dive into mark


Monday, March 17, 2003

Apache security vulnerabilities

In an otherwise unremarkable Slashdot article on the latest IIS security vulnerability, which was used to gain complete control over an Army web server, I stumbled across these links:

That’s a total of 25 security vulnerabilities in 5 years for a program that is, at this very moment, serving 11 million active sites. Many of the vulnerabilities were platform-specific, and some were no more serious than exposing the full pathname of a script under certain non-remotely-controllable conditions. There are no outstanding unfixed vulnerabilities, there have been no new vulnerabilities discovered in almost two months, and you can tell by glancing at a single version number that your copy of Apache is up to date.
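The "glance at a single version number" check, as an added example that is not part of the original post: it parses the version out of an `httpd -v` line or a `Server:` response header and compares it against the lowest release on the same branch that you consider fully patched. The sample banners and the threshold versions are constructed for this snippet (the real numbers come from the Apache announcements for the date you are checking). The caveat a practitioner needs is built in: a vendor package that backports fixes keeps the old version string, so "outdated" here means "verify against the vendor changelog", not "exploitable", and a server with `ServerTokens Prod` hides the number altogether.

```python
import re

# Constructed sample banners in the shapes produced by "httpd -v" and by
# the Server: response header. Examples for this snippet only.
SAMPLE_BANNERS = [
    "Server version: Apache/1.3.27 (Unix)",
    "Server: Apache/2.0.44 (Unix) mod_ssl/2.0.44",
    "Server: Apache/1.3.26 (Unix) Debian GNU/Linux",   # vendor package, may be backported
    "Server: Apache",                                   # ServerTokens Prod hides the version
    "Server: nginx/0.5.0",                              # not Apache at all
]

# Assumed thresholds: the lowest release on each branch treated as patched.
# Placeholder values; replace them with the current fix releases.
MINIMUM_BY_BRANCH = {
    (1, 3): (1, 3, 27),
    (2, 0): (2, 0, 44),
}

_VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner):
    """Return (major, minor, patch) from an Apache banner, or None when the
    banner is not Apache's or the version has been suppressed."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def check_banner(banner, minimum_by_branch=MINIMUM_BY_BRANCH):
    """Classify a banner as 'current', 'outdated', 'unknown-branch' or 'unknown'.

    Each branch is compared against its own fix release: a 1.3.x server is
    not behind merely because 2.0.x exists.
    """
    version = parse_apache_version(banner)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch not in minimum_by_branch:
        return "unknown-branch"
    # Tuple comparison orders (1, 3, 26) before (1, 3, 27) as intended.
    return "current" if version >= minimum_by_branch[branch] else "outdated"


def audit(banners, minimum_by_branch=MINIMUM_BY_BRANCH):
    """Return a list of (banner, status) pairs for a batch of banners."""
    return [(b, check_banner(b, minimum_by_branch)) for b in banners]


if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS):
        print(f"{status:14s} {banner}")
```

An "outdated" result on a banner that carries a vendor tag (the Debian line above) is exactly the case where the number alone is not enough; the "unknown" result shows that hiding the banner is not a fix either, it only removes your ability to check from the outside.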


23 comments

  1. Outrageous, isn’t it? You’d think programmers entrusted with 11 million sites would be a little more careful.

    (Note: The “C is for Cookie” thing overlaps with the name and home page fields in Safari, making the buttons impossible to click.)

    Comment by Aaron Swartz — Monday, March 17, 2003 @ 11:53 pm

  2. unless you use a vendor-supplied apache httpd package, in which case the vendor may have chosen to just add patches to fix security holes without upgrading to later version. (and then there’s the software you may add to apache httpd, like php or mod_ssl or that cool forum application, etc.)

    keeping on top of security vulnerabilities can be exhausting business, no matter what platform you choose.

    Comment by jim winstead — Monday, March 17, 2003 @ 11:55 pm

  3. Aaron: Safari users can blow me. (Oops, did I say that out loud? What I meant to say is that Safari is beta software, and Dave Hyatt and others are working very hard and making great strides in achieving standards compliance, especially in the realm of CSS rendering, and we appreciate all their hard work, and we’re confident that the next version will fix the problem. And until then, Safari users can blow me.)

    Jim: yeah, I know I’m oversimplifying, but IIS has “associated” software too (Index Server, third-party ISAPI extensions, etc). I’d love to see a comparable list of core IIS vulnerabilities, and the severity of each.

    Comment by Mark — Tuesday, March 18, 2003 @ 12:14 am

  4. “Safari is beta software, and Dave Hyatt and others are working very hard and making great strides in achieving standards compliance, especially in the realm of CSS rendering”

    Having yet to test-drive Safari myself, I was just wondering how far along it actually is at this point? Is it possible to compare its CSS ability to, for example, IE4? IE5? Obviously direct comparisons can’t be drawn as Safari already supports some CSS3 selectors (or so I’m told), but overall, given where it’s at and where it has to get, do you feel it’s actually possible for them to crank out something at least as good as IE 6 (if not Mozilla) by 1.0?

    Comment by Tdot — Tuesday, March 18, 2003 @ 12:29 am

  5. http://www.macedition.com/cb/resources/macbrowsercsssupport.html

    Comment by Mark — Tuesday, March 18, 2003 @ 12:44 am

  6. More on Safari standards compliance:

    http://www.mozillazine.org/weblogs/hyatt/archives/2003_02.html#002553

    Comment by Mark — Tuesday, March 18, 2003 @ 12:46 am

  7. BTW, I see a problem in Mozilla as well (Version 1.0.1). The text in the ‘Name’ and ‘Home page’ fields is shifted down, so only the top 50% is visible, and the label text on the buttons is shifted down too, so they’re flush with the bottom of the button.

    Comment by Michael Bernstein — Tuesday, March 18, 2003 @ 12:53 am

    From that MSNBC article:
    > Lipner said about 100 employees worked “around the
    > clock” last week, and through the weekend, to
    > develop an emergency fix.
    100 people to fix one bug? Isn’t that a bit frightening?

    Comment by Jan! — Tuesday, March 18, 2003 @ 6:34 am

  9. In regards to Comment 8, don’t be silly! Can’t you tell that 100+ people working over the weekend to fix a bug means — we take security seriously.

    Comment by Jake — Tuesday, March 18, 2003 @ 12:36 pm

  10. Those statistics are a bit misleading, aren’t they?
    Do a search for apache at the CERT and you might find a few more.

    Comment by Ben — Tuesday, March 18, 2003 @ 12:38 pm

  11. No, I don’t think so. I searched CERT (vulnerabilities database only) for “+apache -oracle +title:CERT” to try to weed out most of the crap (responses from individual vendors, stuff that only affects Oracle’s derivative) and came up with 30, of which the first is about JRun and the third is about Tomcat. If you have better searching strategies, I’d love to hear them.

    Comment by Mark — Tuesday, March 18, 2003 @ 1:18 pm

  12. This is comparing apples to oranges. A better comparison would be IIS vs. Apache + Tomcat or Apache + Tomcat + Slide (since it was a WebDAV vulnerability.)

    Comment by Anonymous — Tuesday, March 18, 2003 @ 4:00 pm

  13. > Can’t you tell that 100+ people working over the
    > weekend to fix a bug means — we take security
    > seriously.
    To me, that looks like more of a panic reaction. (Lemmings, anyone?)

    What do you mean by “we”, anyway? Are you part of the IIS programming team?

    (And for the record: I am absolutely *not* an anti-Microsoft zealot — those people scare me. Sort of like the idea of 100 programmers fixing 1 bug scares me. ;-)

    Comment by Anonymous — Tuesday, March 18, 2003 @ 5:15 pm

  14. Actually, it’s hard to know exactly what to compare. I would be inclined to compare “that which is installed and enabled by default”. I get the impression from reading the News.com article and the Microsoft security bulletin that WebDAV is installed and enabled by default. (Someone please correct me if I’m wrong here.)

    Comment by Mark — Tuesday, March 18, 2003 @ 6:04 pm

  15. >In the computer security world, such secret
    >vulnerabilities are called “zero-day exploits.” It’s
    >been at least a year since a significant zero-day exploit
    >was revealed, said Chris Rouland, director of Internet
    >Security Systems’ X-Force research team.

    (ponder that statement for a moment…)

    On the “C is for Cookie” subject, Mark, is that by chance a reference to the “ABCs of Anarchism” by Negativeland and Chumbawumba where they sample the Cookie Monster (of Sesame St. fame) singing “C is for Cookie, that’s good enough for me…” (in reference to copyright, natch)? Because that’s what I found running through my head after seeing it.

    Back to the zero-day issue, could somebody send Chris Rouland The Memo or something? Because he clearly didn’t get the memo.

    Comment by phyxeld — Tuesday, March 18, 2003 @ 6:36 pm

  16. I would be inclined to compare “that which is installed and enabled by default”.

    It’s ridiculous that Microsoft turns on IIS by default - with or without WebDAV enabled (which *is* on by default) so from that perspective I’ll agree.

    Comment by Anonymous — Tuesday, March 18, 2003 @ 6:47 pm

  17. “A better comparison would be IIS vs. Apache + Tomcat or Apache + Tomcat + Slide (since it was an WebDAV vulnerability.)”
    How do you figure? Apache2 has WebDAV enabled, and IIS sure as hell isn’t equivalent to Apache and Tomcat.

    Comment by Thom May — Wednesday, March 19, 2003 @ 7:21 am

  18. > A 100 people to fix one bug? Isn’t that a bit frightening?

    Testing on the hundreds of thousands of different software and hardware combinations?

    > and IIS sure as hell isn’t equivalent to apache and tomcat.

    I’d say it is. IIS is pretty much an app server in its (braindead) default config. You’ve got your ASP, your ISAPI modules, your links to COM+, plus a lot more if you install the .NET Framework.

    WS 2003 rectifies this, shipping IIS in a much more secure default state, and not installing it by default.

    Comment by Anonymous — Wednesday, March 19, 2003 @ 8:29 am

  19. I’m sure I’ll get slammed for this, and let me say first that I have no problem believing that Apache is more secure than IIS, but…

    I agree with anonymous. Except I’ll sign my name. This *is* like comparing apples to oranges.

    Comment by Gina — Wednesday, March 19, 2003 @ 11:00 am

  20. I would say it is more like comparing a popular web server with a very popular web server. Or if you want to use the fruit metaphor, a Red Delicious apple and a Granny Smith apple. Both serve the same function but in different ways. One is designed and built with security as the most important thing, while the other seems to make ease of use more important. A competent sys admin could make either one as secure as possible. But with what seems like everyone with broadband running their own server “right out of the box”, and companies cutting costs and making network admins, web developers and whoever else also double as sys admins, I would rather see a default Apache put in place than a default IIS. But hey, that’s just my opinion.

    Comment by Randy — Wednesday, March 19, 2003 @ 3:27 pm

  21. Aaron,

    Mark hasn’t directly said so one way or the other, but I believe he was implying that the Apache group has done a very good job with security.

    They are fast to fix bugs, and the bugs they have are few and far between.

    Contrast that with Microsoft’s products, which seem to have more bugs than lines of code, some of which have been serious enough to bring the entire Internet to its knees.

    Comment by Adam — Wednesday, March 19, 2003 @ 7:10 pm

  22. Trackback by LibraryPlanet.com
  23. Why is this even the subject of discussion?

    If you care about security and performance, you are running Apache.

    If you are more interested in GUI configurability, you are running IIS.

    With its history of bringing the internet to its knees on multiple occasion, not even the Gartner Group recommends IIS for serious work (they make no recommendations about non-serious work).

    Comment by Jacques Distler — Thursday, March 20, 2003 @ 1:29 pm

© 2001-8 Mark Pilgrim