When I attended the Microsoft Technology Summit a couple of months ago, I remember that one of the presenters proclaimed that IIS 6.0 was more secure than Apache. This was met by some disbelieving groans from the Java/Open Source audience. Recently, however, I've been researching IIS 6.0 for a report I'm working on. I was surprised to discover that Microsoft IIS 6.0 had far fewer reported security vulnerabilities than Apache HTTP Server in 2004.
According to Secunia, which monitors security vulnerabilities for over 4,500 products, Internet Information Server (IIS) 6.0 had only two security vulnerability alerts in 2004, one of which was moderately critical and the other not critical. In comparison, Apache HTTP Server 2.0 had twelve security vulnerability alerts in the same period, ranging from moderately critical (42%) to less or not critical (58%). Similarly, the Open Source Vulnerability Database (OSVDB), an independent open source vulnerability database, reported twelve vulnerabilities for Apache HTTP Server 2.0 in 2004 compared to one vulnerability reported for Microsoft IIS 6.0 in the same period.
In terms of market share, however, we have to consider the fact that, according to Netcraft.com, Apache was used by 68% of domains while Microsoft IIS was used by 21% at the end of 2004. Obviously, the vulnerability data shown above is not definitive proof that IIS 6.0 is more secure than Apache 2.0, but it is intriguing. According to an article by Marcin Policht, as well as a more recent article by Rohyt Belani and Michael Muckin, Microsoft made a number of improvements to IIS 6.0 to harden the platform. Perhaps Microsoft's Secure Computing initiative is starting to pay off.
I would be very interested in hearing about more data that either supports or refutes the data I found on the two vulnerability databases. The more data, the better.
Update: 4 hours later
Just found this interesting post from April 12th on AskTech.com:
"This week, Microsoft security is dropping off eight updates to cover 18 vulnerabilities in a range of widely deployed products...In all, Microsoft is patching five vulnerabilities in the TCP/IP stack, the most serious of which could let an attacker install programs; view, change or delete data; or create new accounts with full user rights."
Obviously, the TCP/IP stack is used by IIS 6.0, so this would seem to indicate that the vulnerability databases' data are not the last word. The question is, were these TCP/IP vulnerabilities ever exploited? Or are they vulnerabilities that Microsoft got wind of and fixed itself before anyone could exploit them?
I have to admit I'm not a security expert. I did, however, consult a security expert who told me this:
Keep in mind that the open source community tends to report (and fix) many more vulnerabilities than commercial vendors. So you can't measure security by the number of reported vulnerabilities alone; you also need to evaluate architecture, style of use, level of threat interest, and consequences of reported attacks.
It is nonetheless an interesting data point that IIS 6.0 got through one year with only 2 vulnerabilities that Microsoft felt forced to acknowledge, or that could be substantiated and published by independent researchers. This is clearly proof that IIS has become less insecure.