Apache and Internet Information Services (IIS) Web servers are equally at fault for pumping malware into the wild, according to a new study, but a higher percentage of IIS servers are compromised.

Those results come from a survey by the Google Anti-Malware Team. The results, however, should be taken with a grain of salt, since myriad mitigating factors are at work. Apache is an open-source Web server, while IIS is Microsoft's Web server.

The two servers are by far the most popular on the Internet, handling 89 percent of all traffic. Google examined about 70,000 domains in the last month that have been distributing malware, and determined that both Apache and IIS are responsible for pushing out 49 percent of the viruses and exploits. Since Apache is running on almost three times as many servers -- 66 percent to 23 percent -- as IIS, the percentage of IIS servers that are compromised is much higher. Google states in the study that "Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server."

See full article @ Ent News

At TechEd 2007 this morning, Microsoft's senior vice president Bob Muglia generated the biggest applause of the day (not related to the Christopher Lloyd cameo) by announcing the new Server Core installation option in the forthcoming Windows Server 2008 will have as one of its ready-made "roles" the ability to rapidly appropriate Internet Information Services in a command-line-only environment.

This role should make it tremendously easier for admins to provision and deploy low-overhead Web services very rapidly, and could finally close the similarities gap between itself and the world's most deployed Web server software, Apache.

Full Story @ Beta News

Saying that an Internet Information Server exploit is due to a feature, not a flaw, Microsoft has published exploit code for the flaw but no workaround or patch.

The exploit, which was discovered on Dec. 15, 2006, and made public at the end of May, works against IIS 5.x. By design, versions 5.x allow bypass of basic authentication by using the "hit highlight" feature. The hit-highlighting feature can be used by an unauthorized user to grab documents to which he or she has no privileges.

At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasn't been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.

The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS' Internet Storm Center security alert site.

The ISC has tracked public exploits that apparently focus on leaking protected information.

According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.

Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.

Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for Windows XP Professional.

What are the security issues with Microsoft's "Surface"? Click here to read more.

Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.

Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit—a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.

The only defensive information Microsoft gives is to urge users to upgrade to 6.0—an upgrade that's neither free nor easy, Frantzen pointed out. He provided these possible workarounds:

• If you don't use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.
• Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.
• URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.
• Manage rights on the confidential files or directories themselves.
• Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.
• Scramble an upgrade to Windows 2003, potentially on more potent hardware.

Frantzen advised IIS 5.x users that failing to find "null.htw" in a document root directory doesn't mean much—the exploit doesn't need the file.

Microsoft hadn't delivered a statement by the time this story posted.