IIS 6.0 users are heading towards new security dangers

RiskIQ has discovered that 24 of the top 30 FTSE-listed companies in the UK are running web servers that will be out of support in less than a week, posing a potential security risk to both them and the public.

On July 14th, Microsoft ends support for its popular Windows Server 2003 product, which includes its Internet Information Services (IIS) 6.0 web server and Small Business Server 2003. This move means these software versions will no longer receive critical security updates or patches.

Researchers discovered that amongst the top 30 FTSE companies, there were more than 73,000 instances of web servers in use. Microsoft’s IIS 6.0, used for web hosting and media streaming, was the 6th most popular server and used more than 2,675 times.

Whilst some organisations run IIS 6.0 on forgotten networks or as test servers, the research worryingly found it was also used to host high profile websites of some of the largest FTSE companies in the UK.

In comparison, 22 of the top 30 DAX companies in Germany also face the same risks from using outdated technology but are much further ahead in replacing their ageing infrastructure; only 650 instances of IIS 6.0 were found in RiskIQ’s study of DAX organisations, a quarter of the total found in comparable FTSE companies.

Ben Harknett, RiskIQ Managing Director EMEA, says: “Hackers bypass traditional defence in-depth measures by finding and compromising web sites, based on exploits in unsupported software versions. Due to the lack of availability of critical security updates for IIS 6.0 beyond 14th July, hackers will be able to more easily exploit its security weaknesses, accessing systems and using company websites to serve malware to unsuspecting users. Companies are running the risk of operating a webserver as a ticking time bomb of vulnerabilities and reliability issues after that date.”

Users of IIS 6.0 have a handful of days before support fully ends. But research also found 417 instances of the top FTSE companies still using the outdated IIS 5.0, a product which hasn’t been supported by Microsoft for over a year.

“People expect that when they access a website of a reputable organisation it will be a safe, secure experience, no matter where they navigate to within the site. Organisations who continue to run IIS 6.0 beyond the 14th July support date run the risk that they will no longer be delivering the same secure experience,” Harknett concluded.

Share this