Dr. Jones
Microsoft seems to have a habit of writing easily exploitable servers...
First, IIS (Internet Information Server -- MS' web server) is hit by destructive worms such as Code Red and Nimda... in the process of spreading to other computers, the worms hammer any web server in the IP range they're scanning, vulnerable or not. This results in a 4.5MB error log on my Apache server, as it sees the exploitive URL request and, not being vulnerable, simply returns a 404 and logs the error, the idea being that if that were a valid page request by a user, the admin would look into it and perhaps fix a broken link. However, any valid 404 errors that are being generated on my server are lost in the sea of repeated requests for "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir", rendering the log files almost entirely useless. To make matters worse, each infected server smacks me about 15 times in 3 seconds, and repeats the attack about once an hour. Now take into account that I get about 4 infected servers a day hammering me. Got denial-of-service?
The thing that pisses me off most about this is that there are users out there with enough technical knowhow to run a web server, yet they can't keep the goddamn thing patched. Code Red and Nimda are months old. Actually I think Nimda is over a year old. These virii should be dead now, except maybe in a few third-world countries where 486's are hot stuff. However, I still blame Microsoft for not adequately educating their customers on protecting themselves from attack. Instead, they just silently release a patch and hope it all goes away.
Now a vulnerability has been discovered in Microsoft's SQL server that is resulting in the spread of an exceedingly virulent worm. This worm is spreading so fast and attempting to replicate so often that it is actually bogging down major internet backbones. Loading the pages on these forums is taking me about 10 seconds per page, and sometimes requires me reloading a few times to even establish a connection.
Before any of you go scolding me, saying "Microsoft products are only attacked so often because they are the most common... i.e. more linux viruses would be running loose if more people used linux", Netcraft periodically surveys a large portion of web servers across the internet. Apache holds over 60% of the market, with Microsoft a distant second at about 25%. That's a big fscking gap. Yet you never hear about Apache worms, do you? That's because 1) Apache beta-tests their product first, and consequently httpd (the server itself) is more secure, 2) Apache is open-source, so developers world-wide can look at the code and see any potential holes for exploits. Then, a hotfix can be built and released in minutes, 3) Apache administrators, including myself, are in general more responsible than IIS administrators, and when a hotfix or new version of the server is released, most of the servers are updated within a week.
Why can't Microsoft at least come close to this standard of product integrity? Personally, I think it's because they're more concerned with short-term objectives, such as pleasing investors and making money. Therefore they release products before they've been fully hammered on and all the wrinkles ironed out. Then, when a problem occurs, they like to release a pay upgrade to fix the problem, which brings in more money, while people who might normally install a free fix won't pay for the upgrade and instead stay with a vulnerable system. Also, Microsoft products lend themselves to a "set-and-forget" mentality with the administrators, so once a product is installed, it may be used for a year or more before it's upgraded, especially with government organizations. I know when I worked for the Employment Development Department, our department's web server was running on NT 4.0 SP3 with IIS 3.0 well after Windows 2000/IIS 5.0 was released. Personally, I check Apache's site at least once a month for updates, and once one is found, if it addresses any security issues or provides functionality I'm interested in, I download and install it.
Yup, that's right, I'm running Apache 1.3.27 (Apache 2.x is still considered beta and 1.x is still under development, therefore I go with the more stable 1.x series), and have been running Apache 1.3.27 since about a week after it came out. I'm also running PHP version 4.3.0, and again, installed it within a week of its release. Right now, about the only insecure thing I'm doing is using PHP in executable mode rather than as an Apache module, and there have been no CERT advisories detailing vulnerabilities with the executable mode yet... it's just that theoretically, if someone could access php.exe directly, they could execute any arbitrary PHP code, which is about as powerful as the DOS prompt.
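Sorting the worm noise out of the 404 log so the real broken links are visible again, as the post complains about, is easy to script. This Python example is added here and is not part of the original post; the log lines and the probe-marker list are constructed (the Nimda request string is the one quoted in the post).

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Substrings marking IIS worm probes: Code Red hits default.ida, Nimda walks
# double-encoded traversals to cmd.exe/root.exe. Constructed list, not exhaustive.
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida", "%255c", "%c1%1c", "%c0%af")

def is_worm_probe(path):
    """True if the request path looks like an IIS worm scan, not a user request."""
    p = path.lower()
    return any(m in p for m in PROBE_MARKERS)

def triage_404s(lines):
    """Return (Counter of probing hosts, list of (host, path) for genuine 404s)."""
    noise_by_host = Counter()
    genuine = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # skip unparsable lines and non-404 responses
        if is_worm_probe(m.group("path")):
            noise_by_host[m.group("host")] += 1
        else:
            genuine.append((m.group("host"), m.group("path")))
    return noise_by_host, genuine

# Constructed sample: three Nimda probes from one host, one Code Red probe,
# and one legitimate 404 from a visitor following a broken link.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2003:10:15:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.10 - - [25/Jan/2003:10:15:01 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.10 - - [25/Jan/2003:10:15:02 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
    '198.51.100.7 - - [25/Jan/2003:10:20:44 -0800] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 289',
    '203.0.113.5 - - [25/Jan/2003:10:31:09 -0800] "GET /docs/old-page.html HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    noise, real = triage_404s(SAMPLE_LOG)
    for host, hits in noise.most_common():
        print(f"worm probes from {host}: {hits}")
    for host, path in real:
        print(f"real 404 worth checking: {path} (from {host})")
```

Feed it the live access log instead of SAMPLE_LOG and the per-host counts also show the bursts of repeated hits from each infected machine.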