Catch Up Patch Up

Week of September 25, 2001

If you want to make the stone wet you have to spit on it many times.
 - Old Swedish Proverb

In a 'first take' published 19 September 2001, Gartner's John Pescatore again came down hard on the inept Microsoft IIS web server software.

To protect against Nimda, Microsoft recommends installing numerous patches and service packs on virtually every PC and server running IE, IIS Web servers or the Outlook Express e-mail client.

Using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out - almost weekly.

Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache.

Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS.

CNET's Report

The CNET report on the Gartner first take included comments from others in the field.

'Code Red was less about the vulnerability of IIS - as all software has bugs - but more about system administrators ignoring the warnings that came well in advance of Code Red,' says Graham Cluley, senior technology consultant at security firm Sophos (<-- Greek for 'smart' ).

'Microsoft is targeted as it is so popular, rather than the system being the least secure,' Cluley goes on to say. 'There are few viruses for the Macintosh in comparison to the PC, as the hacker will be going for the most popular platform.'

'Gartner's recommendations ignore the fact that security is an industry-wide challenge, and serious vulnerabilities have been found in all server products and platforms,' said Jim Desler, a Microsoft executive. 'IIS is as secure as our competitors' products, and what differentiates Microsoft is our industry-leading response process,' he said.

Cluley Get A Clue

Ok, that's the premise. We can of course immediately dismiss the blather from Microsoft representative Desler as just that - blather - and nothing more. It's propaganda, it's marketing, but it's not high on truth.

And even Cluley's comments are totally 'cluless'. Code Red was not about sysadmins ignoring warnings. True, these sysadmins are as lame as Microsoft is - they all work so wonderfully together as everyone has seen - but Code Red was about the fact, as Gartner points out, that even if you do not ignore the warnings, yea even if you verily specifically heed every last one, you will be left with no time to do your day job. There are tons of advisories to read and tons of fixes and patches to apply and install all the time - and new ones every frikkin week.

And Cluless Cluley is again misleading in claiming IIS is targeted because it is so popular. For IIS is not popular - it just gets the headlines because it's so pathetic and causes such tiresome disruptions of an otherwise smooth running Internet. Perhaps Cluless Cluley should pop on by Netcraft and see just what web server software is in fact running the Internet and with what percentage margins.

Apache - and not IIS - runs the Internet and always has. Apache runs on over sixty percent of the Internet's web servers. Apache is bullet-proof. Apache is free. Ceteris paribus, if hackers want to maximize destruction they should choose Apache to attack, but they do not - they choose IIS, and the reason is way beyond obvious, and all the well paid blathermasters will never be able to change this fact. Ask any hacker you run into why Microsoft is always the target: 'It's like frikkin obvious man!'

Gartner's summary of the status of IIS is spot on - in fact it is even benevolent, for Gartner hold out a note of optimism for Microsoft's ability to someday somehow get their act together, a note which several US government agencies and at least one web site called radsoft.net cannot share.