IIS6 vs Apache2 Security Defects

re: IIS6 vs Apache2 Security Defects

Mike Dimmick — Sat, 16 Oct 2004 10:16:00 GMT

Speaking of SSL, MS04-011 contained issues that impact an SSL web server. The Apache statistics you've quoted do include mod_ssl vulnerabilities, so you should really include MS04-011 in your IIS 6.0 statistics if you're going to compare like with like. Similarly, you just released MS04-030 which affects WebDAV.

In fact, you probably ought to be comparing against Apache 1.3.x, not 2.0.x. It seems that a large number of sites are still using 1.3.x versions rather than 2.0.x. Netcraft's surveys don't break out 2.x versus 1.x - Port80Software's last survey, of Fortune 1000 companies in June 2004, showed about a 6:1 ratio of 1.3.x to 2.0.x for the versions shown (http://www.port80software.com/surveys/top1000webservers/)

An administrator still has to consider which services he/she has installed and enabled on a given server. But I will agree that IIS 6.0 is a big improvement on IIS 5.x; Apache 2.0.x seems to have gone in the wrong direction.

re: IIS6 vs Apache2 Security Defects

Michael Howard — Sun, 17 Oct 2004 04:50:00 GMT

Actually, the stats **don't** include mod_ssl, nor OpenSSL - this week I'll add those stats too.

Also, I wanted to look at IIS6 and Apache2 because they are the latest, and should reflect the state of the art. Also, it's the default install in many Linux dists.

re: IIS6 vs Apache2 Security Defects

jake — Sun, 17 Oct 2004 05:34:00 GMT

What about compared to apache 1.3.* which is the version most websites use.

re: IIS6 vs Apache2 Security Defects

stefandemetz — Mon, 18 Oct 2004 07:27:00 GMT

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/30/10388.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/05/27720.aspx

IIS vs Apache vulnerabilities chart.

Larry Osterman's WebLog — Mon, 18 Oct 2004 23:16:00 GMT

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Tue, 19 Oct 2004 00:31:00 GMT

Some of the bugs that affect Apache are platform specific (I remember seeing advisories that mentioned linux, but not the Win32 version); comparing to IIS should probably be done only using the win32 Apache version.

And it could also be a matter of "too little, too late" for Microsoft. Having been burned (badly) by IIS4 and 5; many sites have migrated to Apache/PHP and probably won't migrate back to IIS/ASP.

I haven't tried IIS6 (and have no plan to do so either), but another advantage that became clear with Apache is the ease of administering a server farm of Apache server. Since the configuration files are all text, it's easy to script changes across 20 or 30 servers. With IIS, we had to go from server to server and reapply the same changes using the UI.

re: IIS6 vs Apache2 Security Defects

Pavel Lebedinsky — Tue, 19 Oct 2004 05:30:00 GMT

> Since the configuration files are all text, it's easy to script changes across 20 or 30 servers.

In IIS6 the metabase can be edited as a text (XML) file.

> With IIS, we had to go from server to server and reapply the same changes using the UI.

Ever heard of ADSI?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/using_adsi_to_configure_iis.asp

re: IIS6 vs Apache2 Security Defects

Michael Howard — Tue, 19 Oct 2004 05:46:00 GMT

Guy, I had a look at all the security bugs in Apache 2.0.x (http://www.apacheweek.com/features/security-20) and saw a small number that were platform specific:

2.0.49 CAN-2004-0174 in AIX, Solaris, Tru64
2.0.44 CVE-2003-0016 in Windows
2.0.40 CAN-2002-0661 in Windows, OS2, Netware and Cygwin

Two of them lie within the 2003/2004 timeframe of Secunia's records, so that means IIS6 had 2 security issues, and Apache had 18.

IIS 6 & Apache

sysadmin field notes — Tue, 19 Oct 2004 10:44:00 GMT

A comment on this article on Michael Howard's web log, IIS6 vs Apache2 Security Defects, got me thinking a bit about the differences between the windows way and the "unix way" (for lack of better terms). I'm only sort of...

re: IIS6 vs Apache2 Security Defects

Shaf Simpson — Tue, 19 Oct 2004 07:55:00 GMT

I help run a web farm of 70 IIS5 + 6 servers - we script all changes to them remotely using VBScript...plus if you were in an environment with even more servers then you should look at AppCenter - it will sync the config of hundreds of servers in one fell swoop.

IIS vs. Apache ?

Server: Microsoft-IIS/6.0\r\n — Tue, 19 Oct 2004 11:44:00 GMT

re: IIS6 vs Apache2 Security Defects

Martin — Tue, 19 Oct 2004 12:37:00 GMT

Why should I study how to manage a farm of IIS6?

With text-based config files I can use the tools I like: bash, perl/ruby, etc. to manage ALL SERVICES on ALL SERVERS.

Don't care if it's http, ftp or whatever, I use the same tools all the time.

And what if with IIS7 the M$ says you should do it changes? Will I have to throw away my tools?

With text-based config files the principles stay. Why changing things that work?

With So Few Vulnerabilites, You'd Think They'd Be Fixed By Now

Randy Wilson — Tue, 19 Oct 2004 13:56:00 GMT

IIS 6, 3 vulnerabilities, 1 patched, 2 still open.

Apache 2, 22 vulnerabilities, 21 patched, 1 still open.

re: IIS6 vs Apache2 Security Defects

Brandon Paddock — Tue, 19 Oct 2004 14:36:00 GMT

"Why should I study how to manage a farm of IIS6?"

At some point you had to learn how to manage an Apache server. That is, if you truly know how.

Of course, the level of "study" required will very from person to person.

But as was said above, you can configure the IIS metabase as text as well.

If text-based and CLI is really important to you, I suggest you check out channel 9's recent video about Monad - Microsoft's next-gen command shell (msh). I've always liked bash/tcsh, but msh is way beyond those.

re: re: IIS6 vs Apache2 Security Defects

Linear — Tue, 19 Oct 2004 16:09:00 GMT

<i> I've always liked bash/tcsh, but msh is way beyond those. </i>

Now, CLI killer is really fun. Shell is powerfull when you have zillions of little cli applications that can work togather. This is case in Linux but not in Win. Shell alone is of no use no metter how "smart" it is. Anyway, I just don't get it what can be so much improved in shell?

IIS6 vs Apache discussion

A blog to the tune of James — Tue, 19 Oct 2004 19:29:00 GMT

IIS vs Apache Security

Dana Epp's ramblings at the Sanctuary — Tue, 19 Oct 2004 21:48:00 GMT

Michael posted an interesting article comparing the defects of IIS6 against those of Apache 2. The results? See for yourself: Michael followed up with a second post, taking care of 4 major comments from people who saw the original post, which included: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased? What about Apache 1.3.x? Does this include SSL? The first comment makes sense. Since SD3+C has been pushed on campus, we are seeing a lot of postive changes in the attack surface and defect levels of newer product. Thats a good thing. (Go ahead Martha... sue me from jail) The second comment is typical FUD deflection. Secunia is its own company, and not impacted or have research enforced by Microsoft. If anything, sometimes their reports are very critical of Microsoft... as they should be. The third comment is interesting. People want to always compare apples to oranges, not giving a fair comparision. They do this at the OS level all the time. Lets compare the latest of both when doing such analysis. But in case thats not a good enough reason for you, you can look at the difference, comparing against Apache 1.3x: The final comment was about SSL. I was suprised people would want to open this can of worms with all the recent OpenSSL issues. Michael pointed out some interesting stats on that as well. Quoting his view on this: Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Comms Technology (PCT). PCT was released just after SSL2 to fix a number of defects in the protocol, these were then fixed in SSL3. PCT also support strong crypto for finanical orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good if youre running a new Windows Server 2003 box, youre not vulnerable because the code path is not exposed by default. So its a low pri bug. That said, lets call it three security bugs related to IIS6." Now lets look at Apache2, plus OpenSSL 0.9.x because mod_ssl uses OpenSSL: Some interesting findings. As an Apache fan I don't like to admit it, but IIS6 has come a long way....

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Tue, 19 Oct 2004 19:25:00 GMT

Pavel / Brandon:

XML for IIS6 is nice, but it still isn't as simple as a good old text file.

The point, and I think that's the same one Martin was making is that with text files, you can use simple, well-know tools (grep, sed, awk, perl... whatever) to process the config files. You still have to learn the syntax of the file itself, but you can administer any service using the same techniques and tools.

While checking out ADSI, I saw that there are 4 different methods that allow you to administer IIS (and I'm not sure what tools work with what version). Will those tools also work with SQL server? With ISA server? Exchange? Third-party vendors...?

The point, again, is to keep it simple. It's enough to learn the syntax of the file to configurer the server without having to learn yet another technology-du-jour to configure it.

Back on topic: If Microsoft is finally "getting" security and putting it first before bells, whistles, doodads and eye-candy; well I, for one am very happy.

You still have work to do to make us forget this: http://radsoft.net/resources/rants/20011102,00.html

re: IIS6 vs Apache2 Security Defects

Michael Howard — Tue, 19 Oct 2004 19:30:00 GMT

>>You still have work to do to make us forget this: http://radsoft.net/resources/rants/20011102,00.html

How about this? http://rhn.redhat.com/errata/rhel3as-errata-security.html or this http://docs.info.apple.com/article.html?artnum=61798?

:)

re: IIS6 vs Apache2 Security Defects

Michael Howard — Tue, 19 Oct 2004 19:36:00 GMT

Or this http://www.mozilla.org/projects/security/known-vulnerabilities.html

re: IIS6 vs Apache2 Security Defects

stegan demetz — Tue, 19 Oct 2004 20:13:00 GMT

or these just for comparisons sake
SQL Server vs MySQL http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/11/28280.aspx
ASP.NET vs PHP http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/03/31/10465.aspx

re: IIS6 vs Apache2 Security Defects

ksuh — Tue, 19 Oct 2004 20:53:00 GMT

As long as software is written by organisms that are fallible, then that software will be fallible.

The unproven, repeatly discounted assertion that Software Not By Microsoft is somehow "safer" or "more secure" is a matter of ego, and nothing else.

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 00:03:00 GMT

- Microsoft has a large market share, hence it is a juicer target.

- Windows used to be "easy to use" (and hack) by default. Only Windows 2003 (and XP SP2 to a lesser extent) are "secure-by-default" (ie, nothing is enabled unless the user enables it.

- It's still much too hard to run non-admin on a Windows box, hence most exploit manage to get a highly privilege account to do mischief with. On other OSes running "root" is the exception, not the rule.

- Windows is a very homegeneous platform; it's a lot easier to find your way around it if you're writing exploit code. FLOSS products tend to be compiled and configured a little differently everywhere (that has other disadvantages, but from a security standpoint it generally makes exploits harder to write)

- With source available, it is possible for someone to patch a bug by himself. Unlikely, maybe and certainly not widespread, but possible. What can you do about unpatched bugs in IE? (http://www.guninski.com/browsers.html) except wait and hope for the best? What if you're still running NT4 because upgrading breaks some legacy applications?

re: IIS6 vs Apache2 Security Defects

Pavel Lebedinsky — Wed, 20 Oct 2004 03:01:00 GMT

> XML for IIS6 is nice, but it still isn't as
> simple as a good old text file.

> The point, and I think that's the same one
> Martin was making is that with text files,
> you can use simple, well-know tools (grep,
> sed, awk, perl... whatever) to process the
> config files.

Personally, I prefer using a simple, well-known tool called "XML parser".

I suspect that 90% of the people who would ever need to programmatically configure IIS6 metabase don't even know what "awk" is.

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 04:52:00 GMT

http://msdn.microsoft.com/XML/BuildingXML/XMLColumns/default.aspx?pull=/library/en-us/dnexxml/html/xml10202004.asp

From that article's recommendation, I don't see the advantage of using XML for a web server's configuration...

And where's that well-known XML parser on my Windows installation?

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 05:18:00 GMT

Michael: Those bug lists are nice, but...

...all the worms I remember (CodeRed 1 and 2, Nimda, Sasser, Blaster, etc) are for Windows.

...99% or more of the viruses are for Windows. I know some virus affect the Mac... thru Office for Macintosh.

...Spyware/adware/scumware: Only on Windows.

Don't get me wrong, I like (in a love-hate kind of way) Windows. I use it everyday. I develop software on it.

But I also spend hours cleaning PCs (of friends and family) everytime I go visit. They run anti-virus software and ZoneAlarm and they still get hit time and time again. Lately, I've been removing all shortcuts to MSIE and Outlook and installing Firefox/Thunderbird. Scumware sightings have gone down almost to zero.

It's hard to educate users; Windows almost fights us on it.

Why are extensions hidden by default? It's hard enough explaining that an "executable" can be a .scr, .cmd, .bat, .com, .pif, etc. Without having those hidden. Especially with viruses hiding behind double extensions (image.jpg.exe showing as image.jpg in Outlook)

And now, it's not only executables that users have to worry about. Zip can be corrupted, jpgs have a whole, winamp skins are broken.

Some of those problems are not Microsoft's fault. But having most users running as admin is. That's how scumware installs itself and propagates; it has the run of the PC once it tricks the user on running it.

IIS6 might have a strong codebase, but is it still running as Localsystem? How many other services does it require to be present on the machine to operate? If IIS or any of those other service gets exploited, does the exploiter own the machine?

When I configure Apache on a Linux PC, Apache runs under a very limited account. It might get exploited, but gaining control over it's process won't let you do much on the machine. You can trash the web pages and muck up a few modules, but a patch and a backup restore later, I'm back in business.

IIS 6.0 vs. Apache 2.0

A R G ! ! ! — Wed, 20 Oct 2004 13:08:00 GMT

Uma boa análise sobre as vulnerabilidades já descobertas do IIS 6.0 e do Apache 2.0, quando ambos já completaram 1 ano de vida... http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx...

re: IIS6 vs Apache2 Security Defects

Ovidiu — Wed, 20 Oct 2004 15:02:00 GMT

Guy: You seem to be a knowledgeable person and overall a smart guy (no pun intended), so please drop the trollish arguments.

"IIS6 might have a strong codebase, but is it still running as Localsystem?" - means you don't know what IIS 6 behaves like and you haven't bothered to check it out.

Also, the magical XML thingie is called MSXML and you can use it, for instance, in .vbs scripts (yeah, Windows can run scripts as well). Besides, for most configuration tasks, you usually have an object model to work against, and you don't have to know anything about the format, syntax or other internals of the actual configurations.

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 21:40:00 GMT

You're right about IIS6. I haven't tried it and have no intention to. We migrated all our web servers to Apache (both on Linux and Windows) quite a while ago and we currently see no reason to migrate back. I'm not trying to troll; the point I was trying to make is that even with few "holes", if IIS6 is still running as LocalSystem, whoever finally "exploits" it will own the machine. Apache normally runs as a very restricted user and exploiting it doesn't give you much access.

As for them XML vs. text stuff, I simply don't see any advantages to XML for configuration files. I'm sure it works fine and I'd use it if I had to but it adds a unnecessary layer of complexity for a simple task: give parameters to a service.

With Apache's httpd.conf, I can view/edit it with notepad, vi, BBedit or whatever text editor is availble on whatever platform. I can support customers from offsite simply be asking them to send me the file by email. I can check it out on any platform, using any editor I prefer; I can easily add comments to whatever change I make to it. I can leave the old configuration in comments in case I'm trying something out and want to "rollback" later.

I could probably do all that with an IIS6 XML config too (like I said, I never used IIS6 and don't think I will.) but XML parsers aren't as ubiquitous as text editor.

Basically, I don't see what's so great about XML? Maybe someone can show me the light?

And again, I'm not trying to troll. If IIS6 is now the most secure web server on the planet, I'm very happy about that and I hope the effort will propagate to the rest of MS products.

re: IIS6 vs Apache2 Security Defects

Michael Howard — Wed, 20 Oct 2004 21:45:00 GMT

>>IIS6 is still running as LocalSystem
IIS6 absolutely DOES not run user requests as LocalSystem, and by default IIS5 did not either.

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 22:05:00 GMT

User requests run under the IUSR_XXX account, which is pretty limited (a good thing). But that's not what I'm taking about.

Does the service itself (inetinfo.exe) still run under LocalSystem (sometimes shown as NT_AUTHORITY\SYSTEM)?

*THAT* is the account you get to play with when you buffer overflow the service and "own" it. That's why holes are so devastating on Windows. When you "exploit" inetinfo, the exploit code doesn't run under IUSR_XXX like other user requests; it overflows a buffer somewhere in the inetinfo process and gets control of the execution thread. The exploit code is then running as LocalSystem and truly "owns" the machine, since LocalSystem is above "Administrator" in rights granted.

re: IIS6 vs Apache2 Security Defects

Michael Howard — Wed, 20 Oct 2004 22:08:00 GMT

Inetinfo runs as SYSTEM, but it *NEVER* sees a users requests, it's a management console only. The process which handles user requests, w3wp.exe runs as Network Service. No user code runs in Inetinfo.

re: IIS6 vs Apache2 Security Defects

Guy Gervais — Wed, 20 Oct 2004 23:38:00 GMT

Thanks for the info.

Meanwhile, I also found a detailed and interesting description of IIS6 here: http://www.directionsonmicrosoft.com/sample/DOMIS/update/2002/07jul/0702riawns.htm

It does look much improved from previous versions.

re: IIS6 vs Apache2 Security Defects

Michael Howard — Thu, 21 Oct 2004 04:03:00 GMT

I know the author, Michael Cherry, he worked in the old developer relations group at Microsoft about 6 or so years ago, so he has a pretty good understanding of this stuff!!

Geek Notes 2004-10-21

Geek Noise — Thu, 21 Oct 2004 19:16:00 GMT

re: IIS6 vs Apache2 Security Defects

Richard — Mon, 25 Oct 2004 11:18:00 GMT

I agree that Microsoft is starting to actually pay attention to security with IIS 6. However, this comparison simply isn't fair.

Apache 2 is new. It is an immature product and is less secure because of it.

Compare IIS 6:
http://secunia.com/product/1438/

With Apache 1.3:
http://secunia.com/product/72/

Much fairer comparison. IIS still wins in terms of number of advisories, but numbers like this mean very little on their own.

- The Apache foundation has an interest in making sure its customers know about a security vulnerability as soon as they know about it. Microsoft, on the other hand, has in interest in making sure that it takes as long as possible for the general public to find out about a vulnerability.

- Apache 1.3 has 91% vendor patches. This is very good, compared to 33% vendor patches for IIS.

- Apache has far more non-severe problems than IIS. Over 55% where in the "Less important" category. Compared to 67% in the moderate category for IIS.

- What's more, 100% of the IIS vulnerabilities were remote, compared to 82% for apache

- And, IIS had one unpatched vulnerability, compared to zero for apache.

re: IIS6 vs Apache2 Security Defects

Michael Howard — Mon, 25 Oct 2004 14:48:00 GMT

>>Apache 2 is new. It is an immature product and is less secure because of it

Apache2 is hardly new, and that's a *really bad excuse* for an insecure product. IIS6 is new too, yet it's performing very well, security-wise, and has fewer defects than IIS5.

New stuff should be more secure because it's designed better, with better knowledge of threats and best practice, not get less secure. At Microsoft, we're seeing a trend of newer code having fewer security defects. So from your comment, customers should simply expect more, less secure code from open source. Wow!!

IIS vs. Apache Security Defects

Dennis' blog — Tue, 26 Oct 2004 09:14:00 GMT

IIS vs. Apache Security Defects

Dennis' blog — Tue, 26 Oct 2004 09:15:00 GMT

Full Trust can't be trusted

Coding Horror — Mon, 01 Nov 2004 07:42:00 GMT

Microsoft gets blamed for a lot of security problems, and for the most part, they deserve it. There's no excuse for the irresponsible "on by default" policy that resulted in so many vulnerable Windows 2000 IIS installations. That's why...

re: IIS6 vs Apache2 Security Defects

Ian — Thu, 04 Nov 2004 22:46:00 GMT

I can't believe nobody has mentioned this yet.

GUY - an XML file is a TEXT file. you don't need a parser, you can use vi/notepad to edit it. there's nothing in there that vi won't like - in fact I use vi myself, and edit a ton of xml that way.

I'm not sure what you're developing on windows, but go take a google at some xml resources, its going to be used more and more (its the entire basis for web service for example)

If you look in httpd.config (I think the one I have is from Apache 1.3) its 1/2 xml and 1/2 plain text anyway!

-
<Directory "DRIVELETTER:/Apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
-

XML makes it insanely simple to machine parse tokens, so for option files is way easier than plain text. Below is that half attempt at xml in pure xml.

<Directory location="/Apache/cgi-bin">
</AllowOverride>
</Options>
<Order>allow,deny</Order>
<AllowFrom>all</AllowFrom>
</Directory>

Thats much easier to parse in code,and turn the options in objects or tokens.

But hey - on the bright side you've been nearly using XML and didn't even know - take the extra step and
embrace it fully!

Enjoy the light..

re: Great read on why IIS 6 is a respectable choice for Web Hosting

Dene Schonknecht's WebLog — Fri, 05 Nov 2004 13:23:00 GMT

S?kerkod.se blog » Catching up

TrackBack — Fri, 05 Nov 2004 16:35:00 GMT

S?kerkod.se blog » Catching up

What is Microsoft doing for security?

Office Development, Security, Randomness... — Wed, 17 Aug 2005 05:32:53 GMT

A recent comment on the IE Blog made it pretty apparent that not everybody is aware...

Thoughts on IIS Security vs Apache, Part 3

David Wang — Wed, 08 Mar 2006 13:09:46 GMT

Ok... I'm sure the zealots will eventually come tar and feather me and distort the conversation I started...

O wyzszosci peceta na makiem i Bilu z Microsoftu. - Strona 8 | hilpers

O wyzszosci peceta na makiem i Bilu z Microsoftu. - Strona 8 | hilpers — Fri, 23 Jan 2009 06:56:51 GMT

PingBack from http://www.hilpers.pl/434083-o-wyzszosci-peceta-na-makiem/8