The Guardian - UK
Technology
Jack Schofield

How many holes does Swiss cheese have?

An F-Secure note about a Mass SQL Injection has put Microsoft's IIS (Internet Information Server) in the firing line, which is a bit unfortunate as it's not particularly insecure.

The attack is serious, and as F-Secure notes: "Performing a Google search results in over 510,000 modified pages." However, this is not the same as 500,000 web servers.

Also, as F-Secure notes, it's actually an "SQL injection attack", not a flaw in IIS. It adds:

We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.
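As an added illustration (not from the article or from F-Secure), the contrast between the "poorly written" pattern and its fix. It uses Python with a constructed in-memory SQLite table rather than ASP/ASPX and SQL Server, but the defect is the same: splicing request input into the SQL text, versus binding it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)])
    return conn


def lookup_concatenated(conn, name):
    """The 'poorly written' pattern: request input is spliced into the SQL
    string, so the database cannot distinguish data from command."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The hardened pattern: the statement shape is fixed and the input is
    passed as a bound parameter, so it can only ever be compared as a value."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign value and on a constructed value that
    contains a quote character, as an untrusted query-string parameter might."""
    conn = make_db()
    benign = "widget"
    tampered = "widget' OR 'a'='a"
    return {
        "concat_benign": len(lookup_concatenated(conn, benign)),
        "concat_tampered": len(lookup_concatenated(conn, tampered)),  # query is bent
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_tampered": len(lookup_parameterized(conn, tampered)),  # no such name
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row for the tampered input, while the parameterized version returns none, because the quote character is just part of a name that does not exist.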


It's not good for Microsoft, clearly, but as far as we can tell at the moment, it's not IIS6 that's at fault. Indeed, it might be better if it were...

For a bit of history, IIS version 5 was affected by several security problems, and Microsoft quickly brought out a rewritten version, IIS6, that has an excellent reputation for stability and security. Anyone still using IIS5 should have stopped using it in 2003 or soon after, and is asking for any suffering they get. IIS6 is now being replaced with IIS7 in Windows Server 2008.

Secunia provides a pretty good database of programs and their insecurities, and you can look up an index of software listed by product or by vendor. Being practical, it highlights the number of unpatched flaws ahead of the raw number of advisories. So, for example, the record for IIS 6.x tells you that there have been five Secunia advisories, of which none (0%) remain unpatched. That's one security vulnerability per year, and none of them were in the red zone. Swiss cheese?

Here are the numbers for the IIS and Apache Web servers:

Microsoft Internet Information Services (IIS)
IIS 7.x: 0% unpatched (0 of 1 Secunia advisories)
IIS 6.x: 0% unpatched (0 of 5 Secunia advisories)
IIS 5.x: 6% unpatched (1 of 16 Secunia advisories)

Apache
Apache 2.2.x: 29% unpatched (2 of 7 Secunia advisories)
Apache 2.0.x: 11% unpatched (4 of 37 Secunia advisories)
Apache 1.3.x: 5% unpatched (1 of 21 Secunia advisories)

For comparison, here are the Secunia numbers for Apple's QuickTime bugware:

Apple QuickTime 7.x: 0% unpatched (0 of 18 Secunia advisories)
Apple QuickTime 6.x: 0% unpatched (0 of 7 Secunia advisories)
Apple QuickTime 5.x: 0% unpatched (0 of 4 Secunia advisories)
Apple QuickTime 4.x: 0% unpatched (0 of 2 Secunia advisories)
