The pictures to the right from Richard Stiennon's post on Threat Chaos show the paths of the system calls used by IIS on Win32 and Apache on POSIX to service a single HTTP request. This pictures demonstrates, fundamentally, why IIS on Win32 is simply a bad engineering choice when it comes to security.Every system call, every transition across the user/operating system boundary is an opportunity for the userspace program to exploit a potentially unknown hole in the underlying O/S. Why someone would choose to use an environment like this one is beyond me.
Richard Stiennon put it quite succinctly:
Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture.
Windows+IIS vs. Linux+Apache (and baby vs. baby)
ReplyDeleteHoly weblog observations, Batman! It's IT Blogwatch, in which it's "proven" than Windows+IIS is less secure than Linux+Apache. Not to mention the site that asks, "Which baby is cuter?"...