Apache 2.0 Beats IIS at Its Own Game
By Jim Rapoza
eweek.com
Enterprises last week had 11 more reasons to rethink using IIS: 10 new security holes in the Microsoft Web server and the arrival of Apache 2.0.
After three years of development, Apache 2.0 (or, more accurately, Version 2.035) has finally been released. Unix users will find plenty to like in Version 2.0, but the biggest impact will be on Windows servers, where Apache can now perform as a production-level Web server.
Unlike previous Windows versions of the open-source server, which were built from ported Unix code, the new version is written as a native Windows application and is recommended by the Apache Software Foundation for production use.
And, based on our tests, we agree. eWEEK Labs compared the performance of Apache 2.0 and Microsoft Corp.'s Internet Information Services 5.0, both running on Windows 2000 Advanced Server. Apache kept pace with IIS during the entire test, which means that sites that move from IIS to Apache 2.0 on Windows won't have to worry about taking a performance hit.
When it comes to security, IIS doesn't come close to Apache. Apache's security track record is excellent, while IIS has taken hit after security hit. Just last week, Microsoft announced that 10 new security holes (several of which were serious buffer overruns) had been discovered in IIS.
One potential gotcha for organizations that wish to move to Apache from IIS is the open-source server's unfriendly administration interface: All configuration and administration is done by editing .conf files, although Version 2.0 has greatly streamlined configuration directives.
This gotcha may actually be a grabber for some: Many experts advise disabling administration interfaces, especially Web-based ones, because they are a potential attack point for hackers. Those who want a browser-based management interface despite the security risks can find it in Apache implementations from Covalent Technologies Inc. and IBM.
Of course, not all the benefits of Apache 2.0 are for Windows users—Apache also runs on every version of Unix, as well as on Mac OS, BeOS and OS/2. Companies with Unix versions of Apache will find that the server has been completely redesigned and can take advantage of POSIX support to run in a multiprocess, multithreaded mode that provides much greater scalability than before.
On Unix, don't expect a big performance boost with the new release. In tests of Apache 2.0 vs. Apache 1.3.24 running on Red Hat Inc.'s Red Hat Linux 7.2, performance was nearly identical (though still very good). However, platforms such as Solaris and AIX, where a process switch is relatively slower than it is on Linux, will benefit much more from Apache 2.0's hybrid process/thread design.
Apache modules are also significantly different in Version 2.0. The API for writing modules is completely new, and modules can now run as filters, giving them greater flexibility to act on content delivered from the server.
Most core modules of the server were available at press time, but several had yet to be ported to Version 2.0.
Because of the magnitude of some of these changes, eWEEK Labs recommends that any site planning a move to Apache 2.0 first set up a system on which it can test all its Web applications and specific setups to make sure they work well on the new server.
Apache 2.0 can be downloaded at httpd.apache.org.
Thanks to slashdot.org
Microsoft Warns of 10 IIS Flaws
By Dennis Fisher
eweek.com
In a move of virtually unprecedented scope, Microsoft Corp. on Wednesday released a bulletin warning of 10 new security vulnerabilities in several versions of its IIS Web server, several of which could give an attacker total control over a vulnerable system.
The vulnerabilities affect Internet Information Server 4.0, 5.0 and 5.1 in varying degrees. A cumulative patch is available for all of the new flaws here.
The most serious flaws are five separate buffer overruns in various parts of the code. There are two overruns in the data transfer mechanism in the Active Server Pages code, each of which could be exploited by overrunning the system's heap memory. This attack would either crash the IIS service or allow the attacker to run whatever code he chooses on servers running IIS 4.0.
Default installations of IIS 5.0 and 5.1 would give the attacker a lower set of privileges, the Microsoft bulletin said.
There are three other buffer overruns as well, one affecting the processing of HTTP headers; one resulting from an improper safety check during server-side includes; and another affecting the HTR ISAPI extension in IIS 4.0 and 5.0.
This bulletin is the latest in a series of fixes for the various versions of IIS, which has been much maligned in the last year. It was the target of choice of both the infamous Code Red worm and the Nimda worm, and its spate of security problems, in part, led to the development of Microsoft's current Trustworthy Computing initiative.
Microsoft officials acknowledge IIS' spotty record, but contend that buffer overruns—the most common of security vulnerabilities--are an industrywide problem, and one that the company is trying to root out.
"Buffer overruns are frequently sought after vulnerabilities by people doing security research and people who want to attack systems," said Scott Culp, manager of the Microsoft Security Response Center in Redmond, Wash. "We're trying to get better about eliminating them in our code. When they're found, they're frequently serious."
The overruns described in this latest bulletin have more serious consequences for systems running IIS 4.0, Culp said, because later versions of the product have improved security models that prevent the flaws from granting attackers system-level privileges.
IIS 4.0 only installs as part of the Windows NT 4.0 Option Pack. IIS 5.0 installs as part of Windows 2000 and runs by default on Windows 2000 Server, but must be turned on manually on workstations running that operating system, Culp said. And IIS 5.1 is only installed as part of Windows XP Professional.
In addition to the buffer overruns, the new bulletin also warns of two denial-of-service vulnerabilities and three cross-site scripting problems in IIS.
|
