Full Disclosure mailing list archives
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 1 Jul 2004 19:16:03 -0500
"Barry Fitzgerald" <bkfsec () sdf lonestar org> wrote:
Matthew Murphy wrote: For instance, we can safely say that approx. 25% of all webservers are GNU/Linux and the vast majority of those run Apache. Of those, approximately 50% are the latest version of Red Hat (this is an assumption, but I think it's probably a fairly safe one). That's 12.5% of all of the web servers on the web running the same version of apache with, presumably, a significant portion of those running on ix86 based machines.
Okay, so let's translate that. In this case I'll use Code Red and Scalper as examples. At the time Code Red broke, IIS had approximately 30% of the market. At the time Slapper broke, Apache had approximately 65% of its market. At the time Code Red broke, ~ 90% (at least) of the market was using IIS 5.0. So, to approximate, that makes IIS 5.0 on Windows 2000 27% of the general market. As the number of systems running Windows 2000 on non-x86 architectures at that time was negligible, the theoretically infection-prone population based on an exploit able to target Windows 2000/x86 versions of IIS 5.0 would be 25-27% of the market in general. Apache, on the other hand, is split up into numerous platforms. Approximately 3% of Apache sites run Apache 2.x, which is significantly varied architecturally from the dominant Apache 1.3 series. So, approximately 63% of the vulnerable market ran Apache 1.3.x in some form, and therefore suffered from the chunked encoding exploit. However, the degree to which various platforms suffered from the exploit was different. For instance, it was found that Win32 systems were trivially exploitable, as were BSDs, but exploits did not appear with the same frequency for Apache on Linux, Solaris, etc., even though it has been rumored that such code existed. In the case of Scalper, the worm spread only to x86/BSD boxes running Apache 1.3. Assigning BSD ports of Apache the lion's share of the non-Linux market share seems accurate based on simply my personal experience. Apache.org itself runs FreeBSD, but Apache 2.0 serves it. Say that 40% of Apache 1.3's market share runs Apache 1.3 on some BSD-based OS, and would thus be vulnerable to Scalper. Even if you are to agree that nearly half of Apache's market share runs a vulnerable OS, that still puts the vulnerable Apache installations at roughly 25% of the web server market base.
This is before you factor in that in such a large number of systems, those running non-IA32 CPUs would be significant, as BSD-based OSes are historically more easily ported to other CPUs. As you can see, the balance of easily-compromised systems (at least in terms of exploiting a single system combination) tilts toward IIS. Hence the reason that worms and other hostile code typically spread from/reach those platforms more effectively.
So, technically, while there's something to what you're saying, Apache still has a large enough market share to make it a juicy target for worms and exploits.
Right. The debate here isn't that Apache is a poor target, and people don't *write* worms for it (because, as Scalper and Slapper have shown us, they indeed do), but that a worm is inherently less likely to spread on Apache than its main competitor. Don't get me wrong -- nobody but Microsoft deserves blame for the holes in Microsoft's code, but mindless criticism of IIS on the basis that "Well, Apache has twice the market share and half the worm problem...", isn't fair to Microsoft.
The market share argument that's being bounced around is actually more of a psychological one dealing with the amount of perceived compromisable hosts and the glory of the target being attacked.
No debate here that people's reasons for writing the code play into what they write it for. I was simply arguing the spread rate of a worm -- not how many there are.
Relying on the security of using something because fewer people use it is tantamount to security through obscurity, to me. Having said that, right now the most used browser is architecturally flawed, and it just so happens that the underdog browsers are better designed.
Although I have gained a reputation on the list as a defender of Microsoft, one thing you will never hear me defend: IE's (awful) security record. This is unfortunate for users and for Microsoft, because an otherwise improving security effort (Windows XP SP2, IIS 6.0, Windows Server 2003 come to mind) has really left IE behind. IE is, unfortunately, one of their most used pieces of software, besides the OS itself. So, leaving IE behind has really hurt Microsoft, in terms of people's perception of it, and the security of Windows as a whole.
In the near future, that may not be the case. If all of this advice is heeded and Mozilla is adopted en masse, we may be talking about IE being the underdog browser and - my prediction - we'll still see people exploiting it because it will still be more exploitable than Mozilla. That is, of course, unless Microsoft makes massive changes to its OS and rips OS code out of IE, completely redesigning its security model -- but I don't see that happening for at least five years.
Likely to be the case, I'm afraid. The worst part of this is, there are more holes only waiting to be found. IE's exploit "gold mine" has not been dried up, unlike some products that suddenly see a rash of flaws discovered. IE has been consistently flawed for *years*, and new releases seem to make it worse, not better.
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html