A few days ago I decided to look into how IIS6 has fared security-wise since its release well over a year ago. But I didn't want to use Microsoft figures; I wanted to use other figures. This led me to Secunia.com, as they have a very nice Web site tracking vulnerability counts in different products. The reason I wanted to use non-Msft figures is that I wanted to see how IIS6 fared versus Apache 2.0.
So why did I choose Secunia? Well, they don’t issue advisories, they simply reflect the vendor advisories, and in some instances “rumblings in the marketplace.” There is a downside to the site too, as some vendors don’t patch so they may look better on Secunia. However, both Microsoft and Apache have good advisory records, so the data is useful.
Why did I choose IIS6? Because IIS5 was the subject of a good deal of criticism:
Sep 25, 2001. “Gartner Recommends Against Microsoft IIS” http://www.eweek.com/article2/0%2C1759%2C1240915%2C00.asp
The figures are interesting to say the least.
By the way, I looked into the two bugs: the one in 2004 is the subject of a KB article, http://support.microsoft.com/?id=834452, and the one in 2003 is very low priv, as it's admin access only, requires SSL, and is not installed by default.