February 04, 2007 | Comments: (0)
Why is www.dolphinstadium.com still running Windows 2000 and IIS 5?
Websense reported a few days ago that www.dolphinstadium.com had been hacked.
The popular Super Bowl-related site was hacked to push two client-side exploits to unpatched visiting Windows computers. One of the exploits was patched last month, and one last year. If you're running Microsoft Windows in the default mode, with Automatic Updates (or some other patch management tool), you should be fine.
But after investigating the web site, I'm wondering why the Miami Dolphins organization is still running Windows 2000 and IIS 5.
While I am pretty confident that the hack against the popular web site did not exploit an unknown Windows 2000 or IIS 5 vulnerability (it was probably an application programming error, like most web site exploits), I don't know why the techs, developers, hosts, and management allow a 7-year-old OS and web server to be their platform.
Did anyone on the team ask that question recently? If so, were they ignored?
Windows 2000 no longer has mainstream support. It's an old legacy platform.
Windows Server 2003 and IIS 6 have been out since March 2003, almost 4 years now, and both have a stellar protection record.
I wouldn't want anyone running a 7-year-old OS or web server application. I don't run OpenBSD 1.0; it's 4.0.
Sadly, if you do a Netcraft or Nikto scan, you'll find more Windows 2000/IIS 5 combinations than Windows Server 2003/IIS 6.
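The same kind of banner check, turned inward, makes a quick inventory of your own hosts. This is an added example and not code from the post: the HTTP responses are constructed samples standing in for what a HEAD request or a Nikto run against your own servers would return, and the "IIS major version below 6 means a legacy platform" policy is an assumption limited to the versions discussed here.

```python
# Added example (not the post's code): flag web servers whose Server header
# reveals an end-of-life IIS/Windows platform. The responses are constructed
# samples standing in for what a HEAD request or Nikto run against your own
# hosts returns; the support policy is an assumption limited to the versions
# the post discusses.
import re

SAMPLE_RESPONSES = {   # constructed inventory samples
    "www.example.test": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                        "Content-Type: text/html\r\n\r\n<html>",
    "shop.example.test": "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/6.0\r\n"
                         "X-Powered-By: ASP.NET\r\n\r\n",   # lower-case name
    "api.example.test": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

MIN_SUPPORTED_IIS_MAJOR = 6   # assumed policy: IIS 5.x means Windows 2000

def server_header(raw_response):
    """Return the Server header value, or None if the banner is absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":   # names are case-insensitive
            return value.strip()
    return None

def iis_major(server_value):
    """Parse the IIS major version from 'Microsoft-IIS/x.y'; None if not IIS."""
    m = re.match(r"Microsoft-IIS/(\d+)(?:\.\d+)?$", server_value or "", re.I)
    return int(m.group(1)) if m else None

def classify(raw_response):
    """'legacy', 'supported', 'not-iis', or 'unknown' when the banner is hidden."""
    value = server_header(raw_response)
    if value is None:
        return "unknown"      # a suppressed banner is not proof of a patched host
    major = iis_major(value)
    if major is None:
        return "not-iis"
    return "legacy" if major < MIN_SUPPORTED_IIS_MAJOR else "supported"

def audit(responses=SAMPLE_RESPONSES):
    """Map each host to its status; 'legacy' hosts are the upgrade list."""
    return {host: classify(raw) for host, raw in responses.items()}
```

Hosts that come back "unknown" have hidden the banner, so confirm their platform from the asset inventory rather than assuming they are current.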
Windows Server 2003 and IIS 6 are more secure and reliable than legacy combinations. Web sites running on legacy platforms are easy to migrate to the newer platform (for most organizations).
It's a no-brainer decision.
It's one thing to stay on older platforms under the guise of being stable. It's another to be neglectful.
Of course, in this particular case, the web site was compromised by an application coding bug, or something like that, and not because of Windows 2000 and IIS 5. Still, if you're running the legacy versions of Windows and IIS, it's time to upgrade. Heck, IIS 7 is out now.
Posted by Roger Grimes on February 4, 2007 09:52 AM