Netcraft: MDAC Vulnerability Affects Small Number of IIS Servers

Netcraft is trying to correct a misimpression surrounding Microsoft's two-week-old security bulletin involving Microsoft Data Access Components (MDAC).

Netcraft is well known for its monthly updates on the number of Web servers running Apache versus Internet Information Services. A Bloomberg news article about the MDAC vulnerability, a problem Microsoft labeled "critical," noted that Netcraft's figures put about 4 million active IIS servers out there -- making the vulnerability appear quite widespread.

But Netcraft says that in its own security testing business, it finds that the percentage of sites using the affected part of MDAC, the Remote Data Services, is very small.

"Approximately 8 percent of Microsoft-IIS sites tested in 2001 had RDS open to the public; in 2002 this has fallen to around 5 percent," Netcraft notes.

RDS is not enabled by default in IIS 5. RDS was introduced and enabled by default with IIS 4, but Microsoft's security checklists and IIS lockdown tool encourage Web masters to disable it.

"Almost no Microsoft-IIS/5.0 sites we have tested were offering RDS and the proportion of Microsoft-IIS/4.0 sites offering RDS is fairly stable at around one in four," Netcraft officials say. The caveats, according to Netcraft, are that its customer sample is fairly small and that sample is weighted toward IIS 5 customers. "But we think that only a fairly small section of the Microsoft-IIS community is likely to use RDS, and that it is rarely enabled on public sites."

Meanwhile, since October, Microsoft's IIS has enjoyed a slight gain in share among active Web sites, although the open source Apache Web server still dominates the market.

The November Netcraft numbers, released Monday, show IIS gained 0.53 points of share, climbing from 25.06 percent of active sites to 25.59 percent. In raw numbers, IIS sites went from about 4 million sites to nearly 4.25 million sites. Apache, meanwhile, stayed above 10 million active sites and runs nearly 65 percent of active sites, according to Netcraft.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Office 365 Attack Simulator Now Supports Attachments

    The Attack Simulator in Office 365 tool has been updated and now has the ability to include message attachments in targeted campaigns, according to a Friday Microsoft announcement.

  • How To Disable Touch Input in Windows 10

    When the touchscreen on your Windows 10 laptop goes bad, there's no reason to throw that baby out with the bath water.

  • Microsoft Previews Windows VM Authentications via Azure Active Directory

    Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.