Follow-up on IIS6 and Apache Security

Man, I got a ton of email from all over the place about my last blog entry, and it seemed to fall into four groups:

  1. Perhaps the security work you guys are doing is paying off?!
  2. No way can this be true, you work for Microsoft, so how can you be unbiased?
  3. What about Apache 1.3.x?
  4. Does this include SSL?

Let me answer each in turn.

  1. Yes, I think so, we’re seeing the same trend across other Microsoft products too – but more on that another day.
  2. These are not Microsoft figures; they are maintained by an independent company, Secunia, who track numerous companies.
  3. This needs a section by itself, see below.
  4. This one was interesting, so what about SSL? This needs a whole section by itself too.

First, item (3) Apache 1.3.x.

I wasn’t interested in looking at 1.3 because 2.0 has been out for some time now (https://www.apacheweek.com/features/ap2), but some think I should, so here are the IIS6 and Apache 1.3.x stats, side by side:

[image: IIS6 and Apache 1.3.x figures, side by side]

While we're at it, here are the IIS5 figures in the same time period:

[image: IIS5 figures for the same time period]

Now that’s out of the way, let’s look at item (4) the SSL story.

Microsoft issued a security update, MS04-011 (https://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Communications Technology (PCT). PCT was released just after SSL2 to fix a number of defects in that protocol; those defects were then fixed in SSL3. PCT also supports strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good that if you’re running a new Windows Server 2003 box, you’re not vulnerable, because the code path is not exposed by default. So it’s a low-priority bug. That said, let’s call it three security bugs related to IIS6.
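Since the whole argument above rests on whether the PCT code path is exposed, here is a way to check that on a given box. This is an added example, not code from the original post or from Microsoft: it reads the Schannel protocol keys under the registry path that Microsoft documents for enabling and disabling individual protocols, reports whether the PCT 1.0 server side is explicitly configured, and can pin it off. The key path and the `Enabled` value name are taken from that documentation; the `Get-PctServerState` function name and the `-Disable` switch are my own.

```powershell
# Added example (not from the original post): report, and optionally disable,
# the PCT 1.0 server-side protocol in Schannel via the registry.
# Assumption: the key layout follows the documented Schannel protocol keys
# (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<name>\Server).
# Run in an elevated PowerShell session; Schannel reads these keys at boot,
# so a reboot is needed for a change to take effect.

param(
    [switch]$Disable   # when set, write Enabled=0 under "PCT 1.0\Server"
)

$pctServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server'

function Get-PctServerState {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured'.
    # 'NotConfigured' means there is no explicit key, so the platform default applies
    # (off on Windows Server 2003 and XP SP2, on elsewhere, per MS04-011).
    if (-not (Test-Path $pctServerKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $pctServerKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.Enabled) { return 'NotConfigured' }
    if ($item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$state = Get-PctServerState
Write-Host "PCT 1.0 server protocol: $state"

if ($state -eq 'NotConfigured') {
    Write-Host 'No explicit setting; the platform default applies.'
}

if ($Disable -and $state -ne 'Disabled') {
    # Create the key path if it does not exist, then pin Enabled to 0.
    New-Item -Path $pctServerKey -Force | Out-Null
    New-ItemProperty -Path $pctServerKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Host 'PCT 1.0 server protocol disabled in the registry; reboot for Schannel to pick up the change.'
}
```

Run it with no arguments to see the current state; add `-Disable` to write the explicit off setting. On a platform where PCT is already off by default the script will report `NotConfigured`, which is exactly the "code path not exposed" case the text describes; writing `Enabled=0` anyway makes that state explicit and survives a later change of defaults.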

Now let’s look at Apache2, plus OpenSSL 0.9.x (will there be an OpenSSL 1.0? It's been 0.9.x since 23-Dec-1998!) because mod_ssl uses OpenSSL:

Remember, these are NOT my figures; they are from a third-party security company, Secunia.