Millions still running the risk with Windows Server 2003

More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.

The number of web-facing computers running Windows Server 2003 has been on a gradual decline since its peak usage in 2011, but many servers are still using it. Mainstream support for Windows Server 2003 ended in July 2010.

Extended support for Windows Server 2003 ended on July 14, 2015. Crucially, this means that Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warns that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.

Windows Server 2003 was originally launched over 12 years ago, with the latest major update being released 8 years ago in the form of Service Pack 2. This update was particularly beneficial for web servers, as it added the Scalable Networking Pack (SNP), which allowed for hardware acceleration of network packet processing.

Fifth of the internet still running Windows Server 2003

Netcraft's July 2015 Web Server Survey found 175 million websites that are served directly from Windows Server 2003 computers. These account for more than a fifth of all websites in the survey, making the potential attack surface huge.

Most of these sites (73%) are served by Microsoft Internet Information Services 6.0, which is the version of IIS that shipped with Windows Server 2003 and the 64-bit edition of Windows XP Professional; however, it is rare to see the latter being used as a web server platform.

The remaining Windows Server 2003-powered sites use a variety of web server software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8, NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most commonly seen Server headers. While vulnerabilities in these software products can be addressed by applying patches or updates, future vulnerabilities in the underlying Windows Server 2003 operating system may never be fixed.

14 million of the sites did not send a Server header at all, so it was not apparent whether the web server software used by these sites could be updated, but the underlying computers could still be identified as running Windows Server 2003. Netcraft determines the operating system of a remote web server by analysing the low-level TCP/IP characteristics of response packets, and so it is independent of whichever server software the site claims to be running.

Backend servers might also be exploitable

In addition to the 175 million websites that are served directly from Windows Server 2003 computers, a further 1.7 million sites served from other operating systems sent the Microsoft-IIS/6.0 Server header. This indicates the presence of backend Windows Server 2003 machines behind load balances and similar devices that are not running Windows.

For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the Windows Server 2003 machine is not directly exposed to the internet, it may still be possible for a remote attacker to exploit certain Windows and IIS vulnerabilities.

How many Windows Server 2003 installations are exposed to the web?

Netcraft has developed a technique for identifying the number of unique computers that act as web servers on the internet. The 175 million sites that use Windows Server 2003 make use of 1.6 million distinct IP addresses. However, an individual computer running Windows Server 2003 may have multiple IP addresses, which makes this an unsuitable metric for determining how many installations there are.

Further analysis of the low-level TCP/IP characteristics reveals a total of 609,000 web-facing computers running Windows Server 2003. This is over 10% of all web-facing computers, and shows the true potential cost of migration, as software licensing is typically charged on a per-machine rather than per-IP address basis.

Who's still using Windows Server 2003?

China and the United States account for 55% of the world's Windows Server 2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web facing computers.

Within China, more than 24,000 of these computers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at its rapidly growing cloud hosting unit, Aliyun.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

Aliyun still allows its customers to create Windows Server 2003 virtual machines.

One of the most prominent companies still using Windows Server 2003 on the internet is LivePerson, which is best known for the live chat software that allows its customers to talk to their visitors in realtime. Its main site at www.liveperson.com uses Microsoft IIS 6.0 on Windows Server 2003, and several other sites related to its live chat functionality — such as sales.liveperson.net — also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG IP web-facing devices.

Even some banks are still using Windows Server 2003 and IIS 6.0 on their main sites, with the most popular ones including Natwest, ANZ, and Grupo Bancolombia. These sites rank amongst the top 10,000 in the world, and hundreds of other banking sites also appear to be using Windows Server 2003.

ING Direct and Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through F5 BIG-IP or similar devices, rather than having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on public-facing sites, including Panda Security and eScan.

While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.

PCI compliance: Automatic failure

Companies still using unsupported operating systems like Windows Server 2003 in a cardholder data environment should migrate immediately. All organisations and merchants who accept, transmit or store cardholder data must maintain a secure PCI compliant environment.

The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data and sensitive authentication data. PCI DSS Requirement 6.2 requires all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches. This will not be possible with Windows Server 2003, as no more security updates will be made available by Microsoft.

Additionally, merchants and service providers who handle a large enough volume of cardholder data must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such as Netcraft) in order to maintain compliance. ASVs are required to record an automatic failure if the merchant's cardholder data environment uses an operating system that is no longer supported.

In some cases, the PCI SSC can allow for risks to be mitigated through the implementation of suitable compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system – especially one which will become less secure as time goes by, as new vulnerabilities are discovered.

Consequently, many merchants still using Windows Server 2003 is likely to be noncompliant, and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts.

Microsoft advises that any datacenter still using Windows Server 2003 needs to protect its infrastructure by planning and executing a migration strategy. Some possible options suggested by Microsoft include switching to Windows Server 2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has provided an interactive Windows Server 2003 Migration Planning Assistant, which, incidentally, is hosted on Microsoft Azure.

Finding out more

Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at sales@netcraft.com for bespoke datasets.

For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at security-sales@netcraft.com.

Counting SSL certificates

The SSL/TLS protocol — used to protect sensitive communication across the internet — combines encryption with authentication, providing a private connection to the intended recipient. To achieve this, SSL certificates bind together a cryptographic key and a domain name, and are digitally-signed by a trusted certificate authority (CA). Commercial CAs compete to sell certificates to the general public and account for the bulk of the SSL certificates seen on the internet.

Netcraft's SSL Server Survey has been running since 1996 and has tracked the evolution of this marketplace from its inception — there are now more than one thousand times more certificates on the web now than in 1996. As CAs issue certificates, and most charge (or not charge) accordingly, the number of certificates issued becomes the natural unit of measurement. Our survey therefore counts valid, trusted SSL certificates used on public-facing web servers, counting each certificate once, even if used on multiple websites.

certs

Two types of certificates make the distinction between counting sites and certificates most apparent: multi-domain certificates and wildcard certificates. These two types now account for almost a quarter of all certificates found.

  • Multi-domain certificates (or UCC certificates) use the Subject Alternative Name extension to specify additional hostnames for which this certificate is valid — CloudFlare uses this technique heavily, having dozens of unrelated sites share the same certificate.
  • Wildcard certificates are valid for all possible subdomains of a domain, for example *.netcraft.com would be valid for www.netcraft.com, host-a.netcraft.com, host-b.netcraft.com, etc. Our methodology counts a wildcard certificate once, no matter the number of sites for which it is valid.

Netcraft also counts certificates used by subdomains. For example, if foo.example.com, bar.example.com and baz.example.com are all using different SSL certificates, Netcraft will count all three certificates that have been issued.

Although the global SSL ecosystem is competitive, it is dominated by a handful of major CAs — three certificate authorities (Symantec, Comodo and GoDaddy) account for three-quarters of all issued SSL certificates on public-facing web servers. The top spot has been held by Symantec (or VeriSign before it was purchased by Symantec) ever since the survey began, with it currently accounting for just under a third of all certificates. To illustrate the effect of differing methodologies, amongst the million busiest sites Symantec issued 44% of the valid, trusted certificates in use — significantly more than its overall market share.

However, nothing ever stays still forever — Let's Encrypt could shake up the market for SSL certificates later on this year by offering free certificates with a simplified installation process. Whilst free certificates and automated tools are nothing new, the open approach and the backing of Mozilla, IdenTrust, the EFF, and Akamai could change the SSL ecosystem forever.

Beyond counting certificate numbers, Netcraft's SSL Survey also tracks the list and reseller prices of the most popular certificate authorities. This provides another useful market share metric, as it allows us to estimate the total monthly and annual revenue of each certificate authority attributable to public SSL issuance.

As each type of certificate — multi-domain, wildcard, or Extended Validation for example — is available at a distinct price point, the estimated revenue of a CA can vary significantly, despite initially appearing similarly sized by the total number of certificates. For example, GlobalSign comes in third-place when considering its estimated annual revenue (by list price) in 2014, despite accounting for approximately 6% of all currently valid publicly-visible SSL certificates.

For additional information or details on how to purchase Netcraft’s SSL Server Survey please contact us at sales@netcraft.com or visit our web site.

Instagram forgets to renew its SSL certificate

Instagram's SSL certificate expired at midday GMT on Thursday 30th April 2015 and was not replaced for more than an hour, leaving visitors unable to access the site without seeing browser warnings.

Browser warnings caused by Instagram's expired SSL certificate.

Browser warnings caused by Instagram's expired SSL certificate.

The expired DigiCert-issued certificate that was being served from https://instagram.com/ has now been replaced with a different certificate, valid until 15th October 2015.

Users who ignore the warnings from their browser could be at risk of man-in-the-middle attacks, where a correctly-positioned attacker can surreptitiously steal usernames, passwords and session cookies without the victim's knowledge.

Although the HTTP version of the site redirects to HTTPS, instagram.com does not currently make use of HTTP Strict Transport Security — an HTTP header that permits a site to specify that future visits must be over HTTPS. As a result, customers can bypass the warning message, placing them at risk of man-in-the-middle attacks.

If HSTS had been in use, visitors would correctly not be able to bypass the error message, protecting them from man-in-the-middle attacks, but leaving them without the ability to connect to instagram.com. As HSTS does not protect the user on their first visit, website owners can request to have their HSTS rules embedded into the browser via Chrome's preload list.

instagram-cert-error

The SSL error message in Google Chrome can be bypassed for instagram.com (which does not use HSTS).

paypal-cert-error

In simulating an attack on www.paypal.com (which does use HSTS), Chrome's SSL error message cannot be bypassed.

instagram.com is the 310th most popular website amongst users of the Netcraft Toolbar. The Instagram app does not appear to be affected, as it makes use of a different server at i.instagram.com, which uses a valid certificate.

The SSL certificate used by instragram.com expired at midday UTC

The SSL certificate used by instagram.com expired at midday UTC

Hostinger hosts over 90% of all Steam phishing sites

Netcraft blocked more than 1,400 Steam phishing URLs last month, spread across 331 different websites. Surprisingly, more than 90% of these sites were hosted by just one company: Hostinger.

With more than 125 million active accounts, Steam continues to make an attractive target for fraudsters. The number of phishing attacks targeting Steam rose significantly last month, even though the fraudsters behind these attacks have had to change their tactics a few times. Last year, a popular ruse was to use Steam's own chat client to trick victims into visiting look-alike domain names similar to the genuine steamcommunity.com. This modus operandi continued into 2015, but became less effective after Steam started to remove suspicious links from chat messages.

Consequently, many Steam phishers have abandoned the idea of registering their own look-alike domains (only two were blocked last month), and are instead using subdomains provided by free hosting services such as Hostinger. These allow the fraudsters to host Steam phishing sites with addresses like steamcommuniity.hol.es, steampoweredssuport.esy.es and steamcomcoomity.16mb.com – not quite as convincing as the hostnames used in previous attacks, although the deliberate misspellings are similar.

A Steam phishing site hosted at steamcomcoomity.16mb.com

A Steam phishing site hosted by Hostinger at steamcomcoomity.16mb.com

Lithuania-based Hostinger provides many different second-level domains under which its customers can host a website, and the most common ones used in these attacks were esy.es, besaba.com, 16mb.com, wc.lt, hol.es and pe.hu.

Hostinger displays this content on each of its free hosting  domains. Hostinger covers its costs by offering paid upgrades for those who need  more resources.

Hostinger displays this content on each of its free hosting domains. Hostinger covers its costs by offering paid upgrades for those who need more resources.

Free hosting providers are an obvious choice for fraudsters who wish to carry out phishing attacks without leaving a financial trail. Hostinger's offerings look particularly conducive for phishing, as they do not display ads on their customers' sites, and they provide support for PHP (nearly all phishing kits are written in PHP).

Nonetheless, the incredible popularity of Hostinger within the Steam phishing arena is rather unusual. While Hostinger was used to host over 90% of all Steam phishing URLs, it hosted only 0.6% of all other phishing attacks that were blocked during March.

This preference of using Hostinger could suggest that the fraudsters behind most of these Steam phishing attacks are working together or copying each others' methodologies. In addition, there are examples of phishing sites that have remained up for long periods of time, which makes it an attractive hosting location for phishers. The hostname steamcomcoomity.16mb.com (shown in the earlier screenshot) has been serving a Steam phishing site from Hostinger's infrastructure since last year and is still serving it at the time of writing.

Netcraft provides a Phishing Alerts service for hosting providers and domain registrars who are unwittingly providing facilities for phishing. Brand owners can also use Netcraft's Takedown service to identify phishing attacks against them and get fraudulent sites shut down.

Google’s April Fool’s prank inadvertently broke their security

As part of its traditional series of April Fool's day jokes, Google used its own .google gTLD to launch a backwards version of its home page from the domain com.google on 1st April.

However, this year's joke inadvertently undermined an important security feature on Google's real homepage, which made it vulnerable to user interface redressing attacks such as click-jacking. This vulnerability would have allowed a remote attacker to change a user's search settings, including turning off SafeSearch filters.

The backwards content displayed on com.google

The backwards content displayed on com.google on 1 April 2015

The issue stemmed from the way com.google used an iframe to display backwards content from google.com. This would not normally be possible, as google.com uses the X-Frame-Options HTTP response header to prevent other websites from displaying itself within an iframe. But for the purpose of the April Fool's joke, Google stepped around this problem by passing the parameter "igu=2" to google.com, which not only told it to display the content backwards, but also instructed the server to omit the X-Frame-Options header entirely.

com.google uses an iframe to display a backwards search page from google.com. Also not the reversed text in the HTML comment, revealing that it is an April Fool's day joke.

com.google used an iframe to display a backwards search page from google.com. Also note the reversed text in the HTML comment.

A remote attacker could also have leveraged this "feature" to display the Google Search Settings page in an iframe on an external domain, and trick his victims into unwittingly changing those settings. A carefully constructed clickjacking attack could have gone unnoticed by each victim until it was too late and the settings had already been changed.

To highlight the different responses, the following was an ordinary response from Google's Search Settings page at https://www.google.com/preferences?hl=en&fg=1. Note the presence of the X-Frame-Options header:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 35486
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:54:14 GMT
Expires: Wed, 01 Apr 2015 09:54:14 GMT
Server: gws
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15

Conversely, with the igu=2 parameter appended, the X-Frame-Options header was omitted from the response, allowing the page to be displayed in a frame on an attacker's own website:

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 33936
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:58:30 GMT
Expires: Wed, 01 Apr 2015 09:58:30 GMT
Server: gws
Set-Cookie: [redacted]
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
Google's Search Settings being successfully displayed within an iframe on a Netcraft domain

Google's Search Settings being successfully displayed within an iframe on a Netcraft domain on 1 April 2015 (this content is not served backwards).

Changes made to the above settings via the iframe would persist across the user's session when they subsequently used google.com in a normal window. Netcraft reported this issue to Google and it has since been resolved — the method described in this article can no longer be used to display the settings page within an iframe on an external domain.

Critical Windows vulnerability affects at least 70 million websites

The race is on to patch nearly a million Windows web servers, following the publication of code that can identify the presence of a serious vulnerability announced by Microsoft on Tuesday.

The critical vulnerability lies within Microsoft's HTTP protocol stack, known as HTTP.sys. The maximum security impact, according to Microsoft Security Bulletin MS15-034, is remote code execution — by sending a specially crafted HTTP request to a vulnerable server, a remote attacker can execute arbitrary code on that server.

An ongoing scan for this vulnerability suggests that the test performed by the published code is inconclusive, as it might erroneously give the all-clear to a server that returns non-static content, even if it is in fact vulnerable.

However, Netcraft's latest Web Server Survey shows more than 70 million websites could be vulnerable, including Microsoft IIS servers that sit behind non-Windows load balancers. The total number of servers involved in hosting these sites stands at around 900,000, which is more than a sixth of all web-facing computers in the world.

The affected versions of Windows includes Windows Server 2008 R2, 2012 and 2012 R2. Windows 7, 8 and 8.1 are also vulnerable, but are not commonly used to host websites. Microsoft's security bulletin does not include Windows Server 2003 in the list of affected versions, so the 130 million sites that run IIS 6.0 on this older operating system would appear to be safe (at least from this particular issue).

Given the swift publication of code that could potentially be developed into a practical exploit, it is essential that all Windows server administrators apply the necessary security updates as a matter of urgency.

Microsoft has already released a security update for this vulnerability, so don't delay, apply today!