Three quarters of Microsoft-IIS sites have WebDAV enabled


On 17th March Microsoft issued a security alert regarding a buffer overflow vulnerability which allows attackers to execute arbitrary code on Windows 2000 machines. The vulnerability is triggered by the Microsoft-IIS/5.0 implementation of the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol and is specific to Microsoft-IIS/5.0 - WebDAV was not supported in Microsoft-IIS/4.0, and Microsoft-IIS/6.0 is reported to be unaffected.

Microsoft-IIS/5.0 runs about 9 million web sites on just over 1 million ip addresses, making it the most widely deployed web server that has WebDAV enabled by default. Many sites disable WebDAV: best practice dictates that features that are not used should be disabled, and the IIS Lockdown tool recommended by Microsoft can disable WebDAV. However, although the number of sites that have disabled WebDAV is significant, our own data indicates that around three quarters of Microsoft-IIS/5.0 servers have WebDAV enabled, implying that at the time of announcement there were over 6 million vulnerable web sites.

The actual vulnerability occurs in a system DLL called by the WebDAV component, not in the WebDAV support itself. There may be ways to exploit this vulnerability via other components, or even other products. There is believed to be an exploit already in the wild for this vulnerability, and Windows 2000 administrators should apply the patch as soon as possible. CERT have issued an advisory (CA-2003-09), and Microsoft have issued a patch (see bulletin MS03-007).

The patch requires a reboot to become effective, and we have noticed that over half of the Microsoft-IIS/5.0 servers on the internet were rebooted during a two day period after the annoucement. The number of sites rebooting sets a lower bound on the uptake of the patch [a reboot is necessary as part of the patch installation] but will overstate the number of patched systems, as some sites will have rebooted for other reasons.

February 2003 Web Server Survey

In the February 2003 survey we received responses from 35,863,952 sites.

Market Share for Top Servers Across All Domains August 1995 - February 2003

Graph of market share for top servers across all domains, August 1995 - February 2003

Top Developers

Developer January 2003 PercentFebruary 2003 Percent Change
Continue reading

Apache on Windows Struggling?


One of the goals of Apache/2.0 was to better support operating systems other than Unix. While the Windows version of Apache/1.3 was advertised as experimental, it was hoped that in Apache/2.0 it would become much more widely established. However, since the first general release of Apache/2.0 there have been a string of security problems in the Windows (and other non-Unix) versions that may undermine confidence in the suitability of Apache for these platforms.

Windows Apache entries listed at's common vulnerabilities database include directory traversal using dot-dot paths, revealing script source by appending invalid characters, and DOS device names causing a denial-of-service. The striking thing is that these are sterotypical vulnerabilities that over the years many other products have suffered from, and fixed. Apache developers will be disappointed that they were not able to learn from other people's mistakes sufficiently well to pre-empt the same vulnerabilities appearing in their own server.

In the current month's survey we find over 16,000 Apache Win32 sites on the 'Web which may be vulnerable to one of these problems.

Notwithstanding the security problems, the support for threading in Apache/2.0 is a major performance breakthrough for the Windows version and consquently sites using Apache on Windows have a bigger incentive to upgrade to version 2 than sites on Unix. This is reflected in the relative uptake of Apache/2.0: a little over 1% of all Apache sites are running version 2, but amongst Windows servers the proportion is over 7%.

World’s second largest vendor of Windows machines chooses NT4 for Web Site

What reason might Dell give for running on NT4?
  • When we say "Upgrade!" you must do what we say, not do what we do
  • We're still waiting for our order to be delivered
  • It's not broke, and we dont need to fix it.
  • We're less of a target for attackers. There's no kudos in hacking anything more than 5 years old.
  • We've been evaluating Linux, and have not yet reached a decision.
  • It's just the front end machines. Everything else has been running Windows 2003 for months. Honest!
  • The cobblers children didnt have shoes, either.
  • That site doesnt see a lot of traffic. It just redirects to
  • If you think that running NT4 doesnt do a lot for our product advocacy, then you haven't seen what our evil competitor runs

Mandrake falls into Administration

This week Mandrake became the first major Linux distribution to fall into administration. The survey finds around 88,000 sites running Mandrake, and the distribution also enjoys a reasonable following on the desktop.

The increasing availability and falling costs of high bandwidth connections have posed a question to the continuing relevance of the Linux distribution industry. In 1995 only the very determined would have downloaded the Linux operating system over a 28.8K connection rather than pay for a CD, but equiped with a cable or DSL connection, the CD becomes much more optional.

Mandrake compounded this scenario by some commercially curious behaviour, making freely downloadable images of each new release available over the internet well before their CD editions were available. Mandrake's approach was popular but seemed to actively encourage people to download the new releases rather than buy CDs. More opportunistic companies have been able to sell CDs of new Mandrake releases for weeks before Mandrake's own boxed sets became available.