1/4 of IIS Servers Infected by Code Red

Over 63 percent of all Internet web servers are running the open-source Apache web server, compared to about 23 percent running Microsoft IIS. Even with 3 times as many copies on the Internet, the last Apache CERT Advisory (serious security vulnerability) was March 20, 1996. IIS has already had seven since January - a quarter of all advisories issued this year!
For those that don't know, Code Red is self-propagating malicious code that attacks Microsoft IIS servers (versions 4 and 5) by exploiting a buffer overflow in the IIS Indexing Service.

How bad is the situation? A new web server put on the Internet will be attacked in less than 15 minutes. You probably won't get the latest IIS patches installed in time to prevent infection. See for yourself. Code Red Vigilante is a small (7KB) Java program that pretends to be a web server, but instead simply logs Code Red attacks and alerts the owner of the server that tried to infect your machine. It was written by a programmer right here in St. Louis. Download it from his web site. It took me less than 30 seconds to download, unzip, and execute the program. I logged my first Code Red attack in about 15 minutes.

The technical details of buffer overflow attacks are rather complex (and boring), so I'll summarize. A program can be divided into two parts - CPU instructions and data. The problem is that instructions and data are just bits and bytes in memory. If the CPU happens across data where it thought instructions were supposed to be, it will execute the data. Typically that results in a catastrophic failure of the operating system (Blue Screen for you Windows NT users). This is prevented by having the instructions specify where the data is and how big it is. The memory set aside for this data is a buffer.

You might ask yourself what happens if a program sets aside a buffer big enough to hold 100 characters, then tries to store 150 characters there. In some cases the extra 50 characters fill what would have been empty memory space. Sometimes they overwrite other data. However, sometimes they overwrite CPU instructions. That's what a buffer overflow vulnerability is.

By carefully choosing the data passed to a vulnerable program, sophisticated hackers can cause a computer to execute CPU instructions of their choosing. Unsophisticated hackers can simply crash the machine. Code Red and Code Red II are examples of sophisticated hacks. Code Red II causes your Microsoft IIS server to execute code that opens a new backdoor to your server. Using this backdoor, anyone can execute any program on your server!
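To make the 100-byte buffer / 150-byte input scenario above concrete, here is an added example (not code from the article, and not IIS code): a small C model in which one byte array stands in for a buffer followed by a control value, with the unchecked copy beside the length-checked one. The layout, the sentinel value and the request contents are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 100  /* the article's 100-character buffer */
#define SLOT_SIZE 4   /* a control value stored right after it */
/* One byte array models the buffer followed by the control slot, so the
 * overwrite stays well-defined C and can be inspected afterwards. */
struct frame { uint8_t mem[BUF_SIZE + SLOT_SIZE]; };
static const uint32_t GOOD_SLOT = 0x41424344u; /* constructed sentinel */
static void frame_init(struct frame *f) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, &GOOD_SLOT, SLOT_SIZE);
}
static uint32_t frame_slot(const struct frame *f) {
    uint32_t v;
    memcpy(&v, f->mem + BUF_SIZE, SLOT_SIZE);
    return v;
}
/* Vulnerable handler: copies whatever arrives into the 100-byte buffer. */
static void handle_unsafe(struct frame *f, const uint8_t *req, size_t len) {
    if (len > sizeof f->mem) len = sizeof f->mem; /* keeps the model in bounds */
    memcpy(f->mem, req, len);
}
/* Hardened handler: the length is checked against the buffer before copying. */
static int handle_safe(struct frame *f, const uint8_t *req, size_t len) {
    if (len > BUF_SIZE) {
        fprintf(stderr, "rejected %zu-byte request (limit %d)\n", len, BUF_SIZE);
        return -1;
    }
    memcpy(f->mem, req, len);
    return 0;
}
/* Feeds a constructed request of req_len 'X' bytes to one handler and
 * returns 1 if the control slot survived, 0 if it was overwritten. */
static int slot_intact(int hardened, size_t req_len) {
    uint8_t req[200];
    struct frame f;
    memset(req, 'X', sizeof req);
    if (req_len > sizeof req) req_len = sizeof req;
    frame_init(&f);
    if (hardened) handle_safe(&f, req, req_len);
    else handle_unsafe(&f, req, req_len);
    return frame_slot(&f) == GOOD_SLOT;
}
int main(void) {
    printf("150 bytes: unsafe slot intact = %d, hardened slot intact = %d\n",
           slot_intact(0, 150), slot_intact(1, 150));
    return 0;
}
```

With 150 bytes the unchecked copy clobbers the control slot while the checked handler rejects the request and leaves it untouched; a request that fits the buffer passes both.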

The bad news is that there seems to be a new security threat in some Microsoft software every other week. A trip to the CERT Advisories page shows that IIS and Outlook are security time bombs waiting to destroy your company. CERT Advisories are issued for serious security vulnerabilities in any network or Internet-related software. Serious is defined as allowing unauthorized uploads to a server (defacement) or allowing a hacker to completely take over the machine. I've heard people say that IIS is attacked a lot because it's the leader. I have two responses:

  • About 23 percent of all web servers are running IIS, compared to over 62 percent running the open-source Apache web server. Even with 3 times as many copies on the Internet, Apache's last CERT Advisory was March 20, 1996! IIS has already had seven this year - that's a quarter of all advisories issued this year!
  • The reason why hackers attack IIS disproportionately is irrelevant. The important thing is that they're succeeding. Until IIS is hardened against such attacks, it's hard to recommend its use. That's why a major insurance company started charging higher premiums for companies running their websites on IIS.

It's time for us to take Internet security seriously. Microsoft has been impressively successful in convincing the public that the security lapses in its software are inherent in the Internet. I've seen journalists refer to e-mail viruses or lump Java in with VBA and ActiveX security problems, even though Outlook is the only e-mail client that's vulnerable to these viruses and the last Java-related CERT Advisory was for Java 1.0.1 in 1996.

I don't begrudge Microsoft the right to spin the outbreaks to minimize their embarrassment. The problem is that Microsoft is purposely promulgating a false view of the inherent security vulnerabilities of Internet software. Because of Microsoft's efforts, the advancement of e-business and e-commerce in general has been impeded. That is what I am unwilling to accept.

So next time someone refers to an e-mail virus or web server worm, set them straight. We can't move forward until the public and corporations understand that the Internet isn't as dangerous as Microsoft would have us believe.


©Copyright 2000 The Hoffler Group, Inc. All rights reserved.
This page created Nov 10, 2000 at 8:01 PM