Follow-up on IIS6 and Apache Security


Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups:

  1. Perhaps the security work you guys are doing is paying off?!
  2. No way can this be true, you work for Microsoft, so how can you be unbiased?
  3. What about Apache 1.3.x?
  4. Does this include SSL?

Let me answer each in turn.

  1. Yes, I think so, we’re seeing the same trend across other Microsoft products too – but more on that another day.
  2. These are not Microsoft figures; they are maintained by an independent company, Secunia, who track numerous companies.
  3. This needs a section by itself, see below.
  4. This one was interesting, so what about SSL? This needs a whole section by itself too.

First, item (3) Apache 1.3.x.

I wasn’t interested in looking at 1.3 because 2.0 has been out for some time now (http://www.apacheweek.com/features/ap2), but some think I should, so here are the IIS6 and Apache 1.3.x stats, side by side:

[Image: IIS6 and Apache 1.3.x Secunia advisory stats, side by side]

While we’re at it, here are the IIS5 figures in the same time period:

[Image: IIS5 Secunia advisory stats for the same time period]

Now that’s out of the way, let’s look at item (4) the SSL story.

Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Comms Technology (PCT). PCT was released just after SSL2 to fix a number of defects in the protocol; these were then fixed in SSL3. PCT also supports strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good that if you’re running a new Windows Server 2003 box, you’re not vulnerable, because the code path is not exposed by default. So it’s a low-pri bug. That said, let’s call it three security bugs related to IIS6.
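Since the mitigation above comes down to whether the PCT code path is exposed, here is an added example (not from the original post) that reports the SChannel server-side state of the legacy protocols and shows how to pin PCT 1.0 off explicitly. It assumes the standard Windows SChannel registry location and the `Enabled` DWORD convention, neither of which the post itself names.

```powershell
# Added example, not part of the original post. Assumes the standard SChannel
# protocol key location and that an "Enabled" DWORD of 0 disables a protocol.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side = 'Server')
    $path = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $path)) {
        # No key at all: the OS default applies. Per the post, PCT is on by
        # default except on Windows Server 2003 and XP SP2, where it is off.
        $state = 'OS default (key absent)'
    } else {
        $enabled = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $enabled)  { $state = 'OS default (value absent)' }
        elseif ($enabled -eq 0)  { $state = 'Disabled' }
        else                     { $state = 'Enabled' }
    }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

function Disable-SchannelProtocol {
    # Hardening step: create the key if needed and set Enabled=0, which
    # mirrors the Windows Server 2003 default the post describes for PCT.
    param([string]$Protocol, [string]$Side = 'Server')
    $path = Join-Path $base "$Protocol\$Side"
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Report the two legacy protocols discussed in the post.
'PCT 1.0', 'SSL 2.0' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ }

# Uncomment in an elevated shell to turn PCT 1.0 off on the server side.
# Disable-SchannelProtocol -Protocol 'PCT 1.0'
```

A key or value that is absent means the platform default decides, so a report of "OS default" on an older platform should be read as "PCT exposed" unless the platform is one of the two the post lists.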

Now let’s look at Apache2, plus OpenSSL 0.9.x (will there be an OpenSSL 1.0? It’s been 0.9.x since 23-Dec-1998!) because mod_ssl uses OpenSSL:

Remember, these are NOT my figures; these are from a third-party security company, Secunia.

Comments (39)

  1. Kevin says:

    >>I got a ton of email from all over the place about my last blog entry…<<

    All those questions reminded me of the same responses from the J2EE community after the MiddleWare Company published the benchmarks on the Pet Store implementation with J2EE and .NET.

    Good job, Michael!

  2. Phil says:

    Whilst those stats do indeed look bad for Apache, let’s not forget that it’s an open source project with many eyeballs on the code (I’m not saying that there aren’t many MS eyeballs on IIS’s code). I would expect a large proportion of those vulnerabilities to have been discovered by looking through the code rather than by other nefarious means. However, for a third party to discover a vulnerability in IIS they would have to have done it blind – this is often orders of magnitude harder.

    You also don’t specify the type of advisories. For instance, some of the bugs found in certain tools such as openSSH are very subtle and/or only theoretical, are they those sorts of bugs or your common garden buffer overflow?

    This is the problem with statistics: if someone’s not bending the truth with them, they’re not going deep enough and end up comparing apples to oranges.

  3. Phil says:

    quoted here verbatim:

    "Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and is therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important."

  4. John says:

    On the very same page from which you took the graphs, Secunia asks you not to use the statistics for comparison. Is this a new variant of the "Get the facts" campaign?

  5. David Magda says:

    It seems that the Apache team has some work to do in nailing down the 2.0.x series. Given that Netcraft says that Apache has 2/3 of the public web server market [1], do you have any theories as to why the worms [2] that attacked IIS caused so many network issues, while there are few (if any) major worms against Apache?

    While the number of advisories / possible security issues is not necessarily an indication of the security of a product, it does show a number of possible vectors for attack. If there are (theoretically) more vectors against Apache (and it has more ‘market share’), it’s a bit surprising that it doesn’t have many worms.

    P.S. Would it be possible to have a "preview" button for comment posts?

    [1] http://news.netcraft.com/archives/web_server_survey.html

    [2] http://www.viruslibrary.com/virusinfo/InternetInformationServers(IIS)Worms.htm

  6. Linear says:

    In those graphs I can see Apache fixed many more security holes than the MS team, who found none. No wonder, if you compare the number of programmers that can look into both sources. This means the MS team left holes to be found by hackers of the world.

  8. Elliott Back says:

    <i>"On the very same page from which you took the graphs, secunia asks you not to use the statistics for comparison."</i>

    But it’s still interesting to make the comparison. That is just Secunia’s own disclaimer, which has little bearing on the data, or the analysis thereof.

  9. ascii says:

    More security updates in Apache can mean that the Apache code is more insecure and should be avoided. But it could also mean that people are actually looking at the code and finding bugs, whereas the bugs in IIS are left to be exploited at a later date. It is also unknown how many security bugs each IIS update fixes since the public does not have access to the code. The number of security updates is a double-edged sword.

  10. Sven says:

    Nowhere do you show how long it took for Apache F. to fix the issues vs. how long it took Microsoft. I would like to see those figures as well.

  11. Izak says:

    I have used Apache for a long time without any break (a few unsuccessful attacks).

    When my friend from work put a public W2K server with IIS and the latest patches on the internet (same ISP), by morning Windows was completely cracked; the ISP asked to power down this server because a DoS attack was running from this IP address and absolutely froze their Cisco. The W2K server had to be reinstalled (the server is a demo for customers) and had to be covered by a Linux firewall (iptables), with a public port for remote login (graphical Terminal Services) exposed on a specific IP address.

    You have fewer known bugs, but the bugs go a long time without repair.

    Many hackers know more critical bugs, and in the Czech Republic there are many good Windows hackers (I am a Unix/Linux hacker).

    And Microsoft uses OpenSSL too!!!

    It uses libjpeg, zlib and other GNU libs with historic buffer overflows.

    Apache is a good web server and the Apache team repairs security holes very fast.

    When you need a secure web server without many features, only for static web, use BOA; it is a single-threaded web server that handles very big traffic (used in a big portal as the image server in a farm (a few one-CPU servers with load balancing)).

  12. Microsoft uses OpenSSL? Do you have a reference?

  13. John says:

    "But it’s still interesting to make the comparison. "

    It’s as interesting as the statistics from "Get the facts" and Slashdot polls.

  14. Dave says:

    "But it’s still interesting to make the comparison. That is just Secunia’s own disclaimer, which has little bearing on the data, or the analysis thereof."

    Really? So you’ll take Secunia’s word for the statistics, but not for the disclaimer, even though the disclaimer disclaims those very same statistics? It must be nice to be capable of such a selective belief system.

    Unless you mean "interesting to make the comparison" in the sense that it’s interesting that so many people are blindly accepting a comparison that is obviously flawed…

  15. Guy Gervais says:

    There was an interesting comment by David Magda about having fewer worms (none?) attacking Apache, even with many vulnerabilities.

    One factor, I believe, is the heterogeneity of the platforms where Apache runs. Causing a buffer overflow on Apache is certainly possible; but if Apache was compiled with a different compiler, or different optimization or a different make file, using different modules, your buffer overflow might crash it, but making it "just right" to get control is nearly impossible. That’s one advantage of distributing source instead of binaries.

    With IIS, there are maybe 10 versions out there? It becomes possible (long and tedious, maybe, but still possible) to test your exploit code on those versions and tweak it so that it works on most if not all.

    Another mitigating factor is that Apache generally runs as a limited user (at least on Unix-y platforms) and you can’t always get root privilege from exploiting Apache (or it’s a lot more work), and it’ll only work on 2-3% of the installed base because of the heterogeneous setups.

    Exploit IIS (or most other services) on windows, and you generally get the LocalSystem account which has *more* access than Administrator.

    I hope IIS6 has stopped this tradition, but for IIS4 and 5, I distinctly remember they ran under the localsystem account.

  16. Mo says:

    I could be wrong, but I’ve been given to understand that reasonable-sized portions of IIS6 actually run *in-kernel*, whilst running Apache as root (as Guy says) is rare, to say the least.

    To run Apache as root you have to go out of your way to do it – the default configuration drops privileges as soon as sockets are opened, and just about every distribution of any OS which includes Apache sensibly sticks with that.

  17. Dana Epp's ramblings at the Sanctuary says:

    Michael posted an interesting article comparing the defects of IIS6 against those of Apache 2. The results? See for yourself: Michael followed up with a second post, taking care of 4 major comments from people who saw the original post, which included: Perhaps the security work you guys are doing is paying off?! No way can this be true, you work for Microsoft, so how can you be unbiased? What about Apache 1.3.x? Does this include SSL? The first comment makes sense. Since SD3+C has been pushed on campus, we are seeing a lot of positive changes in the attack surface and defect levels of newer products. That’s a good thing. (Go ahead Martha… sue me from jail) The second comment is typical FUD deflection. Secunia is its own company, and is not impacted by or has research enforced by Microsoft. If anything, sometimes their reports are very critical of Microsoft… as they should be. The third comment is interesting. People always want to compare apples to oranges, not giving a fair comparison. They do this at the OS level all the time. Let’s compare the latest of both when doing such analysis. But in case that’s not a good enough reason for you, you can look at the difference, comparing against Apache 1.3x: The final comment was about SSL. I was surprised people would want to open this can of worms with all the recent OpenSSL issues. Michael pointed out some interesting stats on that as well. Quoting his view on this: "Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Comms Technology (PCT). PCT was released just after SSL2 to fix a number of defects in the protocol, these were then fixed in SSL3. PCT also support strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good if you’re running a new Windows Server 2003 box, you’re not vulnerable because the code path is not exposed by default. So it’s a low pri bug. That said, let’s call it three security bugs related to IIS6." Now let’s look at Apache2, plus OpenSSL 0.9.x because mod_ssl uses OpenSSL: Some interesting findings. As an Apache fan I don’t like to admit it, but IIS6 has come a long way….

  18. Michael Howard says:

    >>reasonable-sized portions of IIS6 actually run *in-kernel*,

    In kernel, yes; reasonable-size, no. There’s a very small routing stub called https.sys which routes to the appropriate least-priv worker process, and that’s it. Think tux 🙂

  19. John says:

    Why do you only look at simple bugs considered as vulnerabilities, while some architectural issues are forcing trade-offs to be made? There are bigger issues to tackle than simple vulnerabilities.

  20. Michael Howard says:

    Everyone can voice their opinion! But facts help more than opinion.

  21. John says:

    Everyone can make facts look for their benefit as well. Also, do you really assume that all the bugs found on Windows are made public? And that they are told to Microsoft?

  22. Michael Howard says:

    >>Also, do you really assume that all the bugs found on Windows are made public? And that they are told to Microsoft?

    Ditto the whole industry, including Open Source!

  23. Ted says:

    Hi,

    Seems to be creating a lengthy discussion. 🙂

    How would you think figures would look, if the security bugs fixed silently by Microsoft would actually be published?

    With Open Source it is harder to fix anything without telling something, which is also an element with creating trust.

    -T

  24. Michael Howard says:

    Read this: http://lwn.net/Articles/64400/

    "Here in the free software world, we had no shortage of security problems in 2003. Vulnerabilities were announced in many packages, including <snip> Needless to say, that is far too many – and it does not count all of the problems which were silently fixed without going though a security alert process. As a community, we have to strive to do better in 2004."

  25. Ted says:

    That is acknowledging that silent fixes happen, but do not tell if they have been actually security problems.

    MS hasn’t done that, MS has fixed security problems silently.

  26. Michael Howard says:

    You bet the open source folks fix security bugs silently! Read the article:

    "it does not count all of the problems which were silently fixed without going though a security alert process"

    What kinds of bugs are "fixed without going though a security alert process"??

    Security bugs!

  27. Ted says:

    Or the bugs are not exploitable and thus not considered to be worthy to go through security alert process?

    Also, a more important point than you constantly not answering the question:

    Why are you trying to point the finger in another direction and not replying to the original point by actually answering it – has MS fixed exploitable bugs silently which are not told in the advisories? Yes/No?

    Also, Open Source is not just Linux and being a zealot. I am not a Linux user 🙂

  28. By definition, a security bug is exploitable.

    AFAIK, that’s the difference between a security bug and another run-of-the-mill bug – the security bug is a bug that can be exploited to cause security holes.

    Now we can discuss how easy it is to exploit the bug, or whether or not the bug results in a significant vulnerability, but IMHO, if it’s not exploitable, it’s not a security bug.

  29. Michael Howard says:

    re: the question of fixing security bugs outside of security bulletins. Yes, security fixes are also provided in service packs. Usually, all the security updates that were released with a bulletin for a product up until that point are included in the next service pack for that product. We also include any other security fixes that required the significant level of testing that a service pack offers, or had minimal impact to the system.