Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 1 Jul 2004 19:16:03 -0500

"Barry Fitzgerald" <bkfsec () sdf lonestar org> wrote:

Matthew Murphy wrote:
For instance, we can safely say that approx. 25% of all webservers are
GNU/Linux and the vast majority of those run Apache.  Of those,
approximately 50% are the latest version of Red Hat (this is an
assumption, but I think it's probably a fairly safe one).   That's 12.5%
of all of the web servers on the web running the same version of apache
with, presumably, a significant portion of those running on ix86 based

Okay, so let's translate that.  In this case I'll use Code Red and Scalper
as examples.  At the time Code Red broke, IIS had approximately 30% of the
market.  At the time Slapper broke, Apache had approximately 65% of its
market.  At the time Code Red broke, ~ 90% (at least) of the market was
using IIS 5.0.  So, to approximate, that makes IIS 5.0 on Windows 2000 27%
of the general market.  As the number of systems running Windows 2000 on
non-x86 architectures at that time was negligable, the theoretically
infection-prone population based on an exploit able to target Windows
2000/x86 versions of IIS 5.0 would be 25-27% of the market in general.

Apache, on the other hand, is split up into numerous platforms.
Approximately 3% of Apache sites run Apache 2.x, which is significantly
varied architecturally from the dominant Apache 1.3 series.  So,
approximately 63% of the vulnerable market ran Apache 1.3.x in some form,
and therefore suffered from the chunked encoding exploit.  However, the
degree to which various platforms suffered from the exploit was different.
For instance, it was found that Win32 systems were trivially exploitable, as
were BSDs, but exploits did not appear with the same frequency for Apache on
Linux, Solaris, etc., even though it has been rumored that such code

In the case of Scalper, the worm spread only to x86/BSD boxes running Apache
1.3.  Assigning BSD ports of Apache the lion's share of the non-Linux market
share seems accurate based on simply my personal experience.  Apache.org
itself runs FreeBSD, but Apache 2.0 serves it.  Say that 40% of Apache 1.3's
market share runs Apache 1.3 on some BSD-based OS, and would thus be
vulnerable to Scalper.  Even if you are to agree that nearly half of
Apache's market share runs a vulnerable OS, that still puts the vulnerable
Apache installations at roughly 25% of the web server market base.  This is
before you factor in that in such a large number of systems, those running
non-IA32 CPUs would be significant, as BSD-based OSes are historically more
easily ported to other CPUs.

As you can see, the balance of easily-compromised systems (at least in terms
of exploiting a single system combination) tilts toward IIS.  Hence the
reason that worms and other hostile code typically spread from/reach those
platforms more effectively.

So, technically, while there's something to what you're saying, Apache
still has a large enough market share to make it a juicy target for
worms and exploits.

Right.  The debate here isn't that Apache is a poor target, and people don't
*write* worms for it (because, as Scalper and Slapper have shown us, they
indeed do), but that a worm is inherently less likely to spread on Apache
than its main competitor.  Don't get me wrong -- nobody but Microsoft
deserves blame for the holes in Microsoft's code, but mindless criticism of
IIS on the basis that "Well, Apache has twice the market share and half the
worm problem...", isn't fair to Microsoft.

The marketshare argument that's being bounced around is actually more of
a psychological one dealing with the amount of percieved compromisable
hosts and the glory of the target being attacked.

No debate here that people's reasons for writing the code plays into what
they write it for.  I was simply arguing the spread rate of a worm -- not
how many there are.

Relying on the security of using something because fewer people use it
is tantemount to security through obscurity, to me.  Having said that,
right now the most used browser is architecturally flawed, and it just
so happens that the underdog browsers are better designed.

Although I have gained a reputation on the list as a defender of Microsoft,
one thing you will never hear me defend: IE's (awful) security record.  This
is unfortunate for users and for Microsoft, because an otherwise improving
security effort (Windows XP SP2, IIS 6.0, Windows Server 2003, come to
mind), has really left IE behind.  IE is unfortunately, one of their most
used pieces of software, besides the OS itself.  So, leaving IE behind has
really hurt Microsoft, in terms of people's perception of it, and the
security of Windows as a whole.

In the near future, that may not be the case.  If all of this advice is
heeded and Mozilla is adopted en masse, we may be talking about IE being
the underdog browser and - my prediction - we'll still see people
exploiting it because it will still be more exploitable than Mozilla.
That is, of course, unless Microsoft makes massive changes to it's OS
and rips OS code out of IE, completely redesigning it's security model
-- but I don't see that happening for at least five years.

Likely to be the case, I'm afraid.  The worst part of this is, there are
more holes only waiting to be found.  IE's exploit "gold mine" has not been
dried up, unlike some products that suddenly see a rash of flaws discovered.
IE has been consistently flawed for *years*, and new releases seem to make
it worse, not better.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]