InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Community //  Opinions //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Is it secure? I mean IIS

LAST WEEK I wrote about the latest security weakness found in the new Windows XP operating system. (See "Plug-and-prey fiasco," Jan. 14.) XP is selling in retail channels at a rate that's about one-third less than Windows 98 did at this stage, according to Port Washington, N.Y.-based market-research company NPDTechworld (www.idg.net/crd_idgsearch_781514.html). But thanks to preinstallation on new PCs, about 7 million to 10 million copies of XP (and growing) are now running. That's an awful lot of machines that may become "zombies" in future DoS (denial of service) attacks due to XP's security hole.

In a related development, security expert Steve Gibson recently released a small utility called ID Serve. It allows Web surfers to easily see whether an e-commerce site that's asking for their credit card number is or is not running Microsoft's IIS (Internet Information Server) software.

Last year's worm wars gave Microsoft's Web server product such a bad name among IT professionals that many of them joked that IIS stands for "It Isn't Secure." The Code Red and Nimda worms affected hundreds of thousands of IIS machines at the height of their exploits, and thousands of hacker backdoors remain in place even today.

Server software figures from Netcraft, a research group in Bath, England, reveal serious cracks. "One in 10 of the [IIS] e-commerce and encrypted transactions sites tested by us had backdoors in place to allow external attackers to monitor the systems, or have commands executed on the machines," Netcraft said in November (www.netcraft.com/Survey/index-200110.html). That's after many, many servers had been patched, but by no means all.

Besides reassuring cautious credit card users, ID Serve also allows users to determine the domain name associated with a given IP address. This can help you identify intruders your firewall may have detected. ID Serve and Gibson's descriptions of various IIS problems can be found at www.grc.com/id/idserve.htm.

It's not as if it's impossible to make software that's more secure. Wim Vandeputte, CTO of Custodix.com, a provider of trusted services, notes that the OpenBSD operating system he uses "hasn't suffered from a remote hole in the default install in over four years." In a similar vein, Gibson says, "The last serious remote-code execution vulnerability to hit the Apache Web server was back in 1997. But IIS has them monthly." Knowing that you may need to patch a product next month and again the month after doesn't make you feel as secure as using a product that's well-tested. Partially as a result, Apache server software enjoys twice IIS's market share in Netcraft's latest survey.

Microsoft has some of the world's best developers, but it still pushes some half-baked products.




RELATED SUBJECTS

Security
Operating Systems

MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Community //  Opinions //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Learn to secure your PCs from new and unknown hacker attacks.
Click here to receive a FREE Success Kit from Oracle.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.
Protect Your Data: Get your FREE Enterprise Backup Intelligence Kit from ADIC.
New HP digital projectors — click now for limited-time introductory offers.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine
Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2002 InfoWorld Media Group, Inc.