XP is selling in retail channels at a rate that's about a third less than Windows 98 did at this stage, according to New York-based market-research company NPDTechworld. But thanks to preinstallation on new PCs, about seven million to 10 million copies of XP (and growing) are now running. That's an awful lot of machines that may become "zombies" in future DoS (denial of service) attacks due to XP's "UPnP" security hole. (See here for an explanation and a patch).
In a related development, security expert Steve Gibson recently released a small utility called ID Serve. It allows web surfers to easily see whether an e-commerce site that's asking for their credit card number is or is not running Microsoft's IIS (Internet Information Server) software.
Last year's worm wars gave Microsoft's web server product such a bad name among IT professionals that many of them joked that IIS stands for "It Isn't Secure". The Code Red and Nimda worms affected hundreds of thousands of IIS machines at the height of their exploits, and thousands of hacker backdoors remain in place even today.
Server software figures from Netcraft, a research group in England, reveal serious cracks. "One in 10 of the [IIS] e-commerce and encrypted transactions sites tested by us had backdoors in place to allow external attackers to monitor the systems, or have commands executed on the machines," Netcraft said in November. That's after many, many servers had been patched, but by no means all.
Besides reassuring cautious credit card users, ID Serve also allows users to determine the domain name associated with a given IP address. This can help you identify intruders your firewall may have detected. ID Serve and Gibson's descriptions of various IIS problems can be found here.
It's not as if it's impossible to make software that's more secure. Wim Vandeputte, technology chief of Custodix.com, a provider of trusted services, notes that the OpenBSD operating system he uses "hasn't suffered from a remote hole in the default install in over four years".
In a similar vein, Gibson says the last serious remote-code execution vulnerability to hit the Apache web server was back in 1997. "IIS has them monthly." Knowing that you may need to patch a product next month and again the month after doesn't make you feel as secure as using a product that's well-tested. Partially as a result, Apache server software enjoys twice IIS's market share in Netcraft's latest survey.
Microsoft has some of the world's best developers, but it still pushes some half-baked products.
Send tips to firstname.lastname@example.org.