Follow-up on IIS6 and Apache Security

Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups:

  1. Perhaps the security work you guys are doing is paying off?!
  2. No way can this be true, you work for Microsoft, so how can you be unbiased?
  3. What about Apache 1.3.x?
  4. Does this include SSL?

Let me answer each in turn.

  1. Yes, I think so, we’re seeing the same trend across other Microsoft products too – but more on that another day.
  2. These are not Microsoft figures; they are maintained by an independent company, Secunia, who track numerous companies.
  3. This needs a section by itself, see below.
  4. This one was interesting, so what about SSL? This needs a whole section by itself too.

First, item (3) Apache 1.3.x.

I wasn’t interested in looking at 1.3 because 2.0 has been out for some time now (https://www.apacheweek.com/features/ap2), but some think I should, so here are the IIS6 and Apache 1.3.x stats, side by side:

While we're at it, here are the IIS5 figures for the same time period:

Now that’s out of the way, let’s look at item (4) the SSL story.

Microsoft issued a security update, MS04-011 (https://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Communications Technology (PCT). PCT was released just after SSL2 to fix a number of defects in that protocol; those defects were then fixed in SSL3. PCT also supports strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good that if you’re running a new Windows Server 2003 box, you’re not vulnerable, because the code path is not exposed by default. That makes it a low-priority bug. That said, let’s call it three security bugs related to IIS6.
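Since the point above is that the PCT code path is a default-off switch on Windows Server 2003, here is an added PowerShell example (not from the original post) that audits that switch. It assumes the standard Schannel registry layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, where a per-protocol Server\Enabled DWORD of 0 turns the server side of a protocol off; the function names are my own.

```powershell
# Added example: audit (and optionally disable) the server-side PCT 1.0 code path
# through the Schannel registry switch. Assumption: the standard Schannel layout,
# where Protocols\<name>\Server\Enabled = 0 disables that protocol for inbound
# connections. On Windows Server 2003 the post says PCT is off by default, so an
# absent key or Enabled = 0 is the expected state there; on older platforms an
# absent key means the platform default (enabled) applies.
$PctServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'

function Get-PctServerState {
    if (-not (Test-Path -Path $PctServerKey)) {
        return 'not configured (platform default applies)'
    }
    $enabled = (Get-ItemProperty -Path $PctServerKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled) {
        return 'key present, Enabled value missing (platform default applies)'
    }
    if ($enabled -eq 0) {
        return 'disabled'
    }
    return ('enabled (Enabled = 0x{0:X8})' -f $enabled)
}

function Disable-PctServer {
    # Creates the key if needed and sets Enabled = 0. Schannel reads these
    # values at start-up, so a reboot is needed for the change to take effect.
    if (-not (Test-Path -Path $PctServerKey)) {
        New-Item -Path $PctServerKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PctServerKey -Name Enabled -Value 0 -Type DWord
}

# Audit only; run Disable-PctServer from an elevated prompt to harden an older box.
"PCT 1.0 server-side state: $(Get-PctServerState)"
```

Run the audit on a fleet before deciding whether the MS04-011 fix is urgent for a given box: hosts that report "disabled" or "not configured" on Windows Server 2003 are the low-priority case the post describes, while a pre-2003 host reporting "enabled" or "platform default applies" still has the code path exposed.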

Now let’s look at Apache2, plus OpenSSL 0.9.x (will there be an OpenSSL 1.0? It's been 0.9.x since 23-Dec-1998!) because mod_ssl uses OpenSSL:

Remember, these are NOT my figures; they come from a third-party security company, Secunia.

Comments

  • Anonymous
    October 18, 2004
    >>I got a ton of email from all over the place about my last blog entry...<<

    All those questions reminded me of the same responses from the J2EE community after the MiddleWare Company published the benchmarks on the Pet Store implementation with J2EE and .NET.

    Good job, Michael!

  • Anonymous
    October 18, 2004
    Whilst those stats do indeed look bad for Apache, let's not forget that it's an open source project with many eyeballs on the code (I'm not saying that there aren't many MS eyeballs on IIS's code). I would expect a large proportion of those vulnerabilities to have been discovered by looking through the code rather than by other nefarious means. However, for a third party to discover a vulnerability in IIS they would have to have done it blind - this is often orders of magnitude harder.

    You also don't specify the type of advisories. For instance, some of the bugs found in certain tools such as openSSH are very subtle and/or only theoretical, are they those sorts of bugs or your common garden buffer overflow?

    This is the problem with statistics: if someone's not bending the truth with them, they're not going deep enough and end up comparing apples to oranges.

  • Anonymous
    October 18, 2004
    quoted here verbatim:

    "Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and is therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important."

  • Anonymous
    October 18, 2004
    On the very same page from which you took the graphs, secunia asks you not to use the statistics for comparison. Is this a new variant of the "Get the facts" campaign?

  • Anonymous
    October 18, 2004
    It seems that the Apache team has some work to do in nailing down the 2.0.x series. Given that Netcraft says that Apache has 2/3 of the public web server market [1], do you have any theories as to why the worms [2] that attacked IIS caused so many network issues, while there are few (if any) major worms against Apache?

    While the number of advisories / possible security issues is not necessarily an indication of the security of a product, it does show a number of possible vectors for attack. If there are (theoretically) more vectors against Apache (and it has more 'market share'), it's a bit surprising that it doesn't have many worms.

    P.S. Would it be possible to have a "preview" button for comment posts?

    [1] http://news.netcraft.com/archives/web_server_survey.html
    [2] http://www.viruslibrary.com/virusinfo/InternetInformationServers(IIS)Worms.htm

  • Anonymous
    October 18, 2004
    In those graphs I can see Apache fixed many more security holes than the MS team, which found none. No wonder, if you compare the number of programmers that can look into both sources. This means the MS team left holes to be found by hackers of the world.

  • Anonymous
    October 18, 2004
    "On the very same page from which you took the graphs, secunia asks you not to use the statistics for comparison."

    But it's still interesting to make the comparison. That is just Secunia's own disclaimer, which has little bearing on the data, or the analysis thereof.

  • Anonymous
    October 18, 2004
    Nowhere do you show how long it took for Apache F. to fix the issues vs. how long it took Microsoft. I would like to see those figures as well.

  • Anonymous
    October 18, 2004
    Microsoft uses OpenSSL? Do you have a reference?

  • Anonymous
    October 18, 2004
    "But it's still interesting to make the comparison. "
    It's as interesting as the statistics from "Get the facts" and Slashdot polls.

  • Anonymous
    October 19, 2004
    "But it's still interesting to make the comparison. That is just Secunia's own disclaimer, which has little bearing on the data, or the analysis thereof."

    Really? So you'll take Secunia's word for the statistics, but not for the disclaimer, even though the disclaimer disclaims those very same statistics? It must be nice to be capable of such a selective belief system.

    Unless you mean "interesting to make the comparison" in the sense that it's interesting that so many people are blindly accepting a comparison that is obviously flawed...

  • Anonymous
    October 19, 2004
    There was an interesting comment by David Magda about having fewer worms (none?) attacking Apache, even with many vulnerabilities.

    One factor, I believe, is the heterogeneity of the platforms where Apache runs. Causing a buffer overflow on Apache is certainly possible; but if Apache was compiled with a different compiler, or different optimization or a different make file, using different modules, your buffer overflow might crash it, but making it "just right" to get control is nearly impossible. That's one advantage of distributing source instead of binaries.

    With IIS, there are maybe 10 versions out there? It becomes possible (long and tedious, maybe, but still possible) to test your exploit code on those versions and tweak it so that it works on most if not all.

    Another mitigating factor is that Apache generally runs as a limited user (at least on Unix-y platforms) and you can't always get root privilege from exploiting Apache (or it's a lot more work), and it'll only work on 2-3% of the installed base because of the heterogeneous setups.

    Exploit IIS (or most other services) on windows, and you generally get the LocalSystem account which has more access than Administrator.

    I hope IIS6 has stopped this tradition, but for IIS4 and 5, I distinctly remember they ran under the localsystem account.

  • Anonymous
    October 19, 2004
    I could be wrong, but I've been given to understand that reasonable-sized portions of IIS6 actually run in-kernel, whilst running Apache as root (as Guy says) is rare, to say the least.

    To run Apache as root you have to go out of your way to do it - the default configuration drops privileges as soon as sockets are opened, and just about every distribution of any OS which includes Apache sensibly sticks with that.

  • Anonymous
    October 19, 2004
    IIS vs Apache http://dotnetjunkies.com/weblog/stefandemetz/posts/10388.aspx
    IIS 6 http://dotnetjunkies.com/weblog/stefandemetz/posts/27720.aspx
    MSSQL vs MySQL http://dotnetjunkies.com/weblog/stefandemetz/posts/28280.aspx
    ASP.NET vs PHP http://dotnetjunkies.com/weblog/stefandemetz/posts/10465.aspx

  • Anonymous
    October 19, 2004
    >>reasonable-sized portions of IIS6 actually run in-kernel,

    In kernel, yes; reasonable-sized, no. There's a very small routing stub called https.sys which routes to the appropriate least-priv worker process, and that's it. Think tux :)

  • Anonymous
    October 20, 2004
    Why do you only look at simple bugs considered as vulnerabilities, while some architectural issues force trade-offs to be made? There are bigger issues to tackle than simple vulnerabilities.

  • Anonymous
    October 22, 2004
    Everyone can voice their opinion! But facts help more than opinion.

  • Anonymous
    October 23, 2004
    Everyone can make facts look good for their own benefit as well. Also, do you really assume that all the bugs found on Windows are made public? And that they are reported to Microsoft?

  • Anonymous
    October 23, 2004
    >>Also, do you really assume that all the bugs found on Windows are made public? And that they are told to Microsoft?

    Ditto the whole industry, including Open Source!

  • Anonymous
    October 23, 2004
    Hi,

    Seems to be creating a lengthy discussion. :)

    How do you think the figures would look if the security bugs fixed silently by Microsoft were actually published?

    With Open Source it is harder to fix anything without telling something, which is also an element with creating trust.

    -T

  • Anonymous
    October 25, 2004
    Read this: http://lwn.net/Articles/64400/

    "Here in the free software world, we had no shortage of security problems in 2003. Vulnerabilities were announced in many packages, including <snip> Needless to say, that is far too many - and it does not count all of the problems which were silently fixed without going through a security alert process. As a community, we have to strive to do better in 2004."

  • Anonymous
    October 28, 2004
    That is acknowledging that silent fixes happen, but it does not say whether they were actually security problems.
    MS hasn't done that; MS has fixed security problems silently.

  • Anonymous
    October 28, 2004
    You bet the open source folks fix security bugs silently! Read the article:

    "it does not count all of the problems which were silently fixed without going through a security alert process"

    What kinds of bugs are "fixed without going through a security alert process"??

    Security bugs!

  • Anonymous
    October 30, 2004
    Or the bugs are not exploitable and thus not considered worthy of going through the security alert process?

    Also, as a more important point than your constantly not answering the question:

    Why are you trying to point the finger in another direction instead of replying to the original point by actually answering it - has MS fixed exploitable bugs silently which are not listed in the advisories? Yes/No?

    Also, Open Source is not just Linux and being a zealot. I am not a Linux user :)

  • Anonymous
    November 08, 2004
    re: the question of fixing security bugs outside of security bulletins. Yes, security fixes are also provided in service packs. Usually, all the security updates that were released with a bulletin for a product up until that point are included in the next service pack for that product. We also include any other security fixes that required the significant level of testing that a service pack offers, or had minimal impact to the system.
