IIS6 vs Apache2 Security Defects


A few days ago I decided to look into how IIS6 has fared security-wise since its release well over a year ago. But I didn’t want to use Microsoft figures; I wanted to use third-party figures. This led me to Secunia.com, as they have a very nice Web site tracking vulnerability counts in different products. The reason I wanted to use non-Microsoft figures is that I wanted to see how IIS6 fared versus Apache 2.0.

So why did I choose Secunia? Well, they don’t issue advisories; they simply reflect the vendor advisories and, in some instances, “rumblings in the marketplace.” There is a downside to the site too: some vendors don’t patch, so they may look better on Secunia. However, both Microsoft and Apache have good advisory records, so the data is useful.

Why did I choose IIS6? Because IIS5 was the subject of a good deal of criticism:

Sep 25, 2001. “Gartner Recommends Against Microsoft IIS[5]” http://www.eweek.com/article2/0%2C1759%2C1240915%2C00.asp

The figures are interesting to say the least.


By the way, I looked into the two bugs: the one in 2004 is the subject of a KB article, http://support.microsoft.com/?id=834452, and the one in 2003 is very low priority, as it is admin access only, requires SSL, and is not installed by default.

Comments (46)

  1. Mike Dimmick says:

    Speaking of SSL, MS04-011 contained issues that impact an SSL web server. The Apache statistics you’ve quoted do include mod_ssl vulnerabilities, so you should really include MS04-011 in your IIS 6.0 statistics if you’re going to compare like with like. Similarly, you just released MS04-030 which affects WebDAV.

    In fact, you probably ought to be comparing against Apache 1.3.x, not 2.0.x. It seems that a large number of sites are still using 1.3.x versions rather than 2.0.x. Netcraft’s surveys don’t break out 2.x versus 1.x – Port80Software’s last survey, of Fortune 1000 companies in June 2004, showed about a 6:1 ratio of 1.3.x to 2.0.x for the versions shown (http://www.port80software.com/surveys/top1000webservers/)

    An administrator still has to consider which services he/she has installed and enabled on a given server. But I will agree that IIS 6.0 is a big improvement on IIS 5.x; Apache 2.0.x seems to have gone in the wrong direction.

  2. Michael Howard says:

    Actually, the stats **don’t** include mod_ssl, nor OpenSSL – this week I’ll add those stats too.

    Also, I wanted to look at IIS6 and Apache2 because they are the latest, and should reflect the state of the art. Also, it’s the default install in many Linux dists.

  3. jake says:

    What about compared to apache 1.3.* which is the version most websites use.

  4. Guy Gervais says:

    Some of the bugs that affect Apache are platform specific (I remember seeing advisories that mentioned linux, but not the Win32 version); comparing to IIS should probably be done only using the win32 Apache version.

    And it could also be a matter of "too little, too late" for Microsoft. Having been burned (badly) by IIS4 and 5; many sites have migrated to Apache/PHP and probably won’t migrate back to IIS/ASP.

    I haven’t tried IIS6 (and have no plan to do so either), but another advantage that became clear with Apache is the ease of administering a server farm of Apache servers. Since the configuration files are all text, it’s easy to script changes across 20 or 30 servers. With IIS, we had to go from server to server and reapply the same changes using the UI.

  5. Pavel Lebedinsky says:

    > Since the configuration files are all text, it’s easy to script changes across 20 or 30 servers.

    In IIS6 the metabase can be edited as a text (XML) file.

    > With IIS, we had to go from server to server and reapply the same changes using the UI.

    Ever heard of ADSI?

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/using_adsi_to_configure_iis.asp

  6. Michael Howard says:

    Guy, I had a look at all the security bugs in Apache 2.0.x (http://www.apacheweek.com/features/security-20) and saw a small number that were platform specific:

    2.0.49 CAN-2004-0174 in AIX, Solaris, Tru64

    2.0.44 CVE-2003-0016 in Windows

    2.0.40 CAN-2002-0661 in Windows, OS2, Netware and Cygwin

    Two of them lie within the 2003/2004 timeframe of Secunia’s records, so that means IIS6 had 2 security issues, and Apache had 18.

  7. Shaf Simpson says:

    I help run a web farm of 70 IIS5 + 6 servers – we script all changes to them remotely using VBScript…plus if you were in an environment with even more servers then you should look at AppCenter – it will sync the config of hundreds of servers in one fell swoop.

  8. A comment on this article on Michael Howard’s web log, IIS6 vs Apache2 Security Defects, got me thinking a bit about the differences between the windows way and the "unix way" (for lack of better terms). I’m only sort of…

  9. Martin says:

    Why should I study how to manage a farm of IIS6?

    With text-based config files I can use the tools I like: bash, perl/ruby, etc. to manage ALL SERVICES on ALL SERVERS.

    Don’t care if it’s http, ftp or whatever, I use the same tools all the time.

    And what if with IIS7 the M$ says you should do it changes? Will I have to throw away my tools?

    With text-based config files the principles stay. Why change things that work?

  10. Randy Wilson says:

    IIS 6, 3 vulnerabilities, 1 patched, 2 still open.

    Apache 2, 22 vulnerabilities, 21 patched, 1 still open.

  11. "Why should I study how to manage a farm of IIS6?"

    At some point you had to learn how to manage an Apache server. That is, if you truly know how.

    Of course, the level of "study" required will vary from person to person.

    But as was said above, you can configure the IIS metabase as text as well.

    If text-based and CLI is really important to you, I suggest you check out channel 9’s recent video about Monad – Microsoft’s next-gen command shell (msh). I’ve always liked bash/tcsh, but msh is way beyond those.

  12. Linear says:

    *I’ve always liked bash/tcsh, but msh is way beyond those.*

    Now, CLI killer is really fun. Shell is powerful when you have zillions of little CLI applications that can work together. This is the case in Linux but not in Win. Shell alone is of no use no matter how "smart" it is. Anyway, I just don’t get what can be so much improved in a shell?

  13. Guy Gervais says:

    Pavel / Brandon:

    XML for IIS6 is nice, but it still isn’t as simple as a good old text file.

    The point, and I think that’s the same one Martin was making, is that with text files, you can use simple, well-known tools (grep, sed, awk, perl… whatever) to process the config files. You still have to learn the syntax of the file itself, but you can administer any service using the same techniques and tools.

    While checking out ADSI, I saw that there are 4 different methods that allow you to administer IIS (and I’m not sure what tools work with what version). Will those tools also work with SQL server? With ISA server? Exchange? Third-party vendors…?

    The point, again, is to keep it simple. It’s enough to learn the syntax of the file to configure the server without having to learn yet another technology-du-jour to configure it.

    Back on topic: If Microsoft is finally "getting" security and putting it first before bells, whistles, doodads and eye-candy; well I, for one am very happy.

    You still have work to do to make us forget this: http://radsoft.net/resources/rants/20011102,00.html

  14. ksuh says:

    As long as software is written by organisms that are fallible, then that software will be fallible.

    The unproven, repeatedly discounted assertion that Software Not By Microsoft is somehow "safer" or "more secure" is a matter of ego, and nothing else.

  15. Dana Epp's ramblings at the Sanctuary says:

    Michael posted an interesting article comparing the defects of IIS6 against those of Apache 2. The results? See for yourself:

    Michael followed up with a second post, taking care of 4 major comments from people who saw the original post, which included: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased? What about Apache 1.3.x? Does this include SSL?

    The first comment makes sense. Since SD3+C has been pushed on campus, we are seeing a lot of positive changes in the attack surface and defect levels of newer product. That’s a good thing. (Go ahead Martha… sue me from jail)

    The second comment is typical FUD deflection. Secunia is its own company, and not impacted or have research enforced by Microsoft. If anything, sometimes their reports are very critical of Microsoft… as they should be.

    The third comment is interesting. People want to always compare apples to oranges, not giving a fair comparison. They do this at the OS level all the time. Let’s compare the latest of both when doing such analysis. But in case that’s not a good enough reason for you, you can look at the difference, comparing against Apache 1.3x:

    The final comment was about SSL. I was surprised people would want to open this can of worms with all the recent OpenSSL issues. Michael pointed out some interesting stats on that as well. Quoting his view on this: "Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Comms Technology (PCT). PCT was released just after SSL2 to fix a number of defects in the protocol; these were then fixed in SSL3. PCT also supports strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good if you’re running a new Windows Server 2003 box, you’re not vulnerable because the code path is not exposed by default. So it’s a low pri bug. That said, let’s call it three security bugs related to IIS6."

    Now let’s look at Apache2, plus OpenSSL 0.9.x because mod_ssl uses OpenSSL:

    Some interesting findings. As an Apache fan I don’t like to admit it, but IIS6 has come a long way….

  16. Guy Gervais says:

    – Microsoft has a large market share, hence it is a juicier target.

    – Windows used to be "easy to use" (and hack) by default. Only Windows 2003 (and XP SP2 to a lesser extent) are "secure-by-default" (ie, nothing is enabled unless the user enables it).

    – It’s still much too hard to run non-admin on a Windows box, hence most exploits manage to get a highly privileged account to do mischief with. On other OSes running "root" is the exception, not the rule.

    – Windows is a very homogeneous platform; it’s a lot easier to find your way around it if you’re writing exploit code. FLOSS products tend to be compiled and configured a little differently everywhere (that has other disadvantages, but from a security standpoint it generally makes exploits harder to write).

    – With source available, it is possible for someone to patch a bug by himself. Unlikely, maybe and certainly not widespread, but possible. What can you do about unpatched bugs in IE? (http://www.guninski.com/browsers.html) except wait and hope for the best? What if you’re still running NT4 because upgrading breaks some legacy applications?

  17. Pavel Lebedinsky says:

    > XML for IIS6 is nice, but it still isn’t as
    > simple as a good old text file.
    >
    > The point, and I think that’s the same one
    > Martin was making is that with text files,
    > you can use simple, well-know tools (grep,
    > sed, awk, perl… whatever) to process the
    > config files.

    Personally, I prefer using a simple, well-known tool called "XML parser".

    I suspect that 90% of the people who would ever need to programmatically configure IIS6 metabase don’t even know what "awk" is.

  18. Guy Gervais says:

    http://msdn.microsoft.com/XML/BuildingXML/XMLColumns/default.aspx?pull=/library/en-us/dnexxml/html/xml10202004.asp

    From that article’s recommendation, I don’t see the advantage of using XML for a web server’s configuration…

    And where’s that well-known XML parser on my Windows installation?

  19. Guy Gervais says:

    Michael: Those bug lists are nice, but…

    …all the worms I remember (CodeRed 1 and 2, Nimda, Sasser, Blaster, etc) are for Windows.

    …99% or more of the viruses are for Windows. I know some viruses affect the Mac… thru Office for Macintosh.

    …Spyware/adware/scumware: Only on Windows.

    Don’t get me wrong, I like (in a love-hate kind of way) Windows. I use it everyday. I develop software on it.

    But I also spend hours cleaning PCs (of friends and family) every time I go visit. They run anti-virus software and ZoneAlarm and they still get hit time and time again. Lately, I’ve been removing all shortcuts to MSIE and Outlook and installing Firefox/Thunderbird. Scumware sightings have gone down almost to zero.

    It’s hard to educate users; Windows almost fights us on it.

    Why are extensions hidden by default? It’s hard enough explaining that an "executable" can be a .scr, .cmd, .bat, .com, .pif, etc. without having those hidden. Especially with viruses hiding behind double extensions (image.jpg.exe showing as image.jpg in Outlook).

    And now, it’s not only executables that users have to worry about. Zips can be corrupted, jpgs have a hole, winamp skins are broken.

    Some of those problems are not Microsoft’s fault. But having most users running as admin is. That’s how scumware installs itself and propagates; it has the run of the PC once it tricks the user into running it.

    IIS6 might have a strong codebase, but is it still running as LocalSystem? How many other services does it require to be present on the machine to operate? If IIS or any of those other services gets exploited, does the exploiter own the machine?

    When I configure Apache on a Linux PC, Apache runs under a very limited account. It might get exploited, but gaining control over its process won’t let you do much on the machine. You can trash the web pages and muck up a few modules, but a patch and a backup restore later, I’m back in business.

  20. A good analysis of the vulnerabilities discovered so far in IIS 6.0 and Apache 2.0, now that both have completed one year of life… http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx

  21. Ovidiu says:

    Guy: You seem to be a knowledgeable person and overall a smart guy (no pun intended), so please drop the trollish arguments.

    "IIS6 might have a strong codebase, but is it still running as Localsystem?" – means you don’t know what IIS 6 behaves like and you haven’t bothered to check it out.

    Also, the magical XML thingie is called MSXML and you can use it, for instance, in .vbs scripts (yeah, Windows can run scripts as well). Besides, for most configuration tasks, you usually have an object model to work against, and you don’t have to know anything about the format, syntax or other internals of the actual configurations.

  22. Guy Gervais says:

    You’re right about IIS6. I haven’t tried it and have no intention to. We migrated all our web servers to Apache (both on Linux and Windows) quite a while ago and we currently see no reason to migrate back. I’m not trying to troll; the point I was trying to make is that even with few "holes", if IIS6 is still running as LocalSystem, whoever finally "exploits" it will own the machine. Apache normally runs as a very restricted user and exploiting it doesn’t give you much access.

    As for the XML vs. text stuff, I simply don’t see any advantages to XML for configuration files. I’m sure it works fine and I’d use it if I had to, but it adds an unnecessary layer of complexity for a simple task: give parameters to a service.

    With Apache’s httpd.conf, I can view/edit it with notepad, vi, BBEdit or whatever text editor is available on whatever platform. I can support customers from offsite simply by asking them to send me the file by email. I can check it out on any platform, using any editor I prefer; I can easily add comments to whatever change I make to it. I can leave the old configuration in comments in case I’m trying something out and want to "rollback" later.

    I could probably do all that with an IIS6 XML config too (like I said, I never used IIS6 and don’t think I will), but XML parsers aren’t as ubiquitous as text editors.

    Basically, I don’t see what’s so great about XML? Maybe someone can show me the light?

    And again, I’m not trying to troll. If IIS6 is now the most secure web server on the planet, I’m very happy about that and I hope the effort will propagate to the rest of MS products.

  23. Michael Howard says:

    >>IIS6 is still running as LocalSystem

    IIS6 absolutely DOES not run user requests as LocalSystem, and by default IIS5 did not either.

  24. Guy Gervais says:

    User requests run under the IUSR_XXX account, which is pretty limited (a good thing). But that’s not what I’m talking about.

    Does the service itself (inetinfo.exe) still run under LocalSystem (sometimes shown as NT AUTHORITY\SYSTEM)?

    *THAT* is the account you get to play with when you buffer overflow the service and "own" it. That’s why holes are so devastating on Windows. When you "exploit" inetinfo, the exploit code doesn’t run under IUSR_XXX like other user requests; it overflows a buffer somewhere in the inetinfo process and gets control of the execution thread. The exploit code is then running as LocalSystem and truly "owns" the machine, since LocalSystem is above "Administrator" in rights granted.

  25. Michael Howard says:

    Inetinfo runs as SYSTEM, but it *NEVER* sees a user’s requests; it’s a management console only. The process which handles user requests, w3wp.exe, runs as Network Service. No user code runs in Inetinfo.
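
The statement in this exchange (inetinfo.exe as SYSTEM, w3wp.exe as Network Service) is something an administrator can verify on a server rather than argue about. The following is an added example, not code from the post or from IIS itself; it assumes PowerShell 3 or later with the CIM cmdlets, and WinRM reachability for any remote server names passed in.

```powershell
# Added example (not part of the original post): list the Windows account each
# IIS process runs under, so the claim above can be checked on a real server.
# Assumes PowerShell 3+ with the CIM cmdlets; remote servers need WinRM.
function Get-IisProcessIdentity {
    param(
        # Servers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($server in $ComputerName) {
        # Per the post above: inetinfo.exe is the management process, and
        # w3wp.exe is the worker process that actually handles HTTP requests.
        $filter = "Name='inetinfo.exe' OR Name='w3wp.exe'"
        $procs = if ($server -eq $env:COMPUTERNAME) {
            Get-CimInstance -ClassName Win32_Process -Filter $filter
        } else {
            Get-CimInstance -ClassName Win32_Process -Filter $filter -ComputerName $server
        }
        foreach ($p in $procs) {
            # GetOwner returns the domain and user of the process token.
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            $account = if ($owner.ReturnValue -eq 0) {
                "$($owner.Domain)\$($owner.User)"
            } else {
                '<unknown>'
            }
            # A request-handling worker running as SYSTEM is the case the
            # commenter worried about: a bug in it would hand over the whole box.
            $finding = if ($p.Name -eq 'w3wp.exe' -and $owner.User -eq 'SYSTEM') {
                'worker process runs as SYSTEM'
            } else {
                'ok'
            }
            [pscustomobject]@{
                Server  = $server
                Process = $p.Name
                PID     = $p.ProcessId
                Account = $account
                Finding = $finding
            }
        }
    }
}

# Run against the local server; pass -ComputerName web01,web02 to sweep a farm.
Get-IisProcessIdentity | Format-Table -AutoSize
```

Note that w3wp.exe only exists while at least one application pool has started, so an idle server may list inetinfo.exe alone.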

  26. Guy Gervais says:

    Thanks for the info.

    Meanwhile, I also found a detailed and interesting description of IIS6 here: http://www.directionsonmicrosoft.com/sample/DOMIS/update/2002/07jul/0702riawns.htm

    It does look much improved from previous versions.

  27. Michael Howard says:

    I know the author, Michael Cherry, he worked in the old developer relations group at Microsoft about 6 or so years ago, so he has a pretty good understanding of this stuff!!

  28. Richard says:

    I agree that Microsoft is starting to actually pay attention to security with IIS 6. However, this comparison simply isn’t fair.

    Apache 2 is new. It is an immature product and is less secure because of it.

    Compare IIS 6:

    http://secunia.com/product/1438/

    With Apache 1.3:

    http://secunia.com/product/72/

    Much fairer comparison. IIS still wins in terms of number of advisories, but numbers like this mean very little on their own.

    – The Apache foundation has an interest in making sure its customers know about a security vulnerability as soon as they know about it. Microsoft, on the other hand, has an interest in making sure that it takes as long as possible for the general public to find out about a vulnerability.

    – Apache 1.3 has 91% vendor patches. This is very good, compared to 33% vendor patches for IIS.

    – Apache has far more non-severe problems than IIS. Over 55% were in the "Less important" category. Compared to 67% in the moderate category for IIS.

    – What’s more, 100% of the IIS vulnerabilities were remote, compared to 82% for Apache.

    – And, IIS had one unpatched vulnerability, compared to zero for apache.

  29. Michael Howard says:

    >>Apache 2 is new. It is an immature product and is less secure because of it

    Apache2 is hardly new, and that’s a *really bad excuse* for an insecure product. IIS6 is new too, yet it’s performing very well, security-wise, and has fewer defects than IIS5.

    New stuff should be more secure because it’s designed better, with better knowledge of threats and best practice, not get less secure. At Microsoft, we’re seeing a trend of newer code having fewer security defects. So from your comment, customers should simply expect more, less secure code from open source. Wow!!

  30. Microsoft gets blamed for a lot of security problems, and for the most part, they deserve it. There’s no excuse for the irresponsible "on by default" policy that resulted in so many vulnerable Windows 2000 IIS installations. That’s why…

  31. Ian says:

    I can’t believe nobody has mentioned this yet.

    GUY – an XML file is a TEXT file. you don’t need a parser, you can use vi/notepad to edit it. there’s nothing in there that vi won’t like – in fact I use vi myself, and edit a ton of xml that way.

    I’m not sure what you’re developing on Windows, but go take a google at some XML resources; it’s going to be used more and more (it’s the entire basis for web services, for example).

    If you look in httpd.config (I think the one I have is from Apache 1.3) it’s 1/2 XML and 1/2 plain text anyway!



    ```apache
    <Directory "DRIVELETTER:/Apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    ```

    XML makes it insanely simple to machine-parse tokens, so for option files it is way easier than plain text. Below is that half attempt at XML in pure XML.

    ```xml
    <Directory location="/Apache/cgi-bin">
        <AllowOverride>None</AllowOverride>
        <Options>None</Options>
        <Order>allow,deny</Order>
        <AllowFrom>all</AllowFrom>
    </Directory>
    ```

    That’s much easier to parse in code, and turn the options into objects or tokens.

    But hey – on the bright side you’ve been nearly using XML and didn’t even know – take the extra step and embrace it fully!

    Enjoy the light..

  32. Anonymous says:

    Säkerkod.se blog » Catching up

  33. A recent comment on the IE Blog made it pretty apparent that not everybody is aware…

  34. David Wang says:

    Ok… I’m sure the zealots will eventually come tar and feather me and distort the conversation I started…