MS targets Linux, Mac rivals with IIS astroturf

'Vulnerabilities also exist elsewhere' Really?


When we revealed the delightful bulletin yesterday that Microsoft has sent its salesforce, defending its Internet Information Server (IIS), we rather deviously kept one section under wraps.

It's a list of vulnerabilities in rival products, apparently listed because "switching from IIS to another platform does not eliminate security vulnerabilities or virus problems nor will it eliminate the need to remain vigilant," as the crib-sheet puts it.

We'd actually love to see an Internet server that does eliminate the need to be vigilant (wouldn't that be great?), but we doubt that it's a claim made by any of IIS' rivals. And surely that's not the point that Gartner's John Pescatore was making either, in his recommendation that companies abandon IIS. He was pointing out that the rivals require less maintenance to achieve acceptable levels of security, and present a lower risk.

But here's the list, and pay close attention. There'll be a test in a minute:

Apache - Windows Equivalent, Core IIS Services


  • 2001-07-10: Apache Possible Directory Index Disclosure Vulnerability
  • 2001-07-02: Apache Tomcat Cross-Site Scripting Vulnerability
  • 2001-06-10: MacOS X Client Apache File Protection Bypass Vulnerability
  • 2001-04-12: Apache Web Server HTTP Request Denial of Service Vulnerability
  • 2001-03-28: Apache Tomcat 3.0 Directory Traversal Vulnerability
  • 2001-03-28: Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability
  • 2001-03-13: Apache Artificially Long Slash Path Directory Listing Vulnerability

PHP - Windows Equivalent to ASP.DLL
  • 2001-06-30: PHP SafeMode Arbitrary File Execution Vulnerability
  • 2001-01-16: PHP .htaccess Attribute Transfer Vulnerability
  • 2001-01-12: PHP Engine Disable Source Viewing Vulnerability

PHPMyAdmin - Web Interface for managing MySQL

  • 2001-07-02: phpMyAdmin Included File Arbitrary Command Execution Vulnerability
  • 2001-04-23: PHPMyAdmin File Inclusion Arbitrary Command Execution Vulnerability


Now, then. We wondered how long it would be our mailbox started filling up with concerned readers citing any of the above?

Not very long.

"To be quite honest," writes Charles Astwood, "I am not convinced by Gartner's arguments."

He continues:

"Running an older version of Apache than 1.3.19 (I think released on 28th February 2001) has a vulnerability where the web server may display a directory listing when it should display an error message."

Really? What else?

"More severe problems become apparent when dynamic media, as used on more and more web pages these days, is used. These require modules to be added to Apache and it is these that are exploitable. Some modules in the past that have been exploitable are Apache with PHP3 on the Windows platform and Tomcat on Unix."

In total, we're three-quarters of the way to collecting the full set, from various concerned correspondents, and were whimsically thinking of trading them with you. Can you swap us a Mac OS X vulnerability for a couple of PHP Engine Disable Source Viewing Vulnerabilities? We've lots of those... But most correspondents point out the first two on the list. And almost all such letters continue the theme: "It doesn't matter what system you are running, if you don't keep up to date you will be hit."

Microsoft surely gave an honest answer yesterday, by tacitly accepting that IIS has a unique problem (or combination of problems), that they recognize it, and are taking steps to fix it with a rewrite. But we fear that this kind of Astroturf will continue for a while yet. ®

Related Stories

MS vows rewritten IIS, more patches
Ditch Microsoft IIS now, says Gartner


Other stories you might like

  • Intel to sell Massachusetts R&D site, once home to its only New England fab
    End of another era as former DEC facility faces demolition

    As Intel gets ready to build fabs in Arizona and Ohio, the x86 giant is planning to offload a 149-acre historic research and development site in Massachusetts that was once home to the company's only chip manufacturing plant in New England.

    An Intel spokesperson confirmed on Wednesday to The Register it plans to sell the property. The company expects to transfer the site to a new owner, a real-estate developer, next summer, whereupon it'll be torn down completely.

    The site is located at 75 Reed Rd in Hudson, Massachusetts, between Boston and Worcester. It has been home to more than 800 R&D employees, according to Intel. The spokesperson told us the US giant will move its Hudson employees to a facility it's leasing in Harvard, Massachusetts, about 13 miles away.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • Arrogant, subtle, entitled: 'Toxic' open source GitHub discussions examined
    Developer interactions sometimes contain their own kind of poison

    Analysis Toxic discussions on open-source GitHub projects tend to involve entitlement, subtle insults, and arrogance, according to an academic study. That contrasts with the toxic behavior – typically bad language, hate speech, and harassment – found on other corners of the web.

    Whether that seems obvious or not, it's an interesting point to consider because, for one thing, it means technical and non-technical methods to detect and curb toxic behavior on one part of the internet may not therefore work well on GitHub, and if you're involved in communities on the code-hosting giant, you may find this research useful in combating trolls and unacceptable conduct.

    It may also mean systems intended to automatically detect and report toxicity in open-source projects, or at least ones on GitHub, may need to be developed specifically for that task due to their unique nature.

    Continue reading
  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • How can we make the VC world less pale and male, Congress wonders
    'Combating tech bro culture' on the agenda this week for US House committee

    A US congressional hearing on "combating tech bro culture" in the venture capital world is will take place this week, with some of the biggest names in startup funding under the spotlight.

    The House Financial Services Committee's Task Force on Financial Technology is scheduled to meet on Thursday. FSC majority staff said in a memo [PDF] the hearing will focus on how VCs have failed to invest in, say, fintech companies founded by women and people of color. 

    We're told Sallie Krawcheck, CEO and cofounder of Ellevest; Marceau Michel, founder of Black Founders Matter; Abbey Wemimo, cofounder and co-CEO of Esusu; and Maryam Haque, executive director of Venture Forward have at least been invited to speak at the meeting.

    Continue reading
  • DataStax launches streaming data platform with backward support for JMS
    Or move to Apache Pulsar for efficiency gains, says NoSQL vendor

    DataStax, the database company built around open-source wide-column Apache Cassandra, has launched a streaming platform as a service with backwards compatibility for messaging standards JMS, MQ, and Kafka.

    The fully managed messaging and event streaming service, based on open-source Apache Pulsar, is a streaming technology built for the requirements of high-scale, real-time applications.

    But DataStax wanted to help customers get data from their existing messaging platforms, as well as those who migrate to Pulsar, said Chris Latimer, vice president of product management.

    Continue reading
  • Infor to stop developing on-prem software for IBM iSeries
    ERP vendor had promised containerized options, but looks set to focus on the cloud

    ERP vendor Infor is to end development of on-premises and containerized versions of its core product for customers running on IBM iSeries mid-range systems.

    Born from a cross-breeding of ERP stalwarts Baan and Lawson, Infor was developing an on-premises containerized version of M3, dubbed CM3, to help ease migration for IBM hardware customers and offer them options other than lifting and shifting to the cloud.

    Infor said it would continue to run the database component on IBM i (Power and I operating system, formerly known as iSeries) while supporting the application component of the product in a Linux or Windows container on Kubernetes.

    Continue reading

Biting the hand that feeds IT © 1998–2022