Commentary: Another worm, more patches

With the emergence of Nimda, Gartner believes it is time for businesses to start investigating Web server products that are less vulnerable than Microsoft's.

2 min read
By John Pescatore, Gartner Analyst

With the emergence of the Nimda worm--the latest in a long series to attack Microsoft's Internet Information Server (IIS) and other software--Gartner believes it's time for businesses with Web applications to start investigating less vulnerable Web server products.

See news story:
Nimda dies down; companies recover
The Nimda worm can spread through e-mail, file sharing and Web site downloads.

As a "rollup worm," Nimda bundles several known exploits against Microsoft's IIS, Internet Explorer browser and operating systems such as Windows 2000 and Windows XP, which have IIS and IE embedded in their code. To protect against Nimda, Microsoft recommends installing numerous patches and service packs on virtually every PC and server running IE, IIS Web servers or the Outlook Express e-mail client. As the earlier Code Red worm showed, many servers and PCs running IIS Web server processes may not be obvious because they may be run as personal Web servers on the intranet but are still be exposed to the Internet.

Code Red also showed how easy it is to attack IIS Web servers. Thus, securely using Internet-exposed IIS Web servers has a high cost of ownership. Businesses using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out--almost weekly. However, Nimda has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft's frequent security patches.

Gartner recommends that businesses hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors such as iPlanet and Apache. Although those Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers.

Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten release of ISS that is thoroughly and publicly tested. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities every software product experiences has been uncovered and fixed. This move should include any Microsoft .Net Web service that requires the use of IIS. Gartner believes that this rewriting will probably not occur before the end of 2002.

(For related commentary on the Code Red worm, see Gartner.com.)

Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.