Last week, mass-mailing computer worm Nimda was released into the wild. It combined elements of the Web-based Code Red virus and attacked the same buffer-overflow vulnerability in Microsoft's IIS software. The trend confirms that IIS has become a popular target for hackers, and Gartner is recommending that companies affected by both worms should look at moving their Web applications to a more secure platform.
"Using Internet-exposed IIS Web servers securely has a high cost of ownership," states the Gartner report. "Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."
Some antivirus experts are dismissing the Gartner warnings as "knee-jerk" and "unnecessary". Graham Cluley, senior technology consultant at security firm Sophos, is concerned that a mass move to alternative Web server software would cause more disruption than sticking with Microsoft IIS and patching it. "Code Red was less about the vulnerability of IIS, as all software has bugs, but more about system administrators ignoring the warnings that came well in advance of Code Red," said Cluley.
According to Gartner, iPlanet and Apache offer advisable alternatives to Microsoft's server software. "Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers," the report says.
The analysts predict that it might be late next year before the server software is safer for corporations. "Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS."
The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targetted as it is so popular, rather than the system being the least secure," said Cluley.
"There are few viruses for the Macintosh in comparison to the PC, as the hacker will be going for the most popular platform," he pointed out.
Their are 3 times as many Apache servers then there are IIS.
Yet the vulnerability one faces when running IIS is immensely greater then when using auditable open source products.
Well, that 's what you get when you trust MS or any other closed source company.
Good luck trusting MS with your valuable data when .net is faced in.
.net is not going to be any different except that the losses to naive companies are so much greater.