the freedom for everyone.

Re:Free as in beer? (0, Troll)

toadlife (301863) | more than 7 years ago | (#19442237)

The GPL doesn't restrict what you can DO with any piece of GPL'd code,
Can I take GPL code, modify it, and then sell the resulting product in binary form without disclosing the source?

No?

Then it looks like the GPL does in fact restrict what you can do with any piece of GPL'd code.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442657)

And that's an activity that it was designed to prevent because you shouldn't benefit from other's work without making your own available. Start with a blank codebase if you're going to do something like that.

If you wish to leverage other's work, you must play by their rules. What's Micorsoft's policy on using their source code?

Re:Free as in beer? (1)

Achromatic1978 (916097) | more than 7 years ago | (#19442917)

designed to prevent

from your previous:

free as in freedom to the core

You might want to ask for a dictionary for your birthday. These two statements are mutually exclusive.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442985)

And you might want to ask for a course in logic and manners.

Are the citizens of the United States (or any other free country) free? They have restrictions placed on them as to being able to commit murder, rob, steal, defraud. There are any number of activities a free person can not do because it restricts the freedom of another, equally deserving of freedom, person.

Yet still we call them free people. Hmm.. strange how that's similar to the idea of free software.

Re:Free as in beer? (1, Insightful)

Achromatic1978 (916097) | more than 7 years ago | (#19443215)

Whilst I could have phrased it more eloquently, you do realize there's an inherent irony in you championing how ultimate the freedom of the GPL is and every post after that explaining away and justifying all the ways in which it restricts freedom? Note though that I'm not claiming that there are good moral grounds for such restrictions, just that they are far from compatible with the statement - especially when one only needs to glance a few foot over to the BSD license to see what unrestricted freedom really is.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19443417)

To me its the difference between freedom and anarchy. I don't believe that freedom without some protection from other's simply deciding to take that freedom away is freedom at all. Just because I'm at one end or the other of that stick doesn't change my view on it.

Free as in constitutional representative democracy vs Free as in anarchy then?

Re:Free as in beer? (-1, Troll)

toadlife (301863) | more than 7 years ago | (#19443877)

It is ironic how the GPL fanatics with mod-points rush in so quickly with the -1 troll mods to silence the truth about their sacred license.

Re:Free as in beer? (0)

Anonymous Coward | more than 7 years ago | (#19442623)

It does restrict what I can DO with the code. I can't hook my super-secret proprietary stuff into it's guts and release it as binary only form as my commercial product. I am 'forced' to release the source code. That does restrict what I can do with it. As I said, you and I have different defintions of freedom. Yours is not the same as mine. Deal with it.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442751)

It doesn't prevent you from accomplishing your goal of having a program that you can charge money to distribute and maintain to fulfill your customer's need of a task being done.

It does, however, protect the intentions of those people who worked to create that codebase that you wish to exploit. It protects that codebase that they made freely available from being used in a way that is not good for the software ecosystem as a whole.

If what you are providing is valuable, how you do it doesn't need to be a secret. You're mistaken that our definitions of freedom are different, its your frame of reference for freedom. You're looking for the "freedom to make others less free". If you make a parallel to American History, the Civil War made the South less free for Plantation owners, "deal with it".

Re:Free as in beer? (0)

Anonymous Coward | more than 7 years ago | (#19443291)

No, you are useing the communist definition of freedom. You are free to do things ONLY THIS WAY! Freedom means being free to do things your own way, weather or not others think that way is 'good', 'ethical', or 'right'. No one is harmed by someone branhing off proprietary code from a BSD project. Nothing is lost. The original BSD project is still there for all to use. But if someone wants to make a propietary version, they are FREE to do it. No one is forcing anyone to use the closed version rather than the open. No one is forcing anyone into slavery. Talk about strawmen arguements.

Re:Free as in beer? (1)

AKAImBatman (238306) | more than 7 years ago | (#19441987)

Because I was making a point? Specifically, that Linux is freely available to install, use, upgrade, and patch. Which would make the reason for the unpatched Windows machines (i.e. piracy) irrelevant. That's why the distinction was important in this case.

Oh, sorry. I was supposed to give the standard Slashdot response, wasn't I? Ok...

*WHOOOOSH!* :P

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442053)

But Linux is also freely available to modify, make derivative works of, and redistribute, even for a cost. That's more free than beer.

Re:Free as in beer? (1)

lgarner (694957) | more than 7 years ago | (#19442217)

"Why is Linux always referred to as free as in beer? It's GPL'd and there are distros (Debian anyone) that are free as in freedom to the core. Where does this come from?"

and

"That's more free than beer."

Linux is free. As in beer. As in speech. As in do-whatever-you-want-with-it. I don't see why you would argue with someone who chooses to pick one to make a point. Failing to include every possible interpretation of something does not make one's statement incorrect.

That reminds me. It's also free as in choice.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442827)

Because it leaves the impression that it is ONLY free as in beer, which is incorrect. I've seen this point made before, and as the GP clearly indicates in his responses, he BELIEVES it is only free as in beer because a BSD license would be SO much better for GNU and Linux to release under.

It's disingenuous to use the terminology of the software freedom movement (who defined via the GPL what software freedom even was) to leave the impression that by those definitions an OS is licensed under more restrictive terms than it is.

Re:Free as in beer? (1)

ericrost (1049312) | more than 7 years ago | (#19442877)

Oops, mixed up the GP and the AC.

Re:Free as in beer? (1)

BlackSnake112 (912158) | more than 7 years ago | (#19443553)

they most likely crashed parties that had self serf kegs hence free beer (to them anyway)

Re:Help me out (1, Informative)

drinkypoo (153816) | more than 7 years ago | (#19441647)

Has IIS had any remotely exploitable holes since version 5?

yes [eeye.com]

Re:Help me out (2, Insightful)

Henry V .009 (518000) | more than 7 years ago | (#19442113)

That was a hole in version 5. Please try again. The question was: "Have there been any since version 5?"

Re:Help me out (1, Informative)

drinkypoo (153816) | more than 7 years ago | (#19442413)

That was a hole in version 5. Please try again. The question was: "Have there been any since version 5?"

Since, definition 1: "from then till now (often prec. by ever): He was elected in 1978 and has been president ever since." Dictionary.com FTW! [reference.com]

Perhaps you should learn to speak English before you criticize mine. I answered the question asked.

The word you people want is "after", not "since". As my friend Tom says, correct me if I'm wrong, but be damned sure I'm wrong.

Thank you, please drive through.

Re:Help me out (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19442709)

You're probably wrong. From the same link:
"From then until now or between then and now"

Which leaves ambiguity as to whether the endpoints are inclusive. So you will have to take it based on context. In this case, saying something like "There hasn't been a hole since version 5" implies that version 5 had a hole. So when you ask the related question, "Has there been an hole since version 5", it implies that the asker of the question knows there was a hole in version 5, and means to inquire as to whether there was one after.

After all, if your last traffic ticket was in 2001, and I ask you "have you gotten a traffic ticket since 2001?", do you say "Yes, I got one in 2001"?

I think everyone is pretty damned sure you're wrong in this case.

Re:Help me out (1)

Henry V .009 (518000) | more than 7 years ago | (#19442861)

You are inserting words that aren't there. You would be right if he had said "since the release of version 5." But he didn't say that. He said "since version 5."

So, no, I'm not the one who needs English lessons.

Re:Help me out (2, Informative)

kernelpanicked (882802) | more than 7 years ago | (#19443641)

No actually if you had read the link the other poster gave you, it affects 5 and 6. Now that I'm on Secunia I've got another link for ya. Total security advisories for IIS6 (3) http://secunia.com/product/1438 [secunia.com] . Impressive, but not nearly as perfect as you would like to think.

Re:Help me out (1)

forrestt (267374) | more than 7 years ago | (#19442151)

I'm the last one to defend Microsoft, but that is an exploit for version 5. The question was since version 5 (i.e. version 6).

He said SINCE 5 (0)

Anonymous Coward | more than 7 years ago | (#19442317)

And that link was SIX years old.

If that is the best Slashdot can do, It be safe to say IIS 6 is rock solid.

Re:Help me out (1)

d34thm0nk3y (653414) | more than 7 years ago | (#19442577)

That bug was from 6 years ago. If that is the best you can find MS must be doing a pretty good job.

Re:Help me out (2, Informative)

eli pabst (948845) | more than 7 years ago | (#19441655)

Has IIS had any remotely exploitable holes since version 5?

At least one in version 6:

http://secunia.com/advisories/21006/ [secunia.com]

Which is actually fairly impressive, but then again you'd really only need one remote vulnerability if you are trying to compromise completely unpatched systems.

Re:Help me out (1)

mingot (665080) | more than 7 years ago | (#19441739)

This requires uploading a maliciously constructed asp file to a directory where there is script execute privilege. If I can upload script and have it run on a web server (any web server) doesn't that mean I've already pretty much got her pants down?

Yes, you are missing something! (1)

uknowit (1108785) | more than 7 years ago | (#19441827)

see subject :)

Re:Help me out (1)

Florian Weimer (88405) | more than 7 years ago | (#19441969)

Has IIS had any remotely exploitable holes since version 5?

What about the WebDAV issue that was used to break into DoD systems just before the Iraq war?

Re:Help me out (1)

KarmaMB84 (743001) | more than 7 years ago | (#19442311)

I'll point to the *since version 5* part and also point out that they wouldn't have been likely to be using Windows 2003 before the Iraq war or using Windows XP for such a purpose... unless you have a link to clarify...

Re:Help me out (1)

Foofoobar (318279) | more than 7 years ago | (#19442143)

If the flesh eating virus attacks my hand and then has access to my arm as a result of the fact that my nervous system decided to give everything easy access to each other, then that arm desrves to get taken! CHOP THAT BABY OFF AND HEAD FOR THE NECK I SAY!!

If they wanted the apps to remain separate and sandboxed, they should have done so to begin with. Slap on the hand and one in the face to Microsoft for not doing so.

Re:Help me out (1)

GbrDead (702506) | more than 7 years ago | (#19443883)

So then you may run IIS on OpenBSD? No?
A security system is as strong as its weakest part, isn't it? Or am I missing something?

No kidding /sarc (3, Insightful)

N3WBI3 (595976) | more than 7 years ago | (#19441511)

The problem is anyone out there who can install windows services considers themselves a knowledgeable sys-admin. Sure there are technical reasons why LAMP tends to be more secure than IIS but more often than not it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding threats (not keeping up with cert).

Linus once said of Gnome that when you design assuming you're users are idiots in the end thats all the users your going to have. Find an experienced competent admin who has cut his teeth in the real world and not in a MCSE bootcamp and you should be ok.

Re:No kidding /sarc (4, Interesting)

porkThreeWays (895269) | more than 7 years ago | (#19442263)

I know everyone's going to start hating on you... but it's really true. The dirty little secret MS doesn't like to talk about in their TCO studies is that they usually rely on the fact Microsoft consultants make on average the least out of almost every consulting field. One study showed 30 dollars an hour! If you are paying your "experts" next to nothing how expert can they really be?

Your quote at the end really rings true. I have yet to meet an IIS admin whom understands the HTTP standards at all, let alone something as complex as debugging chunked encoding issues. If you can't telnet to port 80 and get usable output, you have no business being a web server administrator. However, the windows culture encourages quite the opposite. If you can't solve a problem with a wizard, does the problem actually exist?

So you blame the user again. (2, Insightful)

twitter (104583) | more than 7 years ago | (#19443257)

It's amazing how M$ security problems are always the user's fault when you ask a M$ person. Case in point, you blame the problem on ignorant, lazy and stupid users:

... it comes down to poor configuration (running unneeded services, poor network security, poor hardening standards), lazy maintenance (not checking logs, updating software), and a lack of understanding threats ... Find an experienced competent admin who has cut his teeth in the real world and not in a MCSE bootcamp and you should be ok.

I'm going to leave alone how you just called most M$ customers idiots. Why would consider someone lazy because they are forced to do all the work it takes to keep up a Windoze box?

What you don't mention is that most distributions have reasonable defaults for Apache because they can. In the free software world people are free to share ALL of their improvements and that includes configurations and updates. Of course, there's no such thing as a "pirated" GNU/Linux, which eliminates the problem Google identified.

As with desktop users, the only consistent trait and problem people with problems have is choosing the wrong OS. Software design, configuration, documentation and ease of upkeep are all inferior in the Windoze world - the user is screwed at every point. It's not their fault.

Re:So you blame the user again. (1)

N3WBI3 (595976) | more than 7 years ago | (#19443525)

It's amazing how M$ security problems are always the user's fault when you ask a M$ person. Case in point, you blame the problem on ignorant, lazy and stupid users:

Firstly I am not an MS person I am a Unix admin but in a previous job I did both (and hated every minute I had to support windows). Secondly I am not blaming users I am blaming *ADMINS* how need to be held to a much higher standard.

I'm going to leave alone how you just called most M$ customers idiots. Why would consider someone lazy because they are forced to do all the work it takes to keep up a Windoze box?

Thank you for leaving out something I did not say. I am talking about admins not users. $MY_EMPLOYER has 6000 users and about 100 admins for their various systems (Intel, Unix, DB, Desktop, Network, Sec, ....). Most people who can add a tool in the MS world consider themselves to be an admin (this is not a problem with the software per se') this is not culturally as true in the Unix sphere.

What you don't mention is that most distributions have reasonable defaults for Apache because they can. In the free software world people are free to share ALL of their improvements and that includes configurations and updates. Of course, there's no such thing as a "pirated" GNU/Linux, which eliminates the problem Google identified.

Hmm lets see... "Sure there are technical reasons why LAMP tends to be more secure than IIS" nope don't think I left that out I just did not dive into it because by in large its not the biggest problem. A properly hardened IIS7 server is not the swiss cheese many think of , its not all that bad.

As with desktop users, the only consistent trait and problem people with problems have is choosing the wrong OS. Software design, configuration, documentation and ease of upkeep are all inferior in the Windoze world - the user is screwed at every point. It's not their fault.

There is plenty of documentation out there for windows, and it can when used right be an acceptable tool and will likely not be hosting malware. Being careful is 99% of an admins job and thats true if you're on Windows, UNIX, OpenVMS, or anything else under the sun.

Re:So you blame the user again. (1)

dedazo (737510) | more than 7 years ago | (#19443795)

So let me see if I get this right. If I have a "Windoze" server I fail to patch and it gets p0wn'd then "M$" is to blame, correct? But if I'm running Linux and I have an OpenSSH exploit that I fail to patch, then... who is at fault? Me? Yours? The easter bunny?

I'm going to leave alone how you just called most M$ customers idiots.

Maybe that's because he didn't. Oh, wait. I see what you did there. That's very clever!!

Why would consider someone lazy because they are forced to do all the work it takes to keep up a Windoze box?

What is all this "work" you refer to? Simple post-imaging or out-of-the-box configuration? With mostly GUI tools or automated WMI scripts to disable services and change DCOM configuration settings and whatnot? A process that can be easily encapsulated in simple sets of scripts and executed again and again against new boxes? And heck, it's not like Server 2003 doesn't ship in lock down state as it is. Updates? Wow, super hard to schedule download, install and automatic reboot, if needed.

What you don't mention is that most distributions have reasonable defaults for Apache because they can.

Again, how is this different from Server 2003?

In the free software world people are free to share

Yeah, I've never seen a web site that provides free tested WMI scripts for servers. Never.

As with desktop users, the only consistent trait and problem people with problems have is choosing the wrong OS

Until now just about every instance of Linux or BSD out there that hasn't been rooted is run and maintained by people whose knowledge of computing is eons away from the average "Windoze" user. That's a simple fact. When your painful "M$ sux" evangelizing finally conquers the world and you inherit 400 million completely clueless people, we'll have a chat.

Re:So you blame the user again. (1)

WilliamSChips (793741) | more than 7 years ago | (#19443849)

So let me see if I get this right. If I have a "Windoze" server I fail to patch and it gets p0wn'd then "M$" is to blame, correct?
Well, considering that Microsoft has been denying many users the right to patch, yes.

But if I'm running Linux and I have an OpenSSH exploit that I fail to patch, then... who is at fault? Me? Yours? The easter bunny?
Well, your distribution should make it easy to update, and most fasttrack security updates, so either you or your distributor.

Re:No kidding /sarc (0)

Anonymous Coward | more than 7 years ago | (#19443751)

There are good admins and there are bad admins, many unix boxes out there haven't been updated in years.

I'd say in a general sense MS culture encourages click and forget approach while unix encourages you to dig deep and learn. But this is immaterial when you're talking about a negligent or grossly incompetent admin on either OS.

Re:No kidding /sarc (1)

N3WBI3 (595976) | more than 7 years ago | (#19443777)

But this is immaterial when you're talking about a negligent or grossly incompetent admin on either OS.

This is true my point was the proclivity of people to think click and forget is, in and of itself, not negligent by folks in the MS sphere.

We're in the information age (0)

Anonymous Coward | more than 7 years ago | (#19441533)

How can I tell? Because it's really easy to duplicate.

Nice dupe

Pirates (1)

Threni (635302) | more than 7 years ago | (#19441541)

> (Even pirated Windows versions can automatically receive security fixes, however.)

Well, the ones who either patched or didn't download the WGA fix, anyway.

Re:Pirates (1)

Paktu (1103861) | more than 7 years ago | (#19441651)

As long as you have automatic updates turned on, Microsoft will let you download Windows updates regardless of whether or not your copy is pirated. Er...not that I would know anything about that.

Re:Pirates (0)

Anonymous Coward | more than 7 years ago | (#19441877)

Incorrect. Even if WGA flags your copy of windows as not having a valid licence, you can still download all the security updates. There are only a few things that Windows Update require a valid licence to get, mainly IE7 and WMP11.

Of course, most recent pirated versions of windows use student volume licencing keys, and get past WGA just fine, so it's kinda moot.

Re:Pirates (0)

Anonymous Coward | more than 7 years ago | (#19442043)

You just have to uncheck the WGA updates. So yeah, you don't want to download the patches automatically.

Uh oh.. (1)

pak9rabid (1011935) | more than 7 years ago | (#19441565)

Those of you in the front row would be advised to watch for falling chairs.

Re:Uh oh.. (1)

hotdiggitydawg (881316) | more than 7 years ago | (#19442527)

Actually I'd say this is great PR for Microsoft.

Personally I thought it'd be much worse than just "twice" as bad. Maybe I've been buried under too much anti-MS FUD from reading Slashdot...

Big Surprise (4, Interesting)

ThinkFr33ly (902481) | more than 7 years ago | (#19441591)

First, there is not nearly enough information provided by Google to come to any real conclusions.

It could be that IIS is more likely to become infected than Apache and then be used to distribute malware, or it could be that malware purveyors are more likely to host their malware on IIS. Or it could be a combination of both.

They also fail to mention what versions of IIS we're talking about, as that makes a huge difference. IIS 5.x had more holes than a cubic mile of swiss cheese. IIS 6, on the other hand, appears to be rock solid [secunia.com] and actually has fewer vulnerabilities than Apache.

Second, the fact that Google is a direct competitor to Microsoft is an obvious reason to find their conclusions dubious, at best. They have plenty of reasons to bash Microsoft at every possible opportunity.

Re:Big Surprise (1)

mingot (665080) | more than 7 years ago | (#19441815)

Actually, 5 was pretty solid. I really think you need to get back to 4 for it to turn into shit.

Re:Big Surprise (2, Insightful)

daeg (828071) | more than 7 years ago | (#19443097)

When you compare IIS 6 to the comparable Apache version (2.2), they both have the same number of advisories [secunia.com] . Note that Apache 2.2 has an unpatched very low risk vulnerability when run on Windows. Interestingly, Apache supports more platforms yet has less bugs considering one of the three bugs only targets one operating system.

I don't question their results, although I'd suspect there are also a high number of Cpanel hosts slammed full of malware, too.

Oh no. (1)

u-bend (1095729) | more than 7 years ago | (#19441599)

Aahr. There be unpatched pirate servers here.

Re:Oh no. (0)

Anonymous Coward | more than 7 years ago | (#19441659)

Buttsecks?

Genuine question (2, Insightful)

feranick (858651) | more than 7 years ago | (#19441681)

Please don't flame me for this, it's a genuine question: Does Apache download and apply patches itself automatically? Or are sys administrators more careful and quicker to apply patches as soon as they are released?

Re:Genuine question (3, Interesting)

Nibbler999 (1101055) | more than 7 years ago | (#19441793)

Apache won't auto-update but the distribution (assuming linux here) will provide automatic updates if configured for it.

FUD (0)

hexed_2050 (841538) | more than 7 years ago | (#19441709)

It may be true, but it is in the name of FUD.

What are the motivations behind Google even doing this survey/report? Some will say because Google does no wrong and that they are doing it for the betterment of the web, but I smell a few ulterior motives. Hell, even the author of the article smells that same stench when he says, and I quote:

While I can't quibble with the data per se, I find it interesting that Google used this survey to promote Apache over an Internet product made by its chief competitor.

FUD

h

IIS is good stuff. (1)

jshriverWVU (810740) | more than 7 years ago | (#19441751)

I use it on a honeypot server, leaving linux and apache as my real machine.

Newsflash! (4, Insightful)

DrEldarion (114072) | more than 7 years ago | (#19441799)

Bad admins run bad servers!

Wouldn't have expected that one.

Slashdot sucks? (2, Insightful)

dedazo (737510) | more than 7 years ago | (#19441829)

Are the people who run Slashdot really this dumb? Or are they simply FUDing for ad impressions? They don't really care what the submission says, who is sending it or who initiated it, as long as it's juicy? What time is it? It's 2:00 PM?

Notice I placed a question mark after each one of my phrases so I cannot be held responsible for them. You know, just asking questions, like Fox News and their "Hillary Clinton turns tricks?" headlines.

Speaking of that, there's a hilarious Jon Stewart skit on YouTube about placing question marks after inflammatory statements that surprisingly enough targets Faux News, mostly. Might want to take a look at that? Thanks?

Re:Slashdot sucks? (0)

Anonymous Coward | more than 7 years ago | (#19442099)

Are the people who run Slashdot really this dumb? Or are they simply FUDing for ad impressions?

Why is it either/or? Why can't it be both?

Re:Slashdot sucks? (1)

PhxBlue (562201) | more than 7 years ago | (#19442167)

Are the people who run Slashdot really this dumb? Or are they simply FUDing for ad impressions?

You'll notice the editor who ran the story. 'Nuff said?

Re:Slashdot sucks? (0)

Anonymous Coward | more than 7 years ago | (#19442269)

find this one documentary, 'outfoxed'.. its fucking nuts. i've watched bill oriely for years, not daily, but whenever its on and im around. i dont agree with him 100%, but after seeing that documentary i was discombobulated. hes a fucking bastard. but if you think you are getting 'fair and balanced' news from ANY major network, you're duped. http://www.projectcensored.org/publications/2005/1 1.html [projectcensored.org]
 
they're all in on it. there is a great way to control people by setting them against eachother, so they never see their true enemy. america is a land of division. either you're left, or right, and if you're really really in the middle prepare to be hated by both ignorant sides. either you're a liberal, or a conservative, either you watch cnn, or you watch fox. we're all so divided on the most trivial shit like gay marriage, when the biggest issues, like, for example, the heist the 'federal' reserve pulls is smokescreened and ignored.
 
after the virginia tech shooting i saw orielly, and he was all ragging on rosie odonnell about the gun control issue, and he said 'another gun law wont prevent these crimes' and i agree with him there, but it made me sigh because even though he sees that, and acknowledges that, he's the kind of guy that thinks more anti-terror laws will stop terrorism. such a blind misled stance, it is.

Re:Slashdot sucks? (1)

suv4x4 (956391) | more than 7 years ago | (#19443255)

Notice I placed a question mark after each one of my phrases so I cannot be held responsible for them. You know, just asking questions, like Fox News and their "Hillary Clinton turns tricks?" headlines.

I'm running a macro when I visit slashdot that replaces "?" with "(of course this is total bullshit and we know it)."

Missing marketing move - (1)

RichMan (8097) | more than 7 years ago | (#19441841)

So how much would operating system vendors have to pay the firewall/viris scanner people to add a feature to the firewalls that clearly identified the operating system and web server of the site that was attempting to download a viris/keylogger.

Envision this pop up with appropriatly named guilty parties.
---
Alert: WebServer: MosaicC64 running on AmigaOS_1.5.6 is attempting to infect your computer !!
Anti-Viris-Firewall: Bad Application (XXPdeleteAllYourStuff) found in web stream from site
all.bad.stuff.com: Blocked.

Probably XP Pro (2, Insightful)

jafiwam (310805) | more than 7 years ago | (#19441891)

This is probably XP Pro machines that get infected by means other than the webserver.

Once someone has control, they can pretty easily start the service and stick malicious files in the default root in IIS.

You don't need a remote hole to get numbers like this.

It made be hard to get patches for pirated windows (1, Funny)

Anonymous Coward | more than 7 years ago | (#19441925)

...but it is IMPOSSIBLE to get patches for a pirated copy of Apache.

I doubt anyone on Slashdot can prove they did it even with the most leet of cracking skillz.

It may be reckless to run pirated IIS, but it is simply gross negligence to run pirated Apache.

Re:It made be hard to get patches for pirated wind (1)

WilliamSChips (793741) | more than 7 years ago | (#19443699)

That's funny, because I got patches for every single pirated Apache server I own!

49/49 (3, Informative)

jshriverWVU (810740) | more than 7 years ago | (#19441947)

If you look at the actual article, it shows an even split. 49% IIS 49% Apache 2% other:

Pie Graph [blogger.com]

Re:49/49 (4, Insightful)

sqlrob (173498) | more than 7 years ago | (#19442057)

The instances were evenly split, but since Apache is more common that IIS, you should see more Apache.

Re:49/49 (1)

Timesprout (579035) | more than 7 years ago | (#19442285)

Yay, someone who actually read the article and noticed that yet another Slashdot story is deliberately misleading. No big surprise there. If anyone cares to look of the 70,000 domains distributing malware 49% were IIS and 49% were Apache. The "twice as likely" is pure spin based on overall market share and presumably designed to hide the fact that Apache is being used to push out just as much malware as IIS.

Pirates believe in usability, not deactivation (1)

icepick72 (834363) | more than 7 years ago | (#19442037)

From what I've seen users who pirate software (like IIS) are not so interested in patching even if the option is available. It's usually not for running production-level hosting anyway. They're just happy the pirated software works and don't want to "rock the boat" so to speak in case a Microsoft patch would detect and deactivate that software.


However when said user is frustrated because of inability to use a specific feature of the pirated IIS software then they go looking for patches, service packs and such. More often than not they use a newer pirated version on their development/testing workstation/server.

Who would of thought? (2, Interesting)

notlightnorchroma (1084935) | more than 7 years ago | (#19442081)

I work for a company that identifies hacked sites that house phishing attacks. We have analyzed tens of thousands of sites. It was a surprise to me, but over 90% of hacked sites out there are running Linux/Apache -- not Windows/IIS as most people would suspect. The problem is that there are too many people out there install the free version of open source software, but don't have the ability to apply the patches. Since known vulnerabilities are well documented and kits exists to scan these weaknesses, Linux/Apache gets hacked.

Re:Who would of thought? (1)

Ash-Fox (726320) | more than 7 years ago | (#19442789)

I work for a company that identifies hacked sites that house phishing attacks. We have analyzed tens of thousands of sites. It was a surprise to me, but over 90% of hacked sites out there are running Linux/Apache -- not Windows/IIS as most people would suspect.
Yes, but the exploit was likely not the Linux/Apache combo, but something else like say... Insecure PHP scripts.

Re:Who would of thought? (1)

notlightnorchroma (1084935) | more than 7 years ago | (#19443579)

Yes, but the exploit was likely not the Linux/Apache combo, but something else like say... Insecure PHP scripts.
Not only do we identify hacked sites, but we have an incident response team that works with hosting companies, ISPs, domain registrars, and peering points to prevent consumers from reaching these sites. Often the owner of the computer will provide us forensics for further investigation. You'd be surprised how many of the exploits are not insecure PHP scripts, but simple root kit attacks. Unfortunately, this site has too many Microsoft haters to discuss web security without bias. I just thought I would provide real evidence that might allow them to make informed statements.

Re:Who would of thought? (1)

WilliamSChips (793741) | more than 7 years ago | (#19443773)

I'm pretty convinced you don't know what you're talking about now, because a rootkit cannot exploit a system on its own, by the very definition of a rootkit. A rootkit usually requires an existing root account, and attaches a 'hook' into the system to allow the cracker to regain root access. Rootkits perpetuate attacks, they don't start them. Considering you don't know what a rootkit is, I'm calling into question the honesty of the rest of your evidence.

Re:Who would of thought? (1)

RedElf (249078) | more than 7 years ago | (#19443067)

We have analyzed tens of thousands of sites. It was a surprise to me, but over 90% of hacked sites out there are running Linux/Apache -- not Windows/IIS as most people would suspect.
This falls right in line with the evidence in numerous log files over the past couple years of exploited machines attacking my firewalls.

"... would of thought"? (0)

Anonymous Coward | more than 7 years ago | (#19443179)

Sorry, can't take you seriously.

Fair Use (1)

huckamania (533052) | more than 7 years ago | (#19442171)

You don't have to visit their sites and if you do, they are perfectly within their rights to distribute anything they wish, so long as they keep the copyright intact and provide updates. Unless they are using a BSD license.

Google starts the anti-MS PR machine (0)

Anonymous Coward | more than 7 years ago | (#19442247)

1. Since there are many more than twice the number of Internet-connected Windows machines on the planet vs Linux, there's a lot more than twice the opportunity to use a vulnerability to own the machine, start IIS, and distribute whatever you want on it. If this is the main disitribution method for malware, the 2x figure is a compliment to Microsoft.

2. Or if we're talking about sites that intentionally distribute malware, what does the choice of server have to do with the quality of IIS vs Apache? Gun A's manufacturer is not more evil than gun B's simply because A is the choice for hardened criminals. Fact is, Windows/IIS is easier to set up for fly-by-nights with minimal knowledge than Linux/Apache, whether that's Mother Teresa or Russian Mafia. Again, we have a compliment for Microsoft warped into a criticism.

Nice FUD, but try harder next time. Thankfully, Microsoft will have no trouble poking holes in Google's "do no evil" claim, should a PR war begin. Quick, quick, create another new beta service, Google, to distract the fanboys from the fact that, since 1997, you've not actually done much more than copy or purchase!

Re:Google starts the anti-MS PR machine (0, Troll)

pavera (320634) | more than 7 years ago | (#19442629)

1) According to netcraft there are many more apache installs (almost 2 to 1) than IIS installs on the internet.

2) Most malware distribution occurs from hacked sites. If you build your own web server and host malware on it, it is much easier for someone to find you and prosecute you. If you hack thousands of computers and let them distribute your malware, there is at least 1 level of indirection that someone must follow to find you. I doubt very many malware distributors set stuff up on their own servers, and if they do, they are either using pirated windows copies (as stated in the article) or a free unix variant, malware distributors don't have million dollar IT budgets.

As for your last point, what has MS created? EVER? Windows 3.1 cheap, crappy Mac OS clone, Office cheap crappy word perfect clone, Windows 95, another try to clone Mac OS. IE? netscape clone.

MS should go down in history not for being a monopoly, not for making good software, but as the largest company ever to be so completely incompetent at R&D and innovation. Even AT&T at its height was creating new things, useful things that people still use today. IBM, same thing. These huge monopolies of yore at least lived up to what monopolies are supposed to do. In an economic sense, monopolies charge higher prices, but they are supposed to take that added profit and plow it into R&D to maintain their dominant position and continually keep would be entrants at a disadvantage. Most of the huge monopolies of the 1900's (including AT&T and IBM) lived up to this. MS fails this test miserably. They take their excess profits and give a one time 30 billion dollar dividend? What kind of crap is that, hire 10,000 programmers for 5 years and see what they come up with. That move right there says either MS thinks there is absolutely nothing in computing that needs to be solved or figured out (completely impossible), or b that they admit they are completely incompetent at R&D and give up on trying to make something new and innovative.

Version of IIS? (2, Interesting)

leather_helmet (887398) | more than 7 years ago | (#19442433)

Agreed with the other posts that IIS 5.x was rather shitty and was a lot more vulnerable than Apache, etc.

With the release of IIS 6, security was significantly improved & according to various stats out there, IIS 6 is actually stronger than Apache in a lot of areas. We are running IIS & have had several intrusion attempts but our systems have been pretty solid; Humble admission, we did get hacked once but it was our negligence more than anything else.

Having admin'ed both Apache and IIS servers, IIS has treated us well, with a properly configured firewall and auto-patching servers, IIS is rock solid

Re:Version of IIS? (1)

Stormcrow309 (590240) | more than 7 years ago | (#19443133)

I would agree with you. Our only intrusion breach was a zero-day apache.

Admin or the machine, who is the weak link? (1)

cyfer2000 (548592) | more than 7 years ago | (#19442495)

I think the research really mean is the administrators behind those softwares are the weak links, not the software. Those bad administrators use pirated windows servers and refuse to update are the most dangerous and damaging guys around.

Pirated? (1)

KarmaMB84 (743001) | more than 7 years ago | (#19442503)

So a bunch of thugs pirate Windows and start serving malware via IIS? So how do we know the discs they installed with weren't pre-infected with malware or that they didn't INTENTIONALLY put up servers for the purpose of serving malware? This story is coming from a competitor of Microsoft who has every reason to bash their products. It is probably a total crock anyway.

This is slashdot isn't it? (2, Insightful)

angelasmark (856143) | more than 7 years ago | (#19442741)

What with the lack of MS hate? Is google on the shitlist now too or something? I haven't seen so many comments bashing an article that pokes at MS ever...

Re:This is slashdot isn't it? (0)

Anonymous Coward | more than 7 years ago | (#19443831)

I guess even the most fanatical slashdot hate can occasionally give way to logic and reason*.

I never thought I'd see the day. Gives me hope!

*well, either that or Twitter was just out sick today.

Remember... (0)

Anonymous Coward | more than 7 years ago | (#19443017)

Correlation =/= causation.

Shouldn't be a surprise but for other reasons (2, Interesting)

JohnnyComeLately (725958) | more than 7 years ago | (#19443543)

The fact they're IIS and pirated seems to be moot, the point is many people just don't feel like "proving" to M$ that their version isn't pirated and give up trying to do security updates. I have one computer, out of about 9 or 10 I own at home, that has XP loaded on it. When I put it online and try to patch it, it does it's "Authenticity Check" and fails saying it was not a valid install. I know I bought a copy of XP specifically for this computer since it was for a businesses' use (and hence, tax deductible as an expense). Since it's never going to be on-line I said, "Screw it" and didn't bother with trying to update it. I'm sure many home owners are in the same boat...except they keep it online.

Maybe they'll come around like they did on Win2K. They said they stopped supporting updates and I noticed no nags on my laptop for a really long time...lately I've noticed M$ is pushing security updates to it again. This is a computer I almost pulled from the "on line" array when it got infected twice by MySpace and YouTube....but I got it cleaned up through a few programs and a couple hours...

In related news... (0, Offtopic)

ScentCone (795499) | more than 7 years ago | (#19443895)

... stolen cars are much more likely to be carrying Bad Guys, smoke detectors owned by people who never check the batteries are less likely to notice a fire burning, and people who never cut their grass are more likely to harbor rodents and snakes. In-freakin'-sightful, I say!

Yeesh.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>