Drop IIS 4 and 5 Now

Info-Tech Advisor: Research Note

Published: November 21, 2006


Port80 Software periodically surveys Fortune 1000 companies to discover what publicly-facing Web server each uses. Just released in October, the results from August 2006 confirm that IIS owns twice the market share of Apache in the Fortune 1000 space.

IIS 4 and 5?

Alarmingly, eight surveyed enterprises still use IIS 4. Version 4 was abandoned by Microsoft in December 2004, leaving it open to future exploits for which there will be no patches. After its launch in 1998, IIS 4 required almost monthly patches until version 5 shipped in 2000.

Common attacks against IIS 4 and 5 included:

  • Buffer overruns. Failure to check buffers allowed exploits through URL formation and file download requests. Attackers simply sent more information than expected, overflowing the buffer with commands not normally executable by an end user.
  • Source code exposure. Crafted HTTP headers could trick IIS into revealing source code information.
  • Script insertion. Failure to filter script input enabled man-in-the-middle...
This article is available in full to members of Info-Tech Advisor.