A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used. From a report on PCWorld: The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003. Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
Why would someone run a Microsoft web server vs. Nginx on OpenBSD?
Just asking, cuz I honestly can't fathom a situation where this would be desirable??? Maybe I'm missing something?
You're missing the baseball/handegg/etc tickets someone high in your company got.
This pretty much summed up our last CIO Meeting.
It doesn't matter how secure your OS is if you're running a vulnerable web server. If you open telnet on OpenBSD, you can consider yourself pwned.
Nginx has a better record than IIS, but you know, it's not perfect [cvedetails.com]. Maybe you can run a proxy in front of it to defend against security vulns.
ASP.NET, C# and .NET are actually quite good. (Score:3, Insightful)
I suppose you've never used ASP.NET or C# or .NET at any point.
Well, it turns out that they're actually quite good. Their biggest drawback, until recently, was that they were only supported on Windows.
But in terms of functionality, they're even still lightyears ahead of anything the open source community has managed to create.
ASP.NET is a sane, sensible way of building large-scale web applications and web APIs. It provides useful abstractions, but without going totally overboard like so many Java web frameworks.
This may be so. And I'm not going to get pulled into a discussion of how good/bad .NET and its minions are. But it raises the question of why these organizations haven't moved up to a current, supported version of Windows Server and IIS.
Because rewriting all your ASP.NET apps to run under nginx costs a lot for little noticeable business benefit.
Off the top of my head:
-Dependency on a Microsoft technology from that era, e.g. ActiveX
-The application it runs was made by a consulting company and cannot be upgraded/replaced with something else without undue cost
-Because the administrator was/is a Minesweeper Consultant and Solitaire Expert who doesn't know anything about this Linux stuff
-There is no administrator at all and the server is basically some dust-collecting artifact somewhere, running forever until the hardware fails.
There's nothing you can do about idiot admins (Score:3)
Extended support finished 2 years ago, yet apparently there are still many admins (I use that term advisedly) running public-facing websites who think it's perfectly acceptable to run this software. This is beyond moronic, but short of giving them all a royal kick up the backside I can't see a solution unless the companies involved fancy paying MS $$$ for a fix just for them.
You'll be hard pressed to find even a Windows admin who wants to run 2003-era stuff now. But due to the high cost of Windows infrastructure, reluctant beancounters, and their lack of political savvy, they have neither the manpower nor the budget to upgrade, and lack the confidence to quit over it.
Sure it's based on bad decisions from the past, but today they are paying the bill. And that cost may be having all of their private data exfiltrated.
The weak and foolish perish - same as always.
This is more about idiot developers who go all autistic at the thought of having to lift a finger to change code that won't work on newer versions of IIS.
From 2003? (Score:3)
independent web server surveys suggest that IIS 6.0 still powers millions of public websites
Whaa?? Who runs a public web site on a 14-year-old version of the server???? [builtwith.com] That site claims 8 million of them!
But that's what you get for choosing a MS product.
As a comparison: Apache moved on to Apache 2, but you can still run Apache 1 if you choose to, no matter the OS.
It's bad enough having to upgrade your servers to a new OS every few years. It's even worse to upgrade all web and database stuff to newer and usually not backward-compatible stuff.
Only idiots think 5 years is a long time. Plenty of stuff out there survives a few decades. It's not the new and shiny stuff that rules the cyberspace world, but more often than not the old and stable stuff.
Use Linux (Score:2)
Use. Linux.