As we’ve said frequently, there really is no excuse for not moving off Microsoft Windows Server 2003 and moving to the cloud. But if you’re looking for an excuse to explain to the CEO why you haven’t moved, then at least you’re not the only one in that position.
Research from RiskIQ shows that with just days to go (five, to be precise) before Microsoft Windows Server 2003 support ends, 24 of the top 30 FTSE-listed companies in the UK are still running web servers that will be out of support in less than a week.
RiskIQ’s research discovered that amongst the top 30 FTSE companies, there were more than 73,000 instances of web servers in use. Microsoft’s IIS 6.0, used for web hosting and media streaming and part of Win2k3, was the 6th most popular server and was used more than 2,675 times. Whilst some organisations run IIS 6.0 on forgotten networks or as test servers, the research worryingly found it was also used to host high-profile websites of some of the largest FTSE companies in the UK.
In comparison, 22 of the top 30 DAX companies in Germany face the same risks from using outdated technology but are much further ahead in replacing their ageing infrastructure; only 650 instances of IIS 6.0 were found in RiskIQ’s study of DAX organisations, a quarter of the total found in comparable FTSE companies.
Ben Harknett, RiskIQ Managing Director EMEA, says: “Hackers bypass traditional defence-in-depth measures by finding and compromising web sites, based on exploits in unsupported software versions. Due to the lack of availability of critical security updates for IIS 6.0 beyond 14th July, hackers will be able to more easily exploit its security weaknesses, accessing systems and using company websites to serve malware to unsuspecting users. Companies are running the risk of operating a webserver as a ticking time bomb of vulnerabilities and reliability issues after that date.”
Users of IIS 6.0 have a handful of days before support fully ends. But RiskIQ’s research also found the top FTSE companies still running 417 instances of the outdated IIS 5.0, a product which hasn’t been supported by Microsoft for over a year.
“People expect that when they access a website of a reputable organisation it will be a safe, secure experience, no matter where they navigate to within the site. Organisations who continue to run IIS 6.0 beyond the 14th July support date run the risk that they will no longer be delivering the same secure experience.
“For any organisation it’s vital to understand how digital assets are hosted. At RiskIQ we work with organisations all over the globe to help them uncover what digital assets they have. Using this knowledge, organisations can better understand where the security weaknesses within those assets are, such as instances of IIS 6.0, and therefore take suitable action to replace obsolete web servers,” Harknett concluded.