IIS vs. Apache, Reported Vulnerabilities

And round and round we go again: history repeating itself one more time.

So what’s the newest Microsoft FUD [Fear, Uncertainty, and Doubt] tactic these days…

Apparently, it's getting a bunch of bloggers and security experts to regurgitate a statement containing the abstract fact that Apache has 33 reported "vulnerabilities" to IIS's 3.

How exactly those numbers translate into a web server's security grade is, of course, left out.

Let's look at this issue a bit closer:

Apache serves roughly two thirds of the websites on the internet. It has thousands of developers and companies around the world working with the codebase: constantly securing, improving, developing, and moving Apache forward.

This is considered to be a *bad thing* by the Microsoft camp? Should vulnerabilities not be looked for, reported, and fixed?

So I have just one question: how many vulnerabilities would be reported for IIS if the source code was open?

I think it might also be prudent to…

  1. Break down the number of vulnerabilities between the Apache core and specific modules.
  2. Reflect on the seriousness of each reported vulnerability: is it purely theoretical or of insignificant nature, and has a working exploit ever been developed [how about 3 years after the fact]?
  3. Look at the time between a vulnerability being reported and a fix being released.
  4. Count how many of the reported vulnerabilities you actually needed to respond to, because they affected code you run.

Take a look for yourself…
Secunia.com: Apache 2.0 Vulnerabilities
Apache.org: Apache 2.0 Vulnerabilities and Fixes

Throwing out abstract statistics has no purpose other than spreading FUD.

Instead, why not report on the merits of IIS itself… Specifically, on the improvements and features of IIS 6 and 7.

Choosing Apache or IIS? Use Both

Why settle on just one paradigm when you can have the best of both worlds? Use each model for what it does best…

  • One Linux Server for Apache and PHP.
  • One Windows Server for IIS and ASP.NET.
  • Have one common database backend with SQL Server, MySQL, PostgreSQL, or Oracle.

Place Linux/Apache up front and use mod_proxy's ProxyPass to forward the ASP.NET requests/URLs to IIS, or use some other reverse proxy to do the forwarding.

And if you would like, everything can go under one Windows system by using WAMP, with Apache and IIS bound to different IP addresses (or ports). Just make sure to disable IIS socket pooling (IIS 5) or, on IIS 6 and later, restrict the HTTP.sys listen list (httpcfg set iplisten on Windows Server 2003, netsh http add iplisten on Windows Server 2008), otherwise IIS grabs port 80 on every address and Apache cannot bind.

Since every request now passes through Apache first, this method also lets you put mod_security in front of IIS. Though the days of IIS 5 are over, and I have to admit that IIS 6 and 7 are fine standing on their own.
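Here is what the front-end half of that setup looks like as an Apache 2.2 virtual host. This is an added example, not configuration from the original post: the hostname, the 10.0.0.20 address of the IIS box, the /aspnet/ path prefix, and the single mod_security rule are all assumptions.

```apache
# Added example (not from the original post). Apache 2.2 front end that
# serves PHP/static content itself, proxies the ASP.NET part of the site
# to IIS, and runs mod_security on every request, including the proxied
# ones. Hostname, backend IP, path prefix and rule are assumed values.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule security2_module  modules/mod_security2.so

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # Reverse proxy only. Leaving this On would turn the box into an
    # open forward proxy; ProxyPass does not need it.
    ProxyRequests Off

    # Pass the client's Host header through so IIS host-header
    # bindings for www.example.com still match behind the proxy.
    ProxyPreserveHost On

    # Only the ASP.NET application goes to IIS (assumed at 10.0.0.20);
    # everything else is served locally by Apache/PHP.
    ProxyPass        /aspnet/ http://10.0.0.20/aspnet/
    ProxyPassReverse /aspnet/ http://10.0.0.20/aspnet/

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # mod_security inspects the request before mod_proxy forwards it,
    # so IIS never sees what is blocked here.
    SecRuleEngine        On
    SecRequestBodyAccess On

    # Assumed sample rule: reject directory-traversal sequences in the URI.
    SecRule REQUEST_URI "\.\./" \
        "phase:1,deny,status:403,id:100001,msg:'Path traversal attempt'"
</VirtualHost>
```

Two things to keep in mind with this layout: mod_proxy adds an X-Forwarded-For header, so the IIS logs will show the Apache host's address unless the ASP.NET side is told to read that header; and the IIS machine should accept HTTP only from the Apache front end (firewall or IP restriction), otherwise the mod_security filtering can simply be bypassed by connecting to 10.0.0.20 directly.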

Apache vs. IIS

Recently, a few choice diagrams from years past, mapping the system calls that Apache and IIS perform, have been making another round on the internet. So I thought I would add my 2 cents worth on the matter…

Why Windows is less secure than Linux

“Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture.”

Diagram of Apache’s internal system calls…
Apache System Calls

Diagram of IIS’s internal system calls…
IIS System Calls

I'll let the images speak for themselves, and comment not on the diagrams or their interpretation, but rather on the following responses…

“Apache cannot be compared to IIS. Apples and oranges!”

What… Why not? They have the same function, right?

“Apache, out-of-the-box, only serves static pages! It needs modules to add functionality. IIS, on the other hand, has all sorts of functionality built into it, such as running .NET applications and ASP.NET scripts. IIS is tied into Active Directory and many other Windows Server-specific technologies. It integrates with the OS!”

You say that like it’s a good thing.

“When you add enough extensions to Apache to provide it with abilities equivalent to IIS’s base functionality, it will make just as many system calls and be just as complex.”

We only have the baseline of what happens on one static HTML page and one image request. Anything else is a guess.

“Apache has 33 reported vulnerabilities. IIS has only 3 advisories!”

Apache? Meant to say "Apache modules", didn't you? As far as I know, having someone actually looking at the source and working out the bugs *is* a good thing. The fact that people have been sued and/or had their careers ruined for reporting vulnerabilities in proprietary products also plays into this, don't you think?

“IIS has come quite a long way since the days of Windows NT/2000. IIS6 is a major improvement and IIS7 is a thing of beauty. When I show people how IIS 6 works, they become impressed.”

Maybe so.

Just to be fair, I will say this in defense of IIS…

Apache is written in C, while IIS is more of an object-oriented C++ product, which by itself can translate into more calls.

Taking another page from Apache’s playbook [good things get copied, right?]:

  • Microsoft switched to a fully modular design with IIS 7.
  • IIS 7 can now be configured from text files (applicationHost.config and per-site web.config).
  • IIS 7 can be administered from the command line, with appcmd.exe or the IIS PowerShell snap-in.

“First they ignore you, then they laugh at you, then they fight you, then you win.” – Mahatma Gandhi.