Web server holes - the big lesson for users

The all too familiar sight of journalists writing stories about major security holes in web server software was to be seen again in the silicon.com newsroom this morning.

Microsoft's web server had a disastrous time last year, being responsible for the successful spreading of both the Nimda and Code Red viruses. You'd be right in thinking the last thing the software giant needs now is another security scare.

In 2001 the situation was even so bad that Gartner Group analysts recommended firms abandon the Microsoft web server product. Only today a BT site running IIS was brought down by malicious hackers. (http://www.silicon.com/a54008 )

However, IIS was not the acronym to be springing from the fingers of silicon.com reporters - Microsoft's Internet Information Server was not at fault.

No. According to the widely respected security body Cert, the open source software Apache now has the problem.

By far the most popular web server in the world, Apache runs nearly two thirds of websites. IIS runs just 25 per cent. So, theoretically, a problem with Apache is far more serious. There are very few companies in the world which don't have a couple of Apache boxes somewhere hosting a few web pages, even if large enterprises are typically keener to standardise on the proprietary kit.

There is a bigger issue here too, concerning the reliability of open source software. Open source is seen by many as safer, because of the large developer community which reviews the software and is always on hand to patch flaws.

However, there is no inherent reason, despite guru Eric Raymond's claims, that open source software will always be safer, especially when the security of systems relies on the goodwill of volunteers.

One can imagine a wry smile at the offices of Microsoft this morning when it became clear not all of the patches for the different versions of Apache were ready when the CERT warning came out, because of the fragmentation of the open source software between vendors. This is something Microsoft has long warned against.

This is also not to say open source is not secure - rather, no software is inherently secure. Be vigilant - whatever you use - and remember the most popular software will always be the biggest target.