IIS vs Apache vulnerabilities chart.

Michael Howard just posted this analysis of relative vulnerabilities between IIS6 and Apache 2.0 during the year after their respective releases.

A fascinating post, and it goes to show that maybe we really DO understand what we're doing.

Edit: I make this post, and what does Michael do? He posts a second set of charts 🙂

Comments (14)

  1. Anonymous says:

    I don’t doubt that MS understands security anymore at the small scale. IIS6 has a pretty good track record (although comparing it to the far-less-used Apache 2.0 rather than the more popular 1.3 seems odd, but no doubt others are already discussing that elsewhere).

    However, IIS6 is a small product, in real terms. A webserver does not account for much of Windows Server 2003’s footprint, really.

    Why is this important? Because complexity makes security more difficult. Much, much more difficult.

    I really don’t doubt that MS are taking security seriously. But at the same time, I see that Microsoft’s "backoffice" solutions tend to rely on many MS products being used together. When a complete groupware experience requires Win2K3, Exchange Server, SharePoint servers, and maybe more – well, that’s lots of code to secure. MS has the resources to do this, of course – but it’s still worrying for people.

    It’s also a lot of products to configure. Again, MS is making good progress here – Win2K3 comes with some good sensible "turned off by default" security built in. But there’s still going to be room for improvement.

    I’m loath to compare the MS product range to another OS by name – it only starts flame wars that trolls use to lightly grill their edits on. But the fact is that I can install a couple of different Unix distributions from a few floppies. After formatting and installation, that OS is literally just a kernel and not much more – tens of megabytes of disk space used. In complexity terms, you can see how attractive that is. It doesn’t mean it’s immediately more secure, but it’s a lot less to have to manage. An unwanted index server isn’t "not turned on by default" – it wasn’t installed by default. Far better.

    I’m not sure I’ll ever trust Microsoft’s product range to the level you’d like until I see that kind of offering.

    Of course, this highlights the tension that I presume must exist within Microsoft… On the one hand, you want security. On the other, you want a set of dynamic, modular applications that can be plugged together to make a completely seamless platform.

    I’m not convinced that these two desires can ever be totally fulfilled at the same time. It will always be a balancing act, and I suspect that Microsoft tips too far towards the platform side than the security side. The slammer worm was, IIRC, helped massively by applications that had small embedded SQL servers in them – including, ironically, management systems for antivirus programs. Even if the latest version of that code had been secure, would all of those vendors have been using it? Getting vendors to upgrade requires focussing on backwards compatibility as well as security – and thus the complexity increases… *sighs*

    I really don’t doubt that each individual programmer or team now fully understands their security responsibilities, and is doing their best. (And the legendary extremes of Microsoft’s recruiting mean that an MS employee’s best is a cut above the average person’s best to start with…) But it takes more than one small part of the "backoffice platform" being secure to convince me that the MS platform is secure. (Even if that small part is a critical one.)

    Not wishing to end on a downer, I’d like to congratulate MS on IIS6 nonetheless. It seems to have proven itself to be fast, stable and secure. Thanks for taking things seriously.

  2. Anonymous says:

    Heh. And as I write my comment, the stats are upgraded to include Apache 1.3 – which further highlights the good job the IIS team did.

    However, they also now include mod_ssl – which inherited bugs from the OpenSSL tools it’s based on.

    Complexity. It’s the bane of security, it really is…

  3. Anonymous says:

    I think the charts should also reflect the seriousness of the vulnerabilities. Open source products tend to release advisories for everything they find wrong, even if it’s just theoretical, and even if it’s a small vulnerability.

    I’m not saying that was the case, but one has to wonder why the IIS worms managed to cause such chaos while none of the Apache vulnerabilities created widespread defacements and invasions.

  4. Anonymous says:

    I think MS has been improving tremendously on security. I have said before on Larry’s blog and will say it again: no one produces perfect code; it takes time to get to secure code. Server 2003 was a nice installation; it only installed what I wanted, nothing else. But as far as security goes between some OSes, SANS just recently released the top 20 security concerns between Windows and Unix (Unix, not Linux). I do not remember last year’s all exactly, but the Windows top security vulnerabilities seem to move around all the time, showing that things get patched and fixed, while Unix seems to always have the same vulnerabilities.

  5. Anonymous says:

    Oh yeah, and Scoble reminded me of something: it just goes to show you that no matter how hard you try, even if your sole purpose is security, someone will always try to find a way around you. http://www.engadget.com/entry/7796925370303347/

  6. Anonymous says:

    As for Apache 2.0 vs. IIS 6 vulnerabilities reported: I can’t think of a single vulnerability I’ve needed to respond to in my configuration of Apache in that period of time. It’s amazing what you can do with statistics. If one is interested in locking down the security of Apache and not just running an out-of-the-box distro (because in all honesty, the configuration from a compiled version is MUCH MUCH tighter), there are resources out there like http://www.securityfocus.com/infocus/1786 that will run a version of Apache that is pretty tight. Simplicity seriously reduces the exposure to vulnerabilities. An out-of-the-box Redhat Apache config is not necessarily a good comparison.

    As for the OS bashing in all, I’d like to see the vintage OS challenge put to the test. I’d like to see an old core installation of Solaris 2.5.1, a Windows 95, and an OS/2 Warp machine put online with no patches, no hardware firewall, and no updates or extraneous software loaded. I’m guessing that unless advertised of the fact, the OS/2 and the Solaris box will remain untouched. I’d fear for the Windows box. So Microsoft finally gets security. Let’s fast forward, shall we? How about a core installation of Solaris 9, a Win2K3, and a Mac OS X box? Now I’m still willing to bet the Solaris 9 box will remain untouched unless advertised, the Win2K3 box will probably fare decently as long as it’s not used by anyone, and the Mac OS X will likely be unscathed for at least the next few months. But I still don’t put a lot of faith into the Windows box. Far too many ports listening that could do God knows what… or at least Microsoft knows what.

    Final note, in regards to Apache: if my version of Apache is ravaged by an evil Internet worm, great, I dump the chroot jail, install a fresh one and slap my admins for not patching. My Windows box not even running IIS gets hit by some obscure service I didn’t even know existed, let alone realise that it’s used to handle remote scripting, a feature I don’t want or need gets exploited, and the box is entirely rooted with crap all over the place. And no, you don’t need a vintage OS to do that; Windows 2K comes to mind on several occasions. Furthermore, how should I believe this new revelation of Microsoft getting security actually exists? Microsoft said that Win2K was secure and challenged people to hack it. When no one did they admitted success. Fast forward a few years. So what’s Win2K3 going to be like in 2007? Hmm… The only way Microsoft will convince me it is more secure is through time-tested trials. If their posture improves over the next decade (and yes, I feel they are at least a decade out) then I’ll be convinced to come back to their marketing model. But in the meantime, I’m going with the Open Source model that has what I want in it and works in ways I can understand.

  7. Anonymous says:

    Actually, Jeff – that’s a perfect example for the IE vs the other browsers post – the Kryptonite lock was designed against valid keys. They didn’t test it against an invalid key – a Bic ballpoint pen.

  8. Anonymous says:

    I was viewing it more as security. Something built with security in mind. But yes, you are correct, that is a better example, but it still makes you wonder: you know the engineers and designers of that lock had that same pen in their hands, probably on a daily basis, from concept to creation, yet the flaw was never discovered until after release.

    P.S. Congrats on the MSDN Magazine article this month. Even though I have read it before 😉 I had to chuckle when a coworker whom I have told to read the blogs pointed to it and asked me if I had read it yet.

  9. Anonymous says:

    Jeff, when did you read that article?

    Admittedly it’s a riff on stuff I’ve posted before, but…

  10. Anonymous says:

    Hah, well, I guess you’re right again; I never read that article word for word.

    Just pieces of it here and there in your blog.

    The first paragraph: the various sites you go to. No surprise there; you have mentioned those sites in your posts before. And your 20 years with MS was another post, along with the super balls.

    Second paragraph: where you started working in the industry, another post, I think the one where you were talking about your interview. Also you have mentioned Carnegie-Mellon from the 4th before; you were a Unix mainframe kind of guy. The 3rd paragraph is pretty much this post http://blogs.msdn.com/larryosterman/archive/2004/04/09/110488.aspx

    Hmm, the mouse paragraph I do not remember you blogging about. The dev machines might not be the same machines; I remember you posting about them before, not sure exactly where. The dehydrated water: http://blogs.msdn.com/larryosterman/archive/2004/04/07/109118.aspx

    However with a lot more detail.

    So I guess you are correct: I have never seen the article as it is printed in its entirety before; I have seen the article and much more.

    Funny how a regular reader of your blog can glance at another one of your articles and instantly recognise it. I really seriously thought I had read it before. I guess you also get to know some of the personalities of your readers by their posts as well. I may not agree with everything you post about, but you do make sense.

  11. Anonymous says:

    Oh yeah, and when looking back on your blog there was something I forgot about: I, Robot. You should see it when it comes out. It follows Asimov’s Laws; however, it follows along the book Robots and Empire where he introduced a 4th law. The 4th law is:

    A robot may not injure humanity, or, through inaction, allow humanity to come to harm

    Which is, I agree, subject to interpretation, and while another fellow geek and I were discussing I, Robot over beer he pointed out: if a robot recognised Hitler for what he was, would this law allow that robot to try and prevent that, even if it meant the death of Hitler? So anyway, you should see it, form your own opinion, come back here and blog it 😉

  12. Anonymous says:

    Back on topic: comparing Apache2 to IIS 6 is not at all fair. IIS has reached a point where the codebase contains very little in the way of security holes, because it is now several years old. Apache2, on the other hand, is brand new, only a couple of years old, and as such it is filled with problems.

    Apache1.3 has a mature codebase that is far more secure. In terms of security vulnerabilities, a comparison between Apache1.3 and IIS 6 would be much more fair.

    Isn’t it interesting how whenever a comparison like this is released, the open source product is always one that would hardly ever be used in the real world by a sysadmin who knows his stuff?
