Doubts cast on Microsoft security

The analyst firm Gartner has warned users hit by the Code Red and Nimda worms to "immediately investigate alternatives" to Microsoft's Internet Information Server (IIS), because other Web server applications have better security records.

IIS is used by an estimated six million Web sites worldwide. The frequent discovery of security vulnerabilities in the software means those Web sites are constantly open to new attacks.

More than 10 security flaws affecting IIS or various additional components of the software have been discovered this year alone.

Microsoft offers frequent patches on its Web site for these flaws and has a large network of support personnel working with customers to give them information about patches. Nevertheless, most of the major worms that have caused trouble in 2001 have exploited problems in IIS.

Gartner's recommendation was released in the same week as the Nimda worm used months-old vulnerabilities in IIS, Microsoft's Internet Explorer Web browser and other software to spread to tens of thousands of computers in a matter of hours.

The Code Red worm, which infected hundreds of thousands of IIS systems in July and August, also crept into servers lacking the patch released in June.

The central role of IIS in these incidents, and the need for constant patching of other Microsoft products, led to the Gartner recommendation, written by Information Security Strategies analyst John Pescatore.

The number of worms and the need for patches to combat them means IIS is labour- and resource-intensive as well as risky, Pescatore wrote. In addition, the high visibility of IIS made the software a bigger target for attack.

A new version of IIS needs to be written from the ground up and publicly tested, said Pescatore - an event he did not envisage happening before the end of 2002. Until then, companies should seek out alternatives, he concluded.

Not surprisingly, Microsoft disagreed with Pescatore's recommendation. So too did many users and analysts.

"The Gartner recommendation ignores the fact that security is an industry-wide issue and that serious security vulnerabilities have been found in all Web server products and platforms," including IIS, said a spokesman for Microsoft. IIS is "as secure as our competitors' products", he added.

Some users questioned Gartner's conclusions as well as the security procedures used by companies infected by Nimda, Code Red and other worms, despite patches being available.

"[Gartner's] logic is completely flawed," said John Kenyon, president of e-commerce and Web services company FreshSpark. "Since the patches that protect against both Code Red and Nimda were publicly available well before either of these worms struck, it seems that enterprises that were struck by these viruses might do better to first consider an alternative to their server administrators."

"If security is ever going to really be an enabler [of new products and services], we can't say 'stop using software solutions'," said Pete Lindstrom, an analyst with Hurwitz Group.

The cycle of patches and human administration may not be the answer, he added. The future may lie with managed security services and software add-ons to IIS offered by third-party companies.

Forrester Research's Frank Prince also questioned how much blame could be heaped on Microsoft.

"People attack systems that are broadly deployed," he said. "Firms have risk with the high-profile platforms no matter who built them."

Hurwitz's Lindstrom did not believe that the Gartner report would necessarily lead to many IIS users switching platforms.

Companies have substantial investments in their software and applications and it is "completely unreasonable to believe that you could just do that," he said.

Microsoft wasn't surprised by the criticism, said a spokesman for the company. "We're an industry leader. We're held to a higher standard. We understand that and accept that responsibility," he said.

"We've got many more problems looming on the horizon if we don't change the paradigm [of how we think about and administer security]," he added.
