
Microsoft to blame for Malware hell?


According to an article over at Windows IT Pro, Web servers running Microsoft’s Internet Information Services (IIS) are more than twice as likely to infect vulnerable users with malware as those running the open source Apache server. The survey has, of course, been questioned, as it was performed by one of Microsoft’s most competent rivals, Google.

Nagendra Modadugu, a member of Google’s anti-malware team, explained that in a survey of around 70,000 domains known to be distributing malware, 49% were hosted by IIS servers compared to 23% hosted by Apache. This is despite Apache having a 20% market lead over Microsoft, with 53% of market share compared to 31% held by Microsoft (it’s interesting to note that between March and September 2006 Apache lost a large amount of this market share to Microsoft).

So why are so many Windows servers distributing malware? Google reports that many IIS installs are on unlicensed/pirated copies of Windows Server, which are unlikely to be kept up to date with the latest security patches: "Our analysis demonstrates how important it is to keep Web servers patched to the latest patch level." Many are sceptical as to whether Google's survey gives a true representation of the facts. Paul Thurrott notes: "I find it interesting that Google used this survey to promote Apache over an Internet product made by its chief competitor."

A Microsoft spokesperson said, "It is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation… the administrator's intended use could be to intentionally distribute malware."

54 comments
support

Saying Microsoft is to blame for malware because it builds servers is like saying the airlines are to blame for 9/11 because they built the planes.

jackie40d

The stuff loaded into your computer made by MS called an OS is kinda loosely put together and has enough holes in it to look like a spaghetti strainer and then you wonder why people make these ads to push junk onto your computer through the holes in the OS . . Just because they want your info to sell to whomever. You would not drive a car with the door off would you ? It's what people get when they buy MS OS's so people have this habit of clicking on dumb links. I know of some of them who do that and why they do not have more wrong is only because I put a good firewall, antivirus and anti-spyware programs on their computers . .

Neon Samurai

To be technically correct in your example; it would be like blaming the airplane manufacturers (Boeing for example) not the airlines. This is based on the idea that Microsoft is the airplane manufacturer rather than flight service provider. Though, I'd say it's more like blaming the airplane manufacturer (examples: Boeing, McDonnell Douglas) for selling a plane that hadn't been fully flight-tested. The rivets stick out causing drag. The empennage bolts are loose leading to loss of rudder or elevator in some cases. The bolts that hold the wings on the frame tend to loosen under heavy load. Oh, and it has to be landed and restarted every four hours or so else the flight controls lock up on the pilot. (It's fun starting airplane analogies with pilots, huh?) Blaming the airline is more like blaming your Sys Admin for the OS needing patches. You're right, the Admin doesn't deserve blame for what was clearly the poor manufacturing quality back at the airplane factory. Anecdotes aside; MS develops an OS where until recently, security was but a distant last priority. We'll see if anything has changed with Vista; it may prove to have more security consideration under the hood at the expense of its other issues. Consider this; would Malware be a household name today if MS product was hardened better?

jackie40d

If it was not so many holes in the OS the Malware makers would not have had a chance . . so it's back to MS with the holes and patches for holes and fixes for other patches, an endless procession of fixes till God comes home. Me, I will go with Linux with some add-ins like Code Weavers and run Windows inside VMware-server, piss on ever being the one to run it outside of Linux again . . NOT ME ! I went to the other side, LINUX forever . .

Neon Samurai

I'm guessing you got the server registered and running. It was one of those new bits of software that completely changes how I interact with the machine. I was pretty sure you'd find uses for it. (hm.. single notebook with a VM for each Linux distro you support through the store front?)

NiGHtHawK604

If Micro$oft can post crap and lies about Linux, then why should someone from Google be questioned? As a search engine, Google has never compromised themselves by adding annoying banner ads. Some of the banner companies get compromised and end up giving unsuspecting users an array of trojans and worms. For a capitalist country as the USA, where money is #1, Google has set a high standard on how a business should be run. Truth hurts, doesn't it M$!!!

jackie40d

Like this site, there is so much advertisement it's not funny . . But I guess it's how they keep it free. They even advertise MS stuff here . . :-)

Neon Samurai

From what I understand, they would only be providing the screen space. They go to a marketing company and say; "want to buy four inch by four inch square on every page our viewers see?" It's actually the marketing company that pulls the ad image or flash from their own media database through a seemingly random function (advert company more accurately?). I think that's probably how it is anyhow. That's basically how the banner ad code I wrote years ago worked. Bah, if only I'd realized what I wrote for my employer and started a banner ad company before websites really got cluttered.

jackie40d

You're NOT the only one hehehe ( evil Laugh here ) WOW would I fix a few things . . Like telling a person what the day time programmer could do with his . . . And it was the person I was talking to . . DAH ! Oh well it was a Good job for a while . . :-) ! :-)

jackie40d

Then you could open one and have made a ga-zillion dollars . . See and be rich and all that stuff get driven around by the company you own plus have your own Jet . . ;-) NEXT DREAM :-) !

CharlieSpencer

Malware developers are to blame for malware. The developer, author, cracker, script kiddie, whatever. Not the user, not Microsoft, not the ISPs. It's not a crime to leave a window unlocked; it is a crime to crawl in without permission.

Neon Samurai

Trust me, I truly wish the average user took more interest in their computer but they don't. Techie types do and understand implications to a further extent but average users see the machine like a car, bike, toaster or any other pointy-clicky kind of thing. Knowingly leaving holes in an OS is more akin to leaving a window open then having an infant crawl or adult leaning on the edge fall through it while you're standing there watching. The criminal responsibility is absolutely with the degenerate sub-human that wrote the kiddie tool or exploited it with malicious intentions. If it were easy to track down such people and break their fingers beyond the ability to write code (or maybe something legally justifiable perhaps) it would have been done already. Since the vagrants who cause our grief are often legally untouchable we have to also look to who provides the bugs that get exploited, so: The negligent responsibility is with the OS or buggy software developer who (and this is the distinction) knowingly puts less than a token nod towards code hardening. In this case though, as with drivers, one has to hold the correct party responsible; MS is not responsible for flaws in Firefox, Mozilla is not responsible for flaws in your network driver, your NIC vendor is not responsible for flaws in Windows outside of their driver module. That's my view of the topic anyhow. I'd love the hacker community loosed on malware but vigilantism rarely works like in the movies. I'd love to see local police loosed on malware but there will always be someone willing to take advantage of another person for financial gain. I've as much an idea about how to solve the problem as the next person; I can only educate those who are interested in learning a little, gripe about the current state of affairs and get on with my own hobby work.

Ian Thurston

I agree, the malware developers are guilty and should be skinned, rubbed in salt, and forced to listen to Celine Dion for weeks (I say this as a Canadian, and apologize to music lovers everywhere.) But first and foremost, let's slap up alongside the head all the users who click through on the spam, open the attachments, and so on and so on and so on. Until they stop doing it, the black hats will continue to make money off our backs.

TG2

It's a rule a previous manager would explain when anyone would ask why the lock on the petty cash box was so small (think a diary lock from the 70's, not a padlock or master key lock pre-baggage handling laws) So too, this applies to microsoft.. where did they put the lock for the registry? Even now, it is only with 3rd party tools, that we can have at least *some* inkling of when an application goes to write into the registry, rather than keeping all their stuff separated, and unable to be written to any area of the computer that isn't allocated as "temp only". Putting anything inside the registry that becomes dynamically accessed and re-written was what allowed the malware to go places where most humans don't belong. And it was simple enough that microsoft could have stopped auto starting items by requiring the user to acknowledge and understand what editing the registry could do, if done by something they had no clue about.. And even in vista .. they finally applied *some* form of this concept... but when executed, they didn't choose the path that would make most people appreciative ... oh no.. microsoft halts everything until a user land interaction ... how smart was that? Should my word processor be held up, if the modification is coming from a web app? Tagged applications never seemed to enter into this? Oh what is running? Don't know... something called "winword" .. is it registered with any privileges? Is there anything that says, this program should not need to write to the registry after install? Is there anything that says "program X is not allowed to perform ABC functions with D e and F files?" No, and microsoft made a consolidated store, where everything is on the shelves, and everything is free to access, so long as you easily violate permissions.. oh.. but there I've said it.. "violated permissions" ... microsoft says X wasn't allowed .... if that were true, then why did it happen anyway?
because microsoft didn't build in the lock, didn't make it even the slightest bit harder for an outsider to come in, see the box, and have them smash and grab, or even in secrecy have an employee slyly tip through the till ... for there was no lock pre vista, and even in vista, their lock proves nothing but stupidity expands... the "action must come from keyboard/mouse interaction" .... but oh yes...voice commands can be allowed, and microsoft forgot that what the speakers can play, the microphone might hear.. Way to go microsoft.. next time why not just give them the scalpel so that when they gut us, at least the cuts will be fast, less painful, and smooth edged...

apotheon

The perpetrator is to blame, not the victim (or, in this case, the clothing designer -- going with the "she was askin' fer it" idea that using MS IIS is asking for trouble). Just as one doesn't blame a tube top manufacturer for failing to include a chastity belt with the thing when someone wearing it gets raped, one doesn't blame IIS for malware. Wow, that was a convoluted and stretched analogy. I think it makes sense, though.

schimeck

I think you're really reaching with your analogy comparing rapists to malware creators. I'm sure that everyone will agree that the ultimate responsibility for malware rests with the %$#@#$%s who create and distribute the code, but this ignores the issue of responsibility on the part of software vendors who release products into a dangerous world knowing that there are creeps out there who are more than willing to take advantage of security flaws. While virtually any study should be taken with a huge grain of salt, one does have to wonder why, for once, a Microsoft product is not the market leader (in numbers installed), yet is still afflicted with more security issues than other products. A little voice keeps telling me that Microsoft is falling victim to its own strategy of selling sizzle rather than steak! Their products are almost always easier to install and easier to use than the competition's and it may be this very fact that also makes them more vulnerable. This approach to product development may result in developers being more focussed on piling on features and "gold-plating" an application's pretty face rather than spending their time and energy on more mundane and invisible tasks such as making the application relatively bullet-proof. If you like analogies, how about this one - IIS is similar to a car manufacturer who makes a beautiful, high-performance car equipped with a push-button to start the engine and no locks on the doors. While one could still rightfully blame the car thief, or even the stupidity of the customer for buying the car, I think it is fairly clear that at least some of the blame lies with the manufacturer.

jackie40d

I ran circles around people who had Windows in their machines . . I think it was the OS as it took a lot less memory to do anything, jee what did I have back then, think it was a 486 maybe and I had it packed with memory as I knew even back then the more memory it had the better it ran . . And as secure it was what was used for Banks OS systems way back when . . It was only after banks went to MS that a lot of banks got hacked . . Why wouldn't a bank go back to an OS which did not get hacked ? . . Was there someone paying them to use MS ? Maybe the bank robbers hummmmmm ?

schimeck

It's funny how people who used OS/2 to any great extent can't help but compare what it could do (at a fairly early stage in its development) to what Windows can do today. I still know support techs who run OS/2 because it can still run a larger protocol stack than Windows! I had a 32-Meg PC running DB2 and all my productivity apps and it performed better than XP with 512 Megs. Go figure! To bring things back to the topic at hand, many of the people who defend Windows religiously simply don't seem aware of the history of computing and don't have the context within which to judge the quality of the code they're running. For example, why is it necessary to repair "broken" shortcuts? OS/2, being an object-oriented OS, "knew" the location of a file if you moved it. This is something Windows still can't do today. As far as I'm concerned, that's unforgivable. Having the translucent bells and whistles of Vista doesn't make up for the poor underlying plumbing. The only virus I ever encountered on OS/2 was a bug which was intended for a Windows box and it was immediately detected and wiped out by my anti-virus software. I'm not saying that OS/2 was inherently more secure, but it sure seemed that way.

jackie40d

You must be almost as old as I am ( older than dirt ) ;-) was here before God was ! Ran stuff from so long ago jeez People like RICKK will never know as much . . I was always wondering what OS/2 would be like today . . Bet it would have run circles around Windows . . I had voice command long before Windows thought of it, in Warp 4, I think could type and move from screen to screen ( had to be away from a fan or you got rrrrrrrr between words )

schimeck

I'm an old OS/2 user myself - in fact, I was a beta tester for Version 2.0. OS/2 is probably the finest example of great technology losing out to better marketing. Vista still can't do some of the things OS/2 could do ten years ago. Unfortunately, we'll never know whether it was more resistant to malware than Windows is, though it doesn't seem too hard to beat MS' record. I will say one thing for IBM - their vast experience in providing security for mainframe systems has always made them much more aware of the need to build stable, secure systems than Microsoft is. I've always been of the opinion that things scale down much more easily than they scale up. For example DB2 runs on everything from mainframes to PDAs, while dBase never ran on anything bigger than a PC. Similarly, Microsoft is finding out that an approach to application development which works well for an individual PC environment doesn't scale up to enterprise data centres very easily, and that is the biggest challenge they're facing when it comes to security and robustness.

apotheon

"I'm sure that everyone will agree that the ultimate responsibility for malware rests with the %$#@#$%s who create and distribute the code, but this ignores the issue of responsibility on the part of software vendors who release products into a dangerous world knowing that there are creeps out there who are more than willing to take advantage of security flaws." The blame for malware rests with the people who create, use, and distribute malware. Microsoft's blame is the point where it pretends its software is secure, while doing everything in its power to hide vulnerabilities from customers rather than fix them to provide actual security. Not the same thing, though. "If you like analogies, how about this one - IIS is similar to a car manufacturer who makes a beautiful, high-performance car equipped with a push-button to start the engine and no locks on the doors. While one could still rightfully blame the car thief, or even the stupidity of the customer for buying the car, I think it is fairly clear that at least some of the blame lies with the manufacturer." It's blame for a different, separate act, though. Otherwise, I agree with you.

jackie40d

Seems the old OS/2 which there were a lot of us who said this is the new OS to follow, as it was rock solid and ran good . . Then IBM dropped it . . Mostly because MS did not want their stuff running on an IBM OS/2 . . Too bad so sad I could run all the Windows 3.11 on OS/2 and never blink and never crash . . If it had been allowed to run the newer Programs/OS's from MS it would have been the NEW OS to follow ! Oh well . . Shows how old I must be hahahaha

Neon Samurai

That seems to be a very lacking value these days. Even with my previous comment; it's not black and white and the bulk of the fault is found with the perpetrator. All I can say is: A lady buys a steaming hot cup of coffee, pinches it between her legs in the car then sues McDonalds for scalding her. Now all coffee cups have to be printed with "warning, container may be hot" on them.

Neon Samurai

Well, unless VMware gets really crazy and manages to add osX to its list of supported systems. I read that same article. In short, Apple has a new file system for osX and has also developed a nifty utility that can either painlessly convert a partition to the new osX format without destroying the stored data or (and this is really cool actually) generate two filesystem headers for the same partition of drive space so your NTFS and ZFS both read the same bits on the platter.

jackie40d

I have no pity on the dizzy B who did that, she had less brains than the fly on the wall ! And now back to the GOING TO buy Mac . . I read where the new Leopard has HPFS for a system now and going to the ZFS with next product out the door ( The old HPFS was from IBM, it was the backbone of OS/2 Warp and ran really good ) Even ran the old Win 3.11 before Windows 95. Then MS got this wild hair and would not let IBM add it to OS/2 as a way to run things . . That's where MS started to be weird and started their pile of patches for stuff as they never finished 95 before 98 came out. There are 9 patches for 98 SE, I got them still on a CD as I burnt them there so they did not grow legs or get lost somewhere . . Then came ME and the next was Win 2000 and NT, those were Windows' best OS's to date. After them it's been downhill for MS and the holes and patches increased for stuff they never checked so 90 % of the Malware was made either by them or by web sites for them . .

verd

True or False: Guns kill people. Cars kill people. MS is the cause for malware. Let's see... I say they are all FALSE. People kill people, not cars or guns. MS does not make malware just for grins. Man does not cause global warming either. Anyone need some cheese for their MS whine?

apotheon

I think WGA counts as malware, and Microsoft makes that. Otherwise, however, I agree with everything you said.

jackie40d

Vista is like sorta dying on the vine ! As much as I like picking on Mac this is a good day for them . . http://blogs.zdnet.com/storage/?p=146&tag=nl.e550 Mac is coming out with an OS X for PC's, going to make it really hard for Windows to keep up ;-)

Neon Samurai

I hear the rumour that Apple is releasing an osX version for non-Apple hardware every year or so it seems. If this is more than just rumour finally then that would be very interesting to read more about. I've the two Apples at home but it'd be great to put osX into a VM with the rest of my collection.

BALTHOR

The effects of virus can be studied but the virus themselves can not. Got to go, my new Yahoo e-mail sidebar is grossing me out. (ps: Panda has a new beta)

zclayton2

Great! Does this quote mean that Malware distributors PREFER miKro$loth products for some reason? A Microsoft spokesperson said, "It is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation... the administrator's intended use could be to intentionally distribute malware." Seems like a reasonable assumption to me - if caught, it would give the Admin plausible deniability as to culpability - "Gee, the patches didn't install properly."

jackie40d

When you do a patch most of the time you got to shut down or do a simulated shut down like Windows programs do inside Code Weavers inside Linux to get a program to work right and add the icon to wherever it goes .. So if the simulated shut down did not occur the Windows patches would not be in there . . Or in VMware-server it does the same junk, simulated shut down, it's the problem with Windows and its inability to do things ;-)

Neon Samurai

"Windows has detected that the mouse has moved. Shutting down, please wait while Windows reboots." (That quote killed me the other day when it popped up out of fortune-mod) Windows has always liked to reboot with any new driver or patch. Sometimes you get lucky and it just needs to log out and back in. Heck, Windows gets upset if not rebooted once a week at minimum. Linux X.org modules sometimes require X to be restarted which is similar to Windows logout/login after an update. Outside of the GUI, I've never seen Linux need to reboot for anything but a kernel update. I have no problems rebooting an OS when I've just replaced its core. It is annoying to reboot for every little thing but I wouldn't call that Windows not doing things. In that case it's just doing things differently though probably not in the best method available. It just needs to clear all the crap out of its memory and reload everything from a fresh boot. What really kills me though is downloading a crapload of patches, having to reboot then finding another load of patches waiting for download. Bah.. Other OS designs get craploads of patches applied on the fly. They also manage it without rebooting and returning "ok, let me get the rest of the patches since some of them are to fix these patches."

apotheon

The only time Linux actually requires reboots for updates is when the kernel gets updated. Otherwise, there's always a way to just restart whatever software running on the OS requires the restart without having to shut down the system itself. Of course, with some of the really fundamental software, restarting the software may be equivalent to rebooting the system -- just without affecting the uptime counter and with a quicker turn-around than a true reboot would require.

Mich-a-billy

Defending Windows twice in one day. I need to get off here before my Unix friends kill me. If you have a load balanced system, you can shut down one system and not lose the service for a reboot. How server patches are going to work should be planned out in advance of building your first system. It really doesn't matter which OS you use, because I have seen (rarely) a unix/linux box require a reboot after an update. I really think this article didn't go deep enough into which versions of IIS and Apache were used. Also, I think the system admin and developers of Malware should be held accountable for producing this junk, and let's get on to better ways of securing and running our web servers.

Neon Samurai

I do like the way *nix manages hardware and system changes without a reboot. If I find I'm missing a program it's a two second command to have it downloaded usually appearing in the X program menu right away. Actually, I needed to connect to a Windows box last night; urpmi rdesktop, tada! Oh, wait, the GUI layer; urpmi grdesktop, tada! And gRdesktop appears in my program menu, a moment later I'm looking at a remote full screen Windows desktop. I'm in the process of growing my latest system rebuild so there's been a lot of realizing I need a program ten seconds before it's installed. I have a few things I need Windows for at home but I'm now 95% native boot to Linux. Games will be a Windows thing for the near future and I've still a PalmOS/Outlook/Cellphone combination to keep synchronized. Oh well, next step is to move the Palm/Outlook/Cellphone combination to a VM or maybe convert my notebook for a dedicated communications box when I can afford to replace it. I'd also like to find a good replacement for Media Monkey; Amarok is great but it does not seem to do catalogue management (create/organize folders/files by audio file metadata). Now, video is a place that FOSS is still lacking. It's ironic with the amount of FOSS that Hollywood runs its proprietary editing software on but that's the way it is right now. There have been a few good articles recently on newsforge.com about editing though. Blender3D is more for animation but hopefully soon you can move your video editing to an editing dedicated liveCD distribution (like the music or HAM distros recently released). Heck, some of the other readers may even have FOSS video software to recommend in the same class as Final Cut Pro or Adobe's offerings. I've actually found Soundforge to be good for video since it manages editing the same way it handles an audio file except with a row added to show the frames above the two stereo audio lines; that's still win32 software though.

jackie40d

I install a program or a hardware item and Windows wants to reboot, even patches for stupid things . . the 20 some odd patches past SP4 it wanted to reboot oh about 12 times, I think half the patches were for Windows apps not the system kernel re done . . I plug in something to Linux and it says just a sec and loads whatever it was into the system and runs with it . . Yeah that's right, Windows LOVES to reboot when EVER it gets a chance . . :-) It's why I want to be gone from Windows in the next 2 months . . Only to run some stuff inside Code Weavers and then to get some stuff running which Linux sees but does not know how to use them I will have VMware-server loaded and run Win 2K for those items only, oops got to load Pinnacle Studio 9.4 so I can edit movies for people, put in titles and menus and all that junk so it looks fancy and makes money for me . . I got some movies up on YouTube, links on my site http://www.lynns-store.com Links to movies are on the left hand side and down a bit . . I made the site with a few oldie programs and 1 new one so ANY 1 can see it, had to add a tiny bit of Flash just to get people there . . and demonstrate web site making abilities . .

jackie40d

This sounds like a MS Flame topic but sounds about right as I know when I get stuff as the Browser says it blocked a what ever . .Oh I got the new BETA Safari from APPLE today and trying it out might be ok will know in a day . .

Justin Fielding

That's a lot of parked domains. It would certainly help to explain that huge shift in 2006. I've not tried the Windows release of Safari yet (seeing as I run it natively). How is it?

jackie40d

But it's a bit slow .. Waiting for the new Mac OS for PC's to hit the market haha THAT I will BUY ! As far as Windows naw I will wait for the prices to drop even more . . Then I will get XP but SP3 has to come out first so 80 % of the holes are fixed

Dumphrey

you a lot o cash that XP SP3, if there is one, will be 90% DRM and WGA, and 10% security....Why would they release a major fix for an OS they desperately want to ditch in favor of the back-doored, DRM flooded beast they sold to Business interests? And with displayport coming soon on monitors, HD content will finally be "allowed" on computers...(all those HD cards sold up until now are almost worthless, they will never be able to output HD content on an MS system.)

ccolht

MS pushes their dynamic web capabilities, enabling a lot by default, leaving them more vulnerable to attacks. Many Apache sites are only used for static content so have fewer exploitable services. This is changing as more and more php, rails and other dynamic systems get deployed. But these need to be turned on in recent versions of Apache so the hole isn't there until the admin/developer opens it. That same rule applies to IIS of course. We need to be more diligent in configuration and administration. ISPs should scan customers' sites for malware (no further than a normal web surfer.) Many sites out there haven't been updated in years. So what's the chance that the server is up to date?

blarman

I run Apache with Oracle's Applications Express. There is NOTHING static about that content - the web pages are entirely dynamically drawn with data taken straight from my database. Apache also comes out-of-the-box now with PHP and Perl extensions ready to go. You can enable Python or Cold Fusion as well with a few steps. These are dynamic scripting languages every bit as powerful as ASP. You are drawing a VERY poor characterization based on something you know little about in defense of a particular platform. In the future, I would suggest doing a little more homework and playing less with fire. You might get torched. Again.

Mich-a-billy

Personally, I would not assume that "Much of Apache's server content is static". Perl, CGI, php, and coldfusion have been around for a while now, and Apache runs these languages easily. Normally, I will be the last person to defend Micro$oft, but can we really blame them for what other people do with their product? If IIS and Apache weren't around, then they would be using other web servers to pass malware. If you are going to assign blame, blame the developers and server admins who publish the malware. Or the server admin who allows this to be run on his server.

TechExec2

The world's largest domain registrar, GoDaddy.com, moved its 4.5 MILLION parked domains from Linux+Apache to Windows+IIS in March 2006 (1). That's why it appears Apache lost ground to IIS. Just like the rest of the Web, the vast majority of GoDaddy web servers that actually serve real websites run Linux+Apache (2). "...Our business is based on providing the best possible service at the lowest possible price. This strategy requires us to maximize all of our resources, particularly our technology assets. It was clear from all of the testing we've conducted that Microsoft provides an efficient and scalable operating platform, while also providing the performance needed to handle our extraordinary growth..." --- Warren Adelman, GoDaddy.com president and COO. Why are some executives so completely full of sh*t? :^0 Translation: GoDaddy got a big donation from Microsoft. Way to Go...Daddy! I hear that Microsoft Windows+IIS is an EXCELLENT platform for completely inactive websites! :^0
(1) GoDaddy.com to Migrate Entire Hostname Portfolio Onto Microsoft Solution for Windows-Based Hosting http://www.microsoft.com/presspass/press/2006/mar06/03-21GoDaddyPR.mspx
(2) How big was Go Daddy's move from Linux to Windows? http://business.newsforge.com/article.pl?sid=06/04/20/1652228&tid=37

Jerry M. Gartner

IIS, of late, has most services turned off by default, requiring admins to enable them. MS started doing this with the 2003 releases of their products. I think there's more to it though. See http://www.gartnerwebdev.com/2007/06/11/why-so-many-microsoft-vulerabilities/ if you're interested in my opinion on MS vulnerabilities and exploits in general.

Neon Samurai

Market Share

The myth that MS is a bigger target so it is banged on more resulting in more exploits being discovered and reported. This is based on the misconstrued idea that being secret means being secure; security through obscurity. This security model has been proven flawed far as I understand.

- MS products do not have the majority of the server market yet still show the majority of vulnerabilities based on severity and time between discovery and patch release. If this myth were true, we'd have a long list of vulnerabilities for BSD, Linux and any other Apache supporting platform.

- Cracker scum (blackhats if you must use a "hat" buzzword) target what it is they need to get past for their goal. These days, it's organized crime funded professional criminals not curious high school students playing with a new technology. If they need a file off a server they are going to focus on what that server is running. Home user identity theft and fraud and botnets, sure, you're targeting home users so you target what is likely to be on the home machine. Also, while some will be motivated by "picking on the biggest kid in the playground", this is a rather petty motivation for something that now carries real jail time.

"This attack is most effective when many many machines are part of the incoming flood. For maximum effect, the natural choice of machines to infect would again be Microsoft products."

You're talking about DDoS attacks here. So, if MS developed their OS to be more secured then Windows OS would not be the Swiss cheese platform most easily accepting of Trojans or other illicit remote control software? I'm with you there, if MS hardens the next version of Vista properly a lot of the end user's grief goes away but the last time they tried to do that with any real effect, all the AV companies went to court.

Development Model

This is the bit contrasting closed and proprietary development methods to open source development methods. I think I agree mostly with this.
Closed development is motivated by profit margins primarily. Limited developer teams must meet marketing mandated deadlines while focusing on priorities to remain within budget. Ongoing product development is funded out of the initial sale and ongoing service contracts. When the initial sales drop off then it comes time to develop the "new version" and start the sales and support cycle over. Last, all secrets are kept "in the family" so code is only for the family eyes and software bugs are not to be admitted to lest the family look bad to the outsiders. Here the program *is* the product and anything that does not contribute directly to the profits is not worth considering.

Open development is motivated by product quality and functions. The "currency" is the ongoing use and evolution of the program so that is most important. A possible developer team of millions of self motivated people get access to the source code then start submitting patches and further features back to the project lead. Bugs can be spotted by anyone and reports are welcomed rather than hushed-up by lawyers (I'm looking at you Apple). "Release early and often" is the rule. You don't generally get "new versions" that are a complete step away from the old version since they both develop out of ongoing evolution from the version previous. Here the service *is* the product and the program is the freely available tool.

Closed and proprietary is focused on owner or shareholder equity and what is best for the business's ongoing hunger for dollars. Software patches are limited by team availability and budgets. Open Source is focused on the end user and quality of program provided to them. Software patches for an active project are limited only by bug reports.

People Love to Hate Microsoft

The section title says it all. People love to hate the big dog. I'll agree that some of the "bill bashing" happens purely out of the love to hate MS but not the amount that you indicate.
When you're talking about the IT community though, you're talking about people with historical and technical knowledge about MS. MS product quality and business practices have historically been shoddy and shady at best. MS business strategy speaks for itself and until Vista, hardening the OS has been a distant afterthought for MS versus providing something pretty enough to sell. The IT community that hate MS do so because 30 years of development and "innovation" continues to provide the same crap designed to sell on the mass market rather than work best for the end user; again, what's best for the shareholder's equity and RIAA rather than what's best for the customer. I suspect much of the Cracking of MS products started with technically intelligent people providing MS with proof of concept since simply reporting the found bug wasn't enough; "yeah but you're a security researcher from outside our family, we'll have to wait until a family member confirms your story. Oh, and if you tell anyone that we've a scratch in our paint, we'll sue you into oblivion."

Yes, if you measure a company's success by annual profit and units shipped out of the warehouse; MS wins without contest. They have the highest market share, highest piece of the annual profits pie and highest number of units shipped; if you forget to account for the number of consignment units not actually chosen by customers or returned that is. Financial measurements are not an indicator of technical merits though. IT has a long history of dumping the technically superior solution in favor of the better marketed but inferior one. Financial measurements only confirm that MS is the richest company in IT. Again, finances are of interest to the shareholders rather than the customers. With this kind of financial performance, MS should be putting a whole lot more budget into quality and they just don't seem to be doing so.
If you measure a company's success by the quality of product it produces through technical metrics instead of economic metrics, you get a very different picture. MS quality is not good. I'm not saying they have software bugs so shame on them, I'm saying it's fundamentally not good. With MS bank accounts and all these bug reports from people targeting MS specifically, shouldn't they have a rock solid system like, say, BSD; which has actually hardened in its 30+ years of development. The hate MS receives has been earned through its own product quality and business practices. It's pretty easy to tell between who hates MS because it's the cool thing to do and who hates MS because they know more than the MS marketing slogans. They got lucky in the early days of home computing and rode the market without really having to compete through product quality.

The Reality

I think you're propagating a few myths in your article. Primarily that MS has more bug reports than other software platforms purely because it's the big dog that everyone loves to kick and that hate towards MS is only from individuals who only hate MS for being large and successful.

If the bigger target is what makes MS show more vulnerability then why does Linux/BSD not show higher vulnerabilities in the server market where MS is not the majority? I propose that *nix based systems are getting kicked just as hard and often as home user systems but not as successfully. The Unix security model seems to be holding up just fine as the "big target" while MS doesn't look so good after a test kicking. If 54% or more of the servers connected to the biggest network on earth are holding up just fine then MS doesn't get to claim that their problems are anything but poor craftsmanship.

If everyone who hates MS does so purely because MS is the top dog then how is there any technical basis for discussion? I've seen the postings "MS is evil because they have all the money" and discount them but it's hard not to consider a page of points from someone with the technical knowledge to look past the pretty GUI theme and question how the engine parts are working. It's also hard to feel any love for MS with the history of its behavior. Maybe it's not out to screw Novell in response to a technically superior threat but history has demonstrated that very few "partners" ever get away from MS uninjured.

Last, as for the Bill bashing, it depends on context. Bill the founder of MS who used a brilliant strategy mind to monopolize an industry; flame on. His billions are at the expense of others and often at the expense of a better technology either through business practices or outright theft. The info security industry alone owes itself to MS product quality control. Bill the philanthropic billionaire who now walks around the world throwing money at problems; sincerely the best of luck. If all he did was throw money at problems, the difference will be felt globally. If he focuses that brilliant strategy mind on humanitarian goals rather than business goals, there's a whole lot more he may accomplish.

(posted to your article directly also)

STumilty

I agree that MS is "bullying" but it is a business and it's a dog eat dog world when it comes to making money. I don't like the way MS have become what they are today, but I must commend Bill Gates on establishing such a 'successful' business. And I feel that there are a lot of small minded people out there that can not see how good of a business man Bill Gates was and is. Looking at the market I would have to say for the desktop end user environment Windows is the best. Linux still needs to become less of a "geek" OS before it can compete big time with MS. And why can't MS try and sell Linux components that are theirs (and I use that term loosely)? Unlike GNU, MS is there to make money. And in today's society, you need money.

apontel

Techies hate Microsoft not mere mortals, the reason Microsoft is hated is because they are greedy. There is no real reason for their Licensing structure other than they can. What was the original cost of connecting to the first Arpanet machines? Microsoft is buying the White House, to avoid law suits and to take out open source.

Greed

In January Microsoft was caught buying Bloggers (Maybe Samurai has a new laptop) with laptops to speed up their evaluation of Vista. I hope the Acers had six partitions for each variant of Vista !

Greed

Microsoft's team of top dog lawyers is busy as we speak making other companies pay for Linux components they say are theirs. Maybe you can not patent some thing that was already there.

Greed

Richard Matthew Stallman launched the GNU Project to create a free Unix-like operating system; he also developed the original Emacs, the GNU C Compiler, and the GNU Debugger; the year was 1983. Microsoft releases Microsoft Windows, originally a graphical extension for its MS-DOS operating system; the year is 1985.

Pay attention many top dogs are admired and loved by the dog pound, your Microsoft is top school yard bully, argument is missing a component, bullying is why people hate bullies.

Neon Samurai

I do feel a little dribble of blood run out my ear when I hear someone referred to as a hat colour when not meaning one who works for Red Hat but it is preferable to the media spun Hacker bastardization. I can't fault you on that by any means. Your lack of misusing "hacker" in the article was noticed. Perhaps it's just my own pet peeve to piss into the wind about. I try to keep it to myself but sometimes I just have to chime in. I won't ever change the world's general meaning of the word but I'm sure I'll continue to point it out. When I tossed the term back and forth with my wife, she said; "what? Oh; nerd-noise. Did you take the garbage out already?" (She has no interest in tech toys or topics.)

Jerry M. Gartner

My wife and I discussed the merits of cracker v hacker v black hat. Most people outside of our profession have no idea what a cracker is in the context of IT security. The media propagates hacker, which we all know is a good program, a good programmer (i.e. that guy is a hell of a PERL hack), or one of those guys who stays up into the wee hours trying to get mailgraph to output graphs just so - not a cracker. I settled on black hat so as not to be responsible for continuing the mis-information of the masses while not having to delve into the distinctions of our jargon (a digression of laymen oriented information, in my opinion). Too, I posted your comment in its entirety on the site as I appreciate good input.

Neon Samurai

I wasn't actually looking for yet another TR forum fight and am glad to see that my mouth didn't walk me square into one. It's really just the "MS is the target because they are biggest" and "people hate MS because it's successful" empty arguments that tend to get on the nerves.

It would be interesting to see what MS could really do with its resources based on customer motivated development. As you point out, a business bound by corporate law is not going to change unless product quality directly affects the bottom line. For Microsoft, it doesn't currently in a way that they are motivated to address.

On the other side, all those MS haters with development skills are acting by intent or accident in the best interest of Windows users. Either FOSS replaces Windows with a competitive product providing more benefits to the end user or MS gets scared enough to compete on product quality providing more benefits to the end user. Of course, this would be easier if every end user was a techie but that's not reality so marketing prevails over education.

Very true; while any Script Kiddie can "pwn" their friend's "puter", the person who can walk into a BSD terminal unstopped is the one who's a real threat. Luckily, people who can do that are generally motivated by other more productive pursuits within geekdom. The ones who are motivated by malicious intent are referred to as Crackers (in both derogatory meanings of the term); the pond scum of geekdom that we're always confused with. It's never the loud person doing the posturing that you have to worry about, it's the quiet person at the back of the crowd that does not need to advertise their skill.

Jerry M. Gartner

I do agree that Microsoft's security issues are not solely the result of being the "big dog", but rather because of their fundamentally flawed development/business model. Note that development and business go together in the case of Microsoft, and therein lies the problem. Until solid code is seen as good business, we likely can expect more of the same. Too, it's human nature to pick on the weak, no matter how big they are. In reference to security by obscurity, I consider a person who can get into a BSD box unauthorized to be more of a threat than script kiddies that download their "skills" from a cracking site. Also, keep in mind that the site that the article is published on is written for small business folks who like buzzwords :)