  1. False Start for Cyber Security Challenge?

    A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.

    Ironically, the programme has been established by a management consortium of key figures in cyber security, and is designed to identify and nurture the UK's future cyber security workforce.

    The simple coding error was demonstrated a short while ago by James Wheare. It is not clear whether this security vulnerability is part of the challenge, but we suspect not.

    Mr Wheare told Netcraft that he was prompted to look for the hole after reading a friend's tweet, and noticed insufficient encoding in the page's <title> and <h2> tags.

    Users of the Netcraft Toolbar are protected against cross-site scripting (XSS) attacks like these, which could otherwise be used to launch cross-site request forgery (CSRF) attacks, modify the content of pages on the Cyber Security Challenge website, or steal session identifiers from victims.
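    To illustrate the encoding problem described above, here is an added example (not code from the Cyber Security Challenge site or from Netcraft) using a constructed page template that reflects a user-supplied string into its <title> and <h2> text, first verbatim and then HTML-encoded, together with a small check that counts tag openers the input must not be able to add:

```python
import html

# Constructed illustration (not the Cyber Security Challenge site's code): a page
# that reflects a user-supplied string into its <title> and <h2> text content.
TEMPLATE = (
    "<html><head><title>Search: {q}</title></head>"
    "<body><h2>Results for {q}</h2></body></html>"
)

# Number of '<' characters the template contributes on its own; any extra
# '<' in a rendered page must have come from the reflected input.
TEMPLATE_TAG_OPENERS = TEMPLATE.count("<")


def render_unsafe(query: str) -> str:
    """Vulnerable form: the query is interpolated verbatim, so '<' and '>' in it
    become markup. <title> is an RCDATA element, so a value containing a literal
    '</title>' ends the element early and everything after it is parsed as HTML."""
    return TEMPLATE.format(q=query)


def render_safe(query: str) -> str:
    """Hardened form: HTML-encode the value before it lands in text content.
    '&lt;' is still displayed as '<' in both elements, so ordinary input looks
    exactly the same to the user."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def injects_markup(rendered: str) -> bool:
    """Cheap regression check for this template: did the reflected value add any
    tag opener beyond the ones the template itself contains?"""
    return rendered.count("<") != TEMPLATE_TAG_OPENERS


if __name__ == "__main__":
    sample = "</title><b>hello</b>"  # constructed input that contains markup
    print("unsafe injects:", injects_markup(render_unsafe(sample)))  # True
    print("safe injects:  ", injects_markup(render_safe(sample)))    # False
```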


    Netcraft also provides a comprehensive range of internet security services which identify vulnerabilities such as cross-site scripting in web applications. Netcraft has informed Cyber Security Challenge UK about the vulnerability.

    Posted by Paul Mutton on 30th April, 2010 in Security

  2. April 2010 Web Server Survey

    In the April 2010 survey we received responses from 205,368,103 sites — a slight fall in the number of sites found.

    Three of the five major web servers lost hostnames compared to last month. The two servers to gain sites in the April survey are Microsoft, with over half a million more sites than in March, and nginx with just over 300k new sites. For nginx this reverses the trend of the last three months, when it lost sites due to stale WordPress blogs being expired from the survey.

    The survey results this month also show how Chile's internet infrastructure has been affected by the earthquakes which hit the country at the end of February and beginning of March. The two major earthquakes had magnitudes of 8.8 and 6.9 respectively and it is estimated that they took out up to 60% of networks. Despite the scale of the disaster, the number of hostnames seen in Chile this month fell by only 12%.

    Graph: Total Sites Across All Domains, August 1995 - April 2010

    Graph: Market Share for Top Servers Across All Domains, August 1995 - April 2010


    Developer   March 2010    Percent   April 2010    Percent   Change
    Apache      112,747,166   54.55%    110,752,854   53.93%    -0.62
    Microsoft   50,572,540    24.47%    51,284,570    24.97%    0.50
    Google      14,592,133    7.06%     13,749,829    6.70%     -0.37
    nginx       12,673,962    6.13%     12,977,486    6.32%     0.19
    lighttpd    1,657,584     0.80%     1,078,403     0.53%     -0.28

    Posted by Netcraft on 15th April, 2010 in Web Server Survey

  3. Windows users vulnerable to flaw in Java Web Start

    An unresolved security flaw in Java Web Start could be putting millions of Windows users at risk. The bug – discovered by Tavis Ormandy – allows arbitrary options to be passed to the Java virtual machine via the javaws command line application. This gives an attacker the opportunity to execute malign JAR files on the victim's computer.

    Tavis informed Sun (now owned by Oracle) about this problem, but states they did not consider the vulnerability to be important enough to break their quarterly patch cycle. Given how easily the flaw was discovered, Tavis disagreed and published his advice to temporarily disable the affected control until it gets fixed.

    All versions since Java SE 6 Update 10 for Windows are believed to be vulnerable. Working exploits for this vulnerability are now in the public domain, so it is important to apply one of the workarounds suggested by Tavis:

    • Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA.
    • Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.

    Full details can be found in Ormandy's post to the Full Disclosure mailing list.

    Netcraft's Web Server Survey shows that Java Web Start is very seldom used by websites, so there is perhaps little to be lost by disabling JNLP support completely. Only 0.002% of the active sites in the April 2010 survey used JNLP technology on their homepages, whereas 0.26% of homepages contained traditional Java Applets.

    Although Java usage is growing amongst mobile devices, and continues to remain strong as a server-side technology, it appears to have lost the battle for interactive client-side desktop browser technology. The combined share of JNLP and Applets pales into insignificance when compared with Adobe Flash, which is now found on more than 15% of all homepages.

    Posted by Paul Mutton on 13th April, 2010 in Security

  4. Most Reliable Hosting Company Sites in March 2010

    Rank  Company site  OS  Outage (hh:mm:ss)  Failed Req%  DNS  Connect  First byte  Total
    1 www.memset.com Linux 0:00:00 0.012 0.586 0.129 0.260 0.260
    2 DataPipe FreeBSD 0:00:00 0.016 0.065 0.027 0.056 0.083
    3 iWeb Technologies Linux 0:00:00 0.016 0.134 0.083 0.165 0.165
    4 ReliableServers.com FreeBSD 0:00:00 0.016 0.250 0.083 0.197 0.337
    5 INetU unknown 0:00:00 0.021 0.702 0.073 0.158 0.301
    6 Swishmail FreeBSD 0:00:00 0.021 0.159 0.086 0.173 0.438
    7 www.singlehop.com Linux 0:00:00 0.021 0.258 0.104 0.429 0.962
    8 Hosting 4 Less Linux 0:00:00 0.025 0.116 0.091 0.186 0.474
    9 Kattare Internet Services Linux 0:00:00 0.029 0.153 0.093 0.187 0.443
    10 www.dinahosting.com Linux 0:00:00 0.029 0.121 0.130 0.258 0.258


    Memset had the most reliable hosting company site in March, responding to all but three of Netcraft's requests.

    Memset provides dedicated physical and virtual servers, all-inclusive managed hosting and cloud-computing services from their two data centres near Reading, UK. Memset uses Apache on Linux to run their own website.

    The second most reliable hosting company site in March was DataPipe, responding to all but four of Netcraft's requests.

    DataPipe provides custom managed hosting solutions for businesses with complex Internet-facing infrastructures, serving over 1,000 customers from seven data centres across the United States, Europe and China. DataPipe uses Apache on FreeBSD to run its own website.

    Six of the top ten in March were identified as running Linux and three as running FreeBSD. The operating system used by one of the top ten could not be identified.

    Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen-minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24-hour period.

    From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, because it gives a pointer to the reliability of routing. This is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage.

    Further information on the measurement process, together with the current measurements, is available.

    Posted by Jennifer Cownie on 1st April, 2010 in Performance