-
October 13th, 2003, 11:45 AM
#1
SANS says: IIS most vulnerable software on M$ list
SANS, an internet security institute, publishes in its Top Twenty that IIS from M$ is one of the most vulnerable software packages on the M$ list. It is very sensitive to denial of service attacks and can sometimes give very sensitive information to unauthorized users. Next to IIS we see MSSQL, Windows login and Internet Explorer. In the Unix top twenty of most vulnerable software, BIND Domain Name System is number one, followed by RPC and Apache.
Read the whole article at the SANS website.
-
October 13th, 2003, 02:29 PM
#2
Senior Member
lol nice 1, so man, MSSQL was insecure from the start.... especially with Google.... & all the other search bots out there
-
October 13th, 2003, 02:35 PM
#3
Yes, but is it the product, poor administration or what? They identify where the weak points are but don't identify the "causes" that put those applications into those weak situations.
The fact that BIND and Apache are still top would have me nervous as well, since Apache represents the vast majority of websites and BIND is the #1 DNS server (the last figure I remember was 97% of all DNS servers).
-
October 13th, 2003, 02:59 PM
#4
Senior Member
cleanbash...you might want to read the rest of that article. It DOES NOT state that IIS is the most vulnerable software. Indeed it is on the top of the list for M$ software, but if you look farther down in this article it also lists the most vulnerable *nix software (you did mention the BIND and other issues???). As MsMittens mentioned, the fact that Apache is on there should scare people more, as it has the largest install base for webservers. It also has some of the same and even different exploits. IIS and Apache in their default configs are open to all sorts of nasty things; it takes an admin that knows their **** (or can read a lockdown checklist) to properly secure these apps. I for one have never had any of my IIS servers get compromised, and I can assure you that you (depending on your age) have probably been to one of the sites that I manage.
This article is a good read for those not "in the know", but you should not try to slant your post as if IIS is the most vulnerable software. Remember this...NO SOFTWARE IS WITHOUT FLAWS..it takes a knowledgeable admin to properly secure their installations.
just making some minor adjustments to your system....
-
October 13th, 2003, 03:06 PM
#5
Thanks Ol Jeb, I changed it a little bit. (I read the article, but when I wrote this topic I forgot to mention that it was on top of the M$ list.)
-
October 13th, 2003, 03:51 PM
#6
Well, I'm impressed. I would have bet on Sendmail being the most vulnerable *nix software. And it is only in 6th position.
As Ol Jeb said, many of those software packages need a correct configuration to be secure. I'm still surprised to see that some apps like Apache are so insecure by default, while some simple changes in default options could raise the level.
Life is boring. Play NetHack... --more--

-
October 13th, 2003, 04:07 PM
#7
I don't know if it's Apache per se:
In addition to exploits in Apache's core and modules (CA-2002-27, CA-2002-17), SQL, databases, CGI, PHP vulnerabilities are all potentially exposed through the web server.
I wonder if it's the modules and other 3rd party add-ons that open it up to attacks. Certainly poor and insecure items like MySQL, Perl and PHP would open Apache to being vulnerable. A good example is when I went searching for information on the publisher of a book and found Google referencing a German MP3 site. Curious as I was, I went to check it and found a PHP page that had a data entry box with a button labelled "run command". So I did an ls -l and, lo and behold, got a directory listing. I even did a cat /etc/shadow and eventually did a write to root to tell them either the user had poor directory permissions or someone had compromised their server.
Look at the dates of the CVEs. There were only 4 for Apache for 2003 and 2 for 2002. But a whack of them appeared in 1999. All of the "top 10" are cumulative rather than indicative of time. Products do change and developers do learn from their past.
Heck, for BIND there isn't a single vulnerability for 2003 in the CVE. And yet, it's number 1. Why?
Chief among them are administrators who are not aware of security upgrades, systems which are running BIND daemon (called "named") unnecessarily, and bad configuration files.
Strikes me as this may not be an entirely accurate top 10.
-
October 13th, 2003, 10:30 PM
#8
Heck, for BIND there isn't a single vulnerability for 2003 in the CVE. And yet, it's number 1. Why?
Chief among them are administrators who are not aware of security upgrades, systems which are running BIND daemon (called "named") unnecessarily, and bad configuration files.
I know what you mean, MsMittens, but maybe there's a lot of old versions being run out there. If they don't keep up with the patches they'll be running these older versions which have vulnerabilities. Dunno.
Interesting study I found here http://www.menandmice.com/dnsplace/h...y.html?DHS0800 talks about all the misconfigured DNS domains. I realize that it's probably not related, but interesting nonetheless.