Web Server Security has been at the forefront of the news throughout the last month, with the archive site attrition.org announcing that it had received a list of around 9000 Microsoft-IIS sites that had successfully been taken control of by attackers. Subsequently Attrition stated that it would stop archiving mirrors of such sites as it was unable to keep pace with the number of successful attacks. Recently it has been receiving over 100 reports of successful attacks in a single day, more than for the entire years of 1995 & 1996.
Albeit released closer to June 1 than May 1, the Netcraft survey of Web servers has the Apache Web server slightly declining in market share.
CERT is also reporting on the sadmind/Microsoft-IIS vulnerability which is being actively exploited despite patches being available from Microsoft since October last year.
Separately, the main www.apache.org site and www.sourceforge.net, which hosts a large number of free software projects, were both compromised via a sniffing attack. Projects are currently undertaking code reviews to determine whether any covert channels have been placed in the source code.
The Microsoft-IIS and apache.org attacks raise the possibility of very large numbers of machines falling under the control of a single person, or group of people acting in concert, as Microsoft and Apache between them account for the great majority of Internet web sites. Indeed, there is a chance that this may have already happened.
Netcraft believes that it is more likely that the number of compromised Microsoft-IIS sites is in the order of hundreds of thousands rather than the 9000 figure widely reported in secondary coverage of attrition.org. In our own network security testing business, around a third of the 41 Microsoft-IIS servers we have tested for the first time since the attrition.org posting have been vulnerable, while 4 had already been exploited and taken control of by an attacker without the knowledge of the site owner. Around half of the internet’s ecommerce sites run on Microsoft-IIS, and there is the potential for a great deal of economic damage.
Traditionally the mainstream media portrays this scenario as having been created by the software developer, who should have been more careful when coding, but this seems to be pointing the finger in completely the wrong direction when a well-documented patch has been available for six months or, in the case of Apache, a crack code review team is assembled within hours of finding the intrusion.
Currently many ecommerce site owners operate without any regular security testing, and it is shocking to see third party privacy and encryption assurance seals giving the internet community confidence that it is safe to shop on servers which have not been patched or upgraded in a year, are patently vulnerable and possibly already under the control of a criminal third party.