A very interesting post on the Google Online Security Blog analyzes which web server software the hosts serving the world's malware are running.
Microsoft IIS 6 tied with Apache at 49% of the compromised servers, even though Apache has a 40% lead in deployments. Apache makes up at least 50% of the malware servers in every country except China and South Korea. The reason? Google suspects it's the high rate of piracy in those countries, combined with Microsoft's policy of not patching pirated systems.
[Figure: Distribution of web server software by country. Left panel: web server distribution by country. Right panel: malicious web server distribution by country.]
The figure on the left shows the distribution of all Apache, IIS, and nginx web servers by country. Apache has the largest share, even though there is noticeable variation between countries. The figure on the right shows the distribution, by country, of web server software of servers either distributing malware or hosting browser exploits. It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache.
We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy (piracy statistics from NationMaster and BSA), and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance, the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems.
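The comparison the Google post describes, the share of each server family among all hosts in a country set against its share among the hosts flagged as malicious, as an added example in Python. This is not code from the Google post or from this blog: the host list and its Server header strings are constructed for illustration, the flagged column stands in for whatever malware or exploit detection produced the right-hand figure, and the numbers it yields are not the post's.

```python
"""Per-country web server share: all hosts versus hosts flagged as malicious.

Added example; the data below is constructed, not observed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample (not observed data): (country, Server header, flagged as malicious)
SAMPLE_HOSTS = [
    ("US", "Apache/2.2.3 (CentOS)", False),
    ("US", "Apache/1.3.37 (Unix)", True),
    ("US", "Microsoft-IIS/6.0", False),
    ("US", "Microsoft-IIS/5.0", True),
    ("US", "nginx/0.5.35", False),
    ("US", "Apache", True),
    ("CN", "Microsoft-IIS/6.0", True),
    ("CN", "Microsoft-IIS/5.0", True),
    ("CN", "Apache/2.0.59 (Unix)", False),
    ("CN", "Microsoft-IIS/6.0", False),
    ("CN", "nginx/0.6.32", False),
    ("CN", "Microsoft-IIS/6.0", True),
    ("KR", "Microsoft-IIS/6.0", True),
    ("KR", "Apache/2.2.6", False),
    ("KR", "LiteSpeed", False),
]

# Server header prefixes for the three families the post compares.
FAMILIES = (
    ("IIS", re.compile(r"^Microsoft-IIS\b", re.IGNORECASE)),
    ("Apache", re.compile(r"^Apache\b", re.IGNORECASE)),
    ("nginx", re.compile(r"^nginx\b", re.IGNORECASE)),
)


def server_family(header):
    """Collapse a raw Server header such as 'Apache/2.2.3 (CentOS)' to its family.

    Anything that is not Apache, IIS or nginx (LiteSpeed, lighttpd, an empty
    or spoofed header) lands in 'other' rather than being guessed.
    """
    value = (header or "").strip()
    for family, pattern in FAMILIES:
        if pattern.match(value):
            return family
    return "other"


def share_by_country(hosts, malicious_only=False):
    """Return {country: {family: fraction}} over all hosts, or over flagged hosts only."""
    counts = defaultdict(Counter)
    for country, header, flagged in hosts:
        if malicious_only and not flagged:
            continue
        counts[country][server_family(header)] += 1
    return {
        country: {fam: n / sum(fams.values()) for fam, n in fams.items()}
        for country, fams in counts.items()
    }


def malicious_lift(hosts):
    """Ratio of a family's share among malicious hosts to its share among all hosts.

    A lift above 1.0 means the family is over-represented among malicious hosts
    in that country (the IIS-in-China effect the post points out). Families with
    no malicious hosts in a country are omitted; every malicious host is also in
    the overall tally, so the denominator always exists.
    """
    overall = share_by_country(hosts)
    malicious = share_by_country(hosts, malicious_only=True)
    return {
        country: {fam: share / overall[country][fam] for fam, share in fams.items()}
        for country, fams in malicious.items()
    }


if __name__ == "__main__":
    for country, fams in sorted(malicious_lift(SAMPLE_HOSTS).items()):
        print(country, {fam: round(lift, 2) for fam, lift in fams.items()})
```

Two caveats before trusting the output on real data: the Server header is self-reported, so a hardened Apache with `ServerTokens Prod` or a reverse proxy will under-count the family behind it, and a host that sends nothing lands in "other", which is worth inspecting rather than discarding. The flagged column is the expensive part; Google's figures came from its own crawl of hosts it had already identified as distributing malware or exploits, so the interesting number is the lift, not the raw share.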
Is it time for a change? Based on this information, I agree with Google. I think the evidence is pretty clear here that Microsoft's patching policy hurts legitimate customers much more than it does pirates. As much as I support technologies that reduce piracy (so that maybe Microsoft can lower prices), I can't support this policy if it puts my family's computers at risk. Pirated copies of Windows should be allowed to connect to Windows Update for critical updates, without fear of retribution from Microsoft. That means they should be able to get updates without worrying that WGA (Windows Genuine Advantage) is going to shut down their system.
Microsoft has many ways to fight piracy. Punishing paying customers by putting them at risk should not be one of them.
UPDATE: The WGA team contacted me to let me know that the policy I quoted was from July of 2005 and is out of date. Microsoft's policy is, in fact, to allow for critical patches to be downloaded via Automatic Updates, regardless of a machine's license state. Since that is the case, I would assume that the pirates have shut AU off on these machines so they don't report back to Microsoft. Can't fault Microsoft for that.