Survey says e-commerce servers still vulnerable

A new server survey from Netcraft finds that administrators are taking their time patching e-commerce servers, potentially leaving them open to newly discovered attacks

Virus activity may have declined so far this year, but a new study has found that Internet servers are being left worryingly vulnerable to a series of newly discovered bugs.

According to a survey by UK research firm Netcraft, published on Tuesday, system administrators have been upgrading their Web servers to fix new vulnerabilities, but have been slower about servers used for e-commerce and encryption.

The survey found that almost half of the 22 million monitored sites using Apache software for serving Web pages had been upgraded to version 1.3.26, which fixes a recently publicised vulnerability. But only one quarter of Apache sites using Secure Sockets Layer (SSL), which creates the encrypted communications channel typically used for e-commerce, have been updated to this version.

The situation should cause concern, Netcraft said, in light of the discovery of several vulnerabilities in OpenSSL, which can allow an attacker to execute code on a server. "Most sites using Apache for encrypted transactions and e-commerce will be vulnerable to the attack," said Netcraft director Mike Prettejohn in a statement.
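Netcraft's figures come from the version strings that Web servers advertise in their HTTP Server header, so the same patch-state check can be run over an organisation's own host inventory. The following Python is an added example written for this article, not Netcraft's survey code. It assumes banners in the usual Apache form ("Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d"), takes 1.3.26 from the article as the fixed version for the 1.3 branch, leaves other branches unassessed rather than guessing, and runs over a constructed sample of banners:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed version per Apache branch. Only the 1.3 branch figure is taken from
# the article; other branches are deliberately left unassessed here.
FIXED_VERSIONS = {(1, 3): (1, 3, 26)}

_APACHE_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")
_MODSSL_RE = re.compile(r"\bmod_ssl/")
_OPENSSL_RE = re.compile(r"\bOpenSSL/(\S+)")


@dataclass
class Banner:
    host: str
    apache: Optional[Tuple[int, int, int]]  # None when the version is hidden
    ssl: bool                               # mod_ssl or OpenSSL advertised
    openssl: Optional[str]                  # OpenSSL version string, if shown


def parse_banner(host: str, server_header: str) -> Banner:
    """Parse an HTTP Server header into the fields the survey needs."""
    m = _APACHE_RE.search(server_header)
    apache = tuple(int(g) for g in m.groups()) if m else None
    o = _OPENSSL_RE.search(server_header)
    ssl = bool(_MODSSL_RE.search(server_header)) or o is not None
    return Banner(host, apache, ssl, o.group(1) if o else None)


def patch_state(b: Banner) -> Optional[bool]:
    """True/False against the branch's fixed version, None if not assessable."""
    if b.apache is None:
        return None
    fixed = FIXED_VERSIONS.get(b.apache[:2])
    if fixed is None:
        return None
    # Compare as integer tuples: a string compare would rank 1.3.9 above 1.3.26.
    return b.apache >= fixed


def survey(records: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count Apache hosts and how many reach the fixed version; the ssl
    counters cover the assessed hosts that advertise SSL."""
    counts = {"apache": 0, "unassessed": 0, "apache_patched": 0,
              "ssl": 0, "ssl_patched": 0}
    for host, header in records:
        if not header.startswith("Apache"):
            continue
        b = parse_banner(host, header)
        counts["apache"] += 1
        state = patch_state(b)
        if state is None:
            counts["unassessed"] += 1  # hidden version or unassessed branch
            continue
        counts["apache_patched"] += int(state)
        if b.ssl:
            counts["ssl"] += 1
            counts["ssl_patched"] += int(state)
    return counts


def stale_ssl_hosts(records: List[Tuple[str, str]]) -> List[str]:
    """Hosts that advertise SSL and are known to be below the fixed version."""
    stale = []
    for host, header in records:
        b = parse_banner(host, header)
        if b.ssl and patch_state(b) is False:
            stale.append(host)
    return sorted(stale)


# Constructed sample banners (hypothetical hosts, not survey data).
SAMPLE_BANNERS = [
    ("shop.example", "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b"),
    ("news.example", "Apache/1.3.26 (Unix)"),
    ("blog.example", "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d"),
    ("bank.example", "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6c"),
    ("old.example", "Apache/1.3.9 (Unix)"),
    ("hidden.example", "Apache"),
    ("dev.example", "Apache/2.0.40 (Unix)"),
    ("corp.example", "Microsoft-IIS/5.0"),
]

if __name__ == "__main__":
    c = survey(SAMPLE_BANNERS)
    print(f"Apache hosts: {c['apache']} ({c['unassessed']} unassessed)")
    print(f"Patched: {c['apache_patched']}; SSL hosts patched: "
          f"{c['ssl_patched']}/{c['ssl']}")
    print("SSL hosts still below the fixed version:", stale_ssl_hosts(SAMPLE_BANNERS))
```

On the sample, two of five assessed Apache hosts are at or above 1.3.26, but only one of the three SSL hosts is, which is the gap the survey describes. Hosts that hide their version (ServerTokens set to Prod) or run another branch are reported as unassessed rather than silently counted as patched, since a banner check can only confirm what the server chooses to advertise.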

Last month, a series of bugs in Microsoft Internet Information Server, Microsoft Commerce Server and Apache led Prettejohn to remark that the Web was more open to attack than ever before. While he called the situation more an incident than a trend, slowness in patching the affected servers, combined with the arrival of new bugs, has kept the window of danger open, Prettejohn said.

Among the most recent security alerts is an easily exploitable flaw in some versions of Apache that could allow attackers to discover where scripts are located on the server, and to execute code on the server.

The survey found that market share for Microsoft servers had declined by 6.48 percent, matched by a 5.89 percent rise in Apache's market share. However, this was accounted for by a periodic platform switch by, a registrar which controls a large number of domain names.

Netcraft noted that some companies appear to be making good business out of server hosting, identifying six providers that had achieved greater than 30 percent growth since the beginning of this year. The top companies include, with 88 percent growth, with 44 percent and with 43 percent.

Worryingly for Sun, however, few of these hosting companies now use servers from Cobalt, which were a de facto industry standard before Sun bought the company. In recent months the hosting companies have shifted to IBM, Compaq or generic boxes, Netcraft said. Rackshack placed the largest-ever order for Cobalt servers in December, but dropped the platform at the beginning of this year, Netcraft reported.
