Researchers from CyberNews (opens in new tab) say they have identified over two million web servers powered by outdated, unmaintained, and vulnerable versions of Microsoft Internet Information Services (IIS) web server (opens in new tab).
According to the researchers, since the legacy IIS releases versions are no longer supported by Microsoft, threat actors can easily compromise them to inject all kinds of malware (opens in new tab), and even exfiltrate visitors’ data, which could include login and payment information, depending on the nature of the website it powers.
Microsoft IIS is reportedly the third most-popular web server in the world, powering over 50 million websites for a market share of just over 12%.
- These are the best endpoint protection tools (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
- Check our list of the best firewall apps and services (opens in new tab)
“While Microsoft keeps the newer versions relatively safe by releasing security updates and vulnerability hotfixes, older IIS versions from 7.5 downwards are no longer supported by the company. And like other types of outdated server software, all legacy versions of Microsoft IIS suffer from numerous critical security vulnerabilities,” CyberNews explained.
Outdated servers galore
Armed with this information, Cybernews researchers identified five different IIS versions and subversions that weren’t maintained and had publicly known vulnerabilities.
It then searched for these vulnerable IIS installations, and while a majority turned out to be honeypots, over two million were found serving genuine use cases.
While all legacy IIS versions were susceptible to attacks, version 7.0 with 17 known vulnerabilities emerged as the most harmful. Surprisingly, it was found running on over 47,000 web servers.
Upon further investigation, with more than 679,000 vulnerable IIS servers, China emerged as the country with the most number of susceptible installations. Surprisingly though, the US with over 581,000 unprotected IIS servers wasn’t far behind in second place.
CyberNews security researcher Mantas Sasnauskas believes the situation is further aggravated by the fact that the web servers that host public websites would also be broadcasting their outdated IIS versions for everyone to see.
“This means that running these servers on visibly vulnerable software is tantamount to extending an invitation to threat actors to infiltrate their networks,” Sasnauskas sums up.
- Protect your devices with these best antivirus software (opens in new tab)