September 25, 2001 6:35 AM PDT
Gartner: Companies should drop IIS
Last week, the mass-mailing computer worm Nimda was released into the wild. It combined elements of the Web-based Code Red virus and attacked the same buffer-overflow vulnerability in Microsoft's IIS software. In a new report, Gartner recommends that companies affected by both worms should consider moving their Web applications to a more secure format.
"Using Internet-exposed IIS Web servers securely has a high cost of ownership," states the Gartner report. "Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."
Some antivirus experts dismissed the Gartner warnings as "knee-jerk" and "unnecessary."
Graham Cluley, senior technology consultant at security firm Sophos, is concerned that a mass move to alternative Web server software would cause more disruption than sticking with Microsoft IIS and patching it.
"Code Red was less about the vulnerability of IIS--as all software has bugs--but more about system administrators ignoring the warnings that came well in advance of Code Red," said Cluley.
According to Gartner, iPlanet and Apache offer advisable alternatives to Microsoft's server software.
"Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers," the report states.
Gartner analysts predict that it might be late next year before Microsoft's server software is safe enough for corporations.
"Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS," the report says.
Attempting to rank vendors according to their security success rate is a risky business. The aim of most virus writers is often for their worm to achieve the biggest impact, so they target widely used technology.
"Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley. "There are few viruses for the Macintosh in comparison to the PC, as the hacker will be going for the most popular platform," he said.
"Gartner's recommendations ignore the fact that security is an industrywide challenge, and serious vulnerabilities have been found in all server products and platforms," said Jim Desler, a Microsoft executive. "IIS is as secure as our competitors' products, and what differentiates Microsoft is our industry-leading response process," he said.
Staff writer Wendy McAuliffe reported from London.