One of the goals of Apache/2.0 was to better support operating systems other than Unix. While the Windows version of Apache/1.3 was advertised as experimental, it was hoped that in Apache/2.0 it would become much more widely established. However, since the first general release of Apache/2.0 there have been a string of security problems in the Windows (and other non-Unix) versions that may undermine confidence in the suitability of Apache for these platforms.
Windows Apache entries listed at mitre.org's common vulnerabilities database include directory traversal using dot-dot paths, revealing script source by appending invalid characters, and DOS device names causing a denial-of-service. The striking thing is that these are sterotypical vulnerabilities that over the years many other products have suffered from, and fixed. Apache developers will be disappointed that they were not able to learn from other people's mistakes sufficiently well to pre-empt the same vulnerabilities appearing in their own server.
In the current month's survey we find over 16,000 Apache Win32 sites on the 'Web which may be vulnerable to one of these problems.
Notwithstanding the security problems, the support for threading in Apache/2.0 is a major performance breakthrough for the Windows version and consquently sites using Apache on Windows have a bigger incentive to upgrade to version 2 than sites on Unix. This is reflected in the relative uptake of Apache/2.0: a little over 1% of all Apache sites are running version 2, but amongst Windows servers the proportion is over 7%.
Last month we pointed out a Windows 2000 site that had gone over two years without a reboot.
Unfortunately, www.byteandswitch.com's proud run came to an end coinciding with the SQL-Slammer worm at the end of January.
What reason might Dell give for running
www.dell.co.uk on NT4?
- When we say "Upgrade!" you must do what we say, not do what we do
- We're still waiting for our order to be delivered
- It's not broke, and we dont need to fix it.
- We're less of a target for attackers. There's no kudos in hacking anything more than 5 years old.
- We've been evaluating Linux, and have not yet reached a decision.
- It's just the front end machines. Everything else has been running Windows 2003 for months. Honest!
- The cobblers children didnt have shoes, either.
- That site doesnt see a lot of traffic. It just redirects to www.euro.dell.com
- If you think that running NT4 doesnt do a lot for our product advocacy, then you haven't seen what our evil competitor runs
This week Mandrake became the first major Linux distribution to fall into administration.
The survey finds around 88,000 sites running Mandrake, and the distribution also enjoys a reasonable following on the desktop.
The increasing availability and falling costs of high bandwidth connections
have posed a question to the continuing relevance of the Linux distribution
In 1995 only the very determined would have downloaded the Linux operating system over a 28.8K connection rather than pay for a CD, but equiped with a cable or DSL connection, the CD becomes much more optional.
Mandrake compounded this scenario by some commercially curious behaviour,
making freely downloadable images of each new release available over the internet
well before their CD editions were available.
Mandrake's approach was
seemed to actively encourage people to download the new releases rather than
opportunistic companies have been
able to sell CDs of new Mandrake
releases for weeks before Mandrake's own boxed sets became available.
Sun launched its Identity
Server this week, which is positioned as the first component of the Liberty
Alliance single sign-on scheme for web site authentication. When the Liberty
Alliance was first announced,
it seemed that its position was hopeless, as Microsoft Passport and AOL SNS
already had their systems implemented and deployed. However, Passport and SNS
have not by any means become pervasive, with this months survey finding fewer
than 100 unique sites using these systems and Liberty now seems to have a
plausible chance to compete with the established systems.
This month is the first time that a Windows 2000 site has appeared in the
50 top sites which have the longest period of time since last
has been running continuously since November 2000. When we first started
graphing web servers uptime in the summer of 2000, many people were skeptical that a Windows
machine would ever make the top 50. Perceptions change, and although two years is
exceptional, several Windows 2000 sites have run for more than a year without a
reboot. In the hosting industry, Microsoft partners Interliant
each have sites that have not been rebooted in over a year, while Microsoft
has also run several of its own sites
for over a year between reboots.