
Researchers: IIS problems may not be Microsoft's fault

Google found IIS servers more likely to spew malware than those running Apache

June 6, 2007 12:00 PM ET

Computerworld - Independent security researchers agreed that Google Inc. was on the right track yesterday when it claimed that sites running Microsoft Corp.'s Web server are twice as likely to host hacker code as sites that rely on servers operating open-source software.

But they caution against jumping to conclusions.

"The vulnerability of the Web server [software] isn't the whole picture," said Zulfikar Ramzan, a senior principal researcher at Symantec Corp.'s security response group. "The administrator might not have configured it properly, or a third-party package on the server could have been compromised."

According to Google's survey of 70,000 domains actively distributing malware or hosting browser exploits aiming for drive-by attacks, servers using Microsoft's Internet Information Services (IIS) 5.0 or IIS 6.0 software were more than twice as likely to spew malicious code as servers running open-source Apache. Within the IIS results, 80% of the malware-hosting servers were running the most current version of the software, IIS 6.0.

But because IIS 6.0's security reputation is actually very good -- Danish bug tracker Secunia APS lists just three vulnerabilities since the software's 2003 release, all of which have been patched -- researchers have reached for causes to explain Google's data.

"There are all kinds of different things that could skew the results toward IIS," said Ramzan, who then ticked off everything from administrator error and administrator maliciousness to geographic location and the operating system atop which the software runs. Ramzan also mentioned, as did Google researcher Nagendra Modadugu, that IIS looked to be the server software of choice for attackers based in Asia, especially China. "One speculation is that some of these [IIS] licenses are not legitimate, and so the server's unpatched," Ramzan said.

Microsoft blocks pirated copies of Windows Server 2003 -- atop which IIS runs -- from receiving some security updates and patches, which could leave them vulnerable to attack.

Even more likely, Ramzan said, is that servers are being compromised through other applications -- including applications from vendors other than Microsoft -- and that malicious code is then added to the system and the Web sites it operates. "I don't think it's due to the specific vulnerabilities in IIS."

Another researcher offered different answers for IIS's malicious code problem. "It may simply be that the overall platform exploitability on Windows is still higher than platforms that are typically being used to run Apache," said Minoo Hamilton, a senior security researcher at nCircle Network Security Inc. Most servers running the Apache HTTP Server rely on Unix as their operating system. "If you can get a remote exploit in some other service on the Web server platform, you can install or host your malware," Hamilton said.


