News

Netcraft: MDAC Vulnerability Affects Small Number of IIS Servers

• By Scott Bekker
• December 02, 2002

Netcraft is well known for its monthly updates on the number of Web servers running Apache versus Internet Information Services. A Bloomberg news article about the MDAC vulnerability, a problem Microsoft labeled "critical," noted that Netcraft's figures put about 4 million active IIS servers out there -- making the vulnerability appear quite widespread.

But Netcraft says that in its own security testing business, it finds that the percentage of sites using the affected part of MDAC, the Remote Data Services, is very small.

"Approximately 8 percent of Microsoft-IIS sites tested in 2001 had RDS open to the public; in 2002 this has fallen to around 5 percent," Netcraft notes.

RDS is not enabled by default in IIS 5. RDS was introduced and enabled by default with IIS 4, but Microsoft's security checklists and IIS lockdown tool encourage Web masters to disable it.

"Almost no Microsoft-IIS/5.0 sites we have tested were offering RDS and the proportion of Microsoft-IIS/4.0 sites offering RDS is fairly stable at around one in four," Netcraft officials say. The caveats, according to Netcraft, are that its customer sample is fairly small and that sample is weighted toward IIS 5 customers. "But we think that only a fairly small section of the Microsoft-IIS community is likely to use RDS, and that it is rarely enabled on public sites."

Meanwhile, since October, Microsoft's IIS has enjoyed a slight gain in share among active Web sites, although the open source Apache Web server still dominates the market.

The November Netcraft numbers, released Monday, show IIS gained 0.53 points of share, climbing from 25.06 percent of active sites to 25.59 percent. In raw numbers, IIS sites went from about 4 million sites to nearly 4.25 million sites. Apache, meanwhile, stayed above 10 million active sites and runs nearly 65 percent of active sites, according to Netcraft.