Linked by Thom Holwerda on Fri 14th Apr 2006 21:31 UTC, submitted by Dylan
Privacy, Security, Encryption "Windows has grown so complicated that it is harder to secure. Well, these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture. A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications."
Thread beginning with comment 114965
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Easy..
by smashIt on Fri 14th Apr 2006 22:55 UTC in reply to "RE: Easy.."
smashIt
Member since:
2005-07-06

Is that really true, though? According to Netcraft, Apache runs 64% of web servers on the internet, while IIS runs 25%. By your logic, exploits of Apache should be far more common than exploits of IIS. However, in practice, we see the opposite to be true.

i don't know from where you get your information, but to me it looks a bit different:

IIS: http://secunia.com/product/1438/
Apache: http://secunia.com/product/73/

Reply Parent Score: 4

RE[3]: Easy..
by Lettherebemorelight on Fri 14th Apr 2006 23:03 in reply to "RE[2]: Easy.."
Lettherebemorelight Member since:
2005-07-11

Did he say his statement was limited to Apache v2 and IIS v6?

Reply Parent Score: 1

RE[4]: Easy..
by sappyvcv on Fri 14th Apr 2006 23:45 in reply to "RE[3]: Easy.."
sappyvcv Member since:
2005-07-06

It still applies. I'm fairly certain Apache 2.x is more common than IIS6.

Reply Parent Score: 2

RE[4]: Easy..
by DKR on Fri 14th Apr 2006 23:45 in reply to "RE[2]: Easy.."
DKR Member since:
2005-08-22

The number of vulnerabilities doesn't matter if the open source world can fix them near instantly.

Secunia's data is also often outdated.

Also, Microsoft doesn't publish all of their vulnerabilities because they have something to lose if they did: shareholders.

dude, get the real facts.

http://www.theregister.co.uk/security/security_report_windows_vs_li...

Reply Parent Score: 0

RE[3]: Easy..
by dylansmrjones on Sat 15th Apr 2006 09:49 in reply to "RE[2]: Easy.."
dylansmrjones Member since:
2005-10-02

According to danish Secunia IIS6 has twice as many open security holes, than does Apache 2.0.x.

So we can conclude this: IIS6 has had fewer advisories, however they have not been parched (closed). Apache 2.0.x has had many more advisories, however all but one has been patched (closed). This leaves 2 unpatched for IIS6 with 1 unpatched for Apache 2.0.x

You can probably figure a lot of other things to do with statistics. Do that and then we can all bash each other with wonderfully meaningless statistics.

Final conclusion: When comparing apples with oranges, apples tend to have more worms than oranges, unless the oranges aren't really oranges but actually rotten apples, and one cannot see the difference. Or perhaps it's the apples which are unripe, or combination of all. (It doesn't make any sense, but neither does statistic when used this way.)

Reply Parent Score: 0

RE[4]: Easy..
by sappyvcv on Sat 15th Apr 2006 14:43 in reply to "RE[3]: Easy.."
sappyvcv Member since:
2005-07-06

Got a link?

Secunia.com shows 2 vulnerabilities for IIS6, neither of which is highly critical.

It also shows 30 for Apache 2.0.x, 2 of which are unpatched, (one is which claims to have been reported in march 2004). Now, I don't know how accurate all this is, but I haven't seen any sites that contradict this information.

IIS4 and IIS5 were complete shit security wise. Microsoft actually took the time and got IIS6 right with security, and are now trying to get all the *other* stuff right with IIS7. I probably still won't use it though, as I'm not a huge fan of ASP.

Reply Parent Score: 1

RE[4]: Easy..
by ma_d on Sat 15th Apr 2006 20:20 in reply to "RE[3]: Easy.."
ma_d Member since:
2005-06-29

Ah, logic on an analogy ;) . (I'm giving you a hard time, I know you were kidding).

Reply Parent Score: 1