


         The August 2001 Netcraft Web Server Survey is out:


                     http://www.netcraft.com/survey/


                                Top Developers

           Developer  July 2001  Percent August 2001  Percent Change
           Apache       18382308   58.73     17874757   58.08  -0.65
           Microsoft     8099757   25.88      8146372   26.47   0.59
           iPlanet       1345566    4.30      1321544    4.29  -0.01
           Zeus           793587    2.54       811406    2.64   0.10

                                 Active Sites

           Developer  July 2001  Percent August 2001  Percent Change
           Apache        7314577   60.53      7156849   60.33  -0.20
           Microsoft     3372341   27.91      3356363   28.29   0.38
           iPlanet        282517    2.34       275619    2.32  -0.02
           Zeus           184895    1.53       181098    1.53   0.00

   
   
  Around the Net
  
    Absolute number of sites found falls
    
   The total number of sites in the survey actually fell this month, as a
   result of failures and business model changes at several mass hosting
   companies. Microsoft continues its recent gains, with a further half a
   per cent rise, due in part to the remainder of a large domain hosting
   system at Network Solutions completing a migration to Windows 2000,
   and in part because it has far less exposure to the mass hosting
   companies than Apache. Our data was collected at the start of the
   month, and we will have a clearer picture of whether Code Red has
   caused any significant movement away from Microsoft-IIS in September.
   
    Code Red - the catalyst for internet security
    
   The combination of the Code Red worm and the first cumulative patch
   for Microsoft-IIS has significantly improved the security of
   Microsoft-IIS systems on the internet. The figures shown below are for
   the vulnerability of Microsoft-IIS sites tested for the first time by
   our [1]security services over the last year. This is typically in the
   range of a few hundred systems in each month.
   
                  % of Microsoft-IIS SSL Sites Vulnerable 

                  http://www.netcraft.com/survey/vuln.gif 

                                       May-01 Jun-01 Jul-01 Aug-01
    Administration pages accessible    23.08% 35.71% 11.76% 10.26%
    Cross-site scripting               73.08% 57.14% 36.47% 19.23%
    URL decode bugs                    34.62% 42.86% 32.94% 16.67%
    Sample pages and scripts           15.38% 28.57% 14.12% 16.67%
    Server paths revealed              36.54% 50.00% 22.94%  6.41%
    Viewing script source code         25.00% 21.43% 11.18%  3.85%
    WebDAV configuration               30.77% 50.00% 47.65% 43.59%
    IIS .printer overflow              23.08% 21.43% 10.00%  2.56%
    Code Red Vulnerable                 0.00% 14.29% 34.71%  2.00%
    root.exe installed                  5.77%  7.14% 10.00% 12.82%
   The table demonstrates in part the deep-seated complacency regarding
   security amongst ecommerce sites, and in part the difficulties in
   maintaining a reasonable level of security without the benefit of
   regular external testing. The high visibility of Code Red induced many
   ecommerce sites running Microsoft-IIS to patch their systems for the
   first time, and the availability of a [2]cumulative patch has
   eliminated a lot of earlier vulnerabilities from many sites.
   
   Note that the patch does not necessarily remove the root.exe facility
   installed by both sadmind/IIS and Code Red II. root.exe allows anyone
   on the internet to have commands on the machine executed with web
   server privileges, and can typically be used to set up logging of
   credit card information and other sensitive data on SSL servers. This
   has created a new class of ecommerce site which has been correctly
   patched for known server vulnerabilities, but still has a live backdoor
   facility enabling attackers to remain in control of the machine.
   Currently around 12% of SSL sites running Microsoft-IIS tested for the
   first time are in this state.
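   A patched-but-backdoored server of the kind described above still leaves
   a trace in its own web logs: requests for root.exe that were answered with
   a 200. The following is an added example, not part of the Netcraft
   survey, that scans a constructed IIS W3C extended log excerpt for such
   requests; the field layout and the sample lines are assumptions, and only
   the root.exe name itself comes from the survey text.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt, not real traffic. The field layout
# is an assumption; real servers log whatever fields the administrator enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-02 10:15:01 192.0.2.10 GET /default.htm - 200
2001-08-02 10:15:07 198.51.100.7 GET /scripts/root.exe - 200
2001-08-02 10:16:30 192.0.2.11 GET /images/logo.gif - 200
2001-08-02 10:17:02 198.51.100.7 GET /msadc/ROOT.EXE - 200
2001-08-02 10:18:45 203.0.113.5 GET /scripts/%72oot.exe - 404
"""

# Match the basename case-insensitively on the URL-decoded path, so that
# mixed case or percent-encoding ("%72oot.exe") does not hide the request.
BACKDOOR_RE = re.compile(r"/root\.exe$", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_backdoor_requests(log_text):
    """Return every request whose decoded path ends in root.exe."""
    return [rec for rec in parse_w3c(log_text)
            if BACKDOOR_RE.search(unquote(rec["cs-uri-stem"]))]


def served_backdoor_requests(hits):
    """A 200 means the backdoor answered: the host is patched but still compromised."""
    return [h for h in hits if h["sc-status"] == "200"]


if __name__ == "__main__":
    for h in served_backdoor_requests(find_backdoor_requests(SAMPLE_LOG)):
        print(f'{h["date"]} {h["time"]} {h["c-ip"]} was served {h["cs-uri-stem"]}')
```

   A 404 for the same path (the last sample line) is a probe against a clean
   host; only the 200 responses indicate that the facility is installed.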
   
   Self-interest dictates we mention that Netcraft's business includes
   [3]automated penetration testing, [4]site audits, and [5]site
   monitoring.
   

   Itanium systems available shortly, and likely to extend the momentum 
   of Intel Architecture in Ecommerce
    

   This week Microsoft [6]announced that Windows Advanced Server is
   available for the new processor, and will start shipping within the
   next month. Broadly similar announcements have been made by [7]Red
   Hat, [8]Covalent and [9]Zeus. One of the key early adopter markets for
   the Itanium will be SSL sites, as the Itanium has on-chip crypto
   instructions that provide a disproportionate improvement in the
   performance of SSL transactions. One anticipates that all the Intel
   based system vendors will quickly target this market as one of the
   most compelling ways of selling the initially highly priced Itanium
   systems. [10]Hewlett Packard's whitepaper extolling the SSL
   performance of HP-UX and the Zeus web server is likely to be the start
   of a feeding frenzy of Intel-based vendors hungry for upgrade revenue
   from their own user base, and for conversions of Solaris based
   ecommerce sites.
   
   Ashok Kumar of Piper Jaffray writing in an [11]article published on
   news.com argues that "Sun will be a big loser [with] ... a significant
   loss of share within two to three years to Itanium supporters such as
   HP, IBM and Compaq." Broadly speaking, unless Sun produces something
   exceptional, the advent of the Itanium is likely to amplify the trends
   of the last two years, with Solaris slowly but steadily losing share
   to Intel Architecture systems running both Linux and Microsoft
   operating systems. The real skill is in picking the winners amongst
   the different Intel aligned hardware and software vendors.
   

    Dogfood
    
   Brian McWilliams of [12]Newsbytes reports finding that [13]WebTV runs
   Solaris 8 on [14]several servers.

   Conversely, [15]Link Exchange, which ran FreeBSD for a long time after
   its acquisition by Microsoft, now runs Windows 2000.
   

References

  1. http://www.netcraft.com/security/
  2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codered.asp
  3. http://www.netcraft.com/security/scheduled.html
  4. http://www.netcraft.com/security/ecommerce.html
  5. http://www.netcraft.com/security/dsm.html
  6. http://news.cnet.com/news/0-1003-200-6991460.html
  7. http://www.europe.redhat.com/products/linux/itanium.php3
  8. http://www.covalent.net/company/press/news-20010410.php
  9. http://www.zeus.com/
  10. http://www.zeus.com/library/technical/hp_bench.pdf
  11. http://news.cnet.com/news/0-1273-210-6602402-1.html
  12. http://www.newsbytes.com/
  13. http://www.webtv.com/
  14. http://uptime.netcraft.com/up/hosted?netname=WEBTV-BLK1,209.240.192.0,209.240.223.255
  15. http://uptime.netcraft.com/up/graph?site=www.linkexchange.com&submit=Examine





- - - - - - - - Commercial Internet Research from Netcraft  - - - - - - - - -

Netcraft does commercial internet research projects. These include
custom cuts on the Web Server Survey data, hosting industry analysis, 
corporate use of internet technology and bespoke projects. All of the data 
is gathered through network exploration, not teleresearch.

sales@netcraft.com


- - - - - - - - - - - - - - Ecommerce Site Security  - - - - - - - - - - - - -

We provide a weekly network security test of customer networks.
The service is described at
   
   http://www.netcraft.com/security/scheduled.html

Also, we perform audits of ecommerce sites which involve code reviews of
the web applications.  

Details at

   http://www.netcraft.com/security/ecommerce.html

Clients include IBM, Hewlett Packard, Deloitte & Touche, Energis,
Britannic Assurance, Guardian Royal Exchange, Lloyds of London, etc.




Mike
-- 
Mike Prettejohn
mhp@@netcraft.com  Phone +44 1225 447500  Fax +44 1225 448600
Netcraft  Rockfield House  Granville Road Bath BA1 9BQ  England