The Nimda worm began infecting systems on 18 September 2001, damaging local files and files on remote network shares. Nimda, which spread to tens of thousands of computers within hours, attacked IIS through vulnerabilities for which patches were already available, including the back door left on servers by Code Red II, a variant of the Code Red worm that emerged in July and infected hundreds of thousands of systems.
Gartner said this trend showed how easy it is to attack Web servers based on IIS, which is used by an estimated six million Web sites worldwide. More than 10 security flaws affecting IIS or additional components of the software have been discovered this year alone.
"Using Internet-exposed IIS Web servers securely has a high cost of ownership," said Gartner analyst John Pescatore. "Enterprises using IIS Web server software have to update every IIS server with every Microsoft security patch that comes out - almost weekly. Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches."
Gartner said it is concerned that viruses and worms will continue to attack IIS until Microsoft releases a completely rewritten version of the software. It said companies should look at alternatives to IIS, including Web software from other suppliers such as iPlanet and Apache.
Microsoft disagrees with Gartner's recommendation, and users and analysts have also raised questions about the report's conclusions.
Kevin McCuistion, group product manager for Exchange at Microsoft, said, "Microsoft understands that security is a problem, but the Gartner recommendation is like saying, 'people have accidents in cars so you should stop driving'."
Some users questioned Gartner's conclusions and the security procedures of companies infected by Nimda, Code Red and other worms.
"[Gartner's] logic is completely flawed," said John Kenyon, president of e-commerce at Web services company FreshSpark. "Since the patches that protect against both Code Red and Nimda were publicly available well before either of these worms struck, it seems that enterprises that were struck by these viruses might do better to first consider an alternative to their server administrators."
Frank Prince, an analyst at Forrester Research, questioned how much blame could be put on Microsoft. "People attack systems that are broadly deployed," he said. "Firms have risk with the high-profile platforms no matter who built them."