IIS should be...
... taken out and shot. That's the only real way to put an end to IIS vulnerabilities.
Network administrators at Ball State University have retracted their claims that a campus website was brought down by a zero-day vulnerability in Microsoft's Internet Information Services webserver. "Microsoft and Ball State now have identified the cause of the breach [as] a Ball State iWeb user [who] either misused or allowed …
So shooting it for vulnerabilities that have now been said not to exist is such an obvious solution. I'm sure Apache is not vulnerable to someone misuing an account that has permissions to do *bad stuff*.
(sits back and waits for all the fanbois that trashed this as being an IIS issue in the initial story to come back and say sorry for jumping the gun)
Once upon a time there was a little man who was poor and had no house, so he and his family lived in a cave. One day a big man came along and built him a house. 'But if I build you a house, you must look after my dog', said the big man. So the little man looked after the dog.
One day the dog turned nasty and ate the little man's kids. But the little man was scared the big man would take his house away, so he told the policeman that the dog didn't do it.
That's all for today children. 'Newsround' next, and then 'Grange Hill'.
I count three people somehow coming to the conclusion that no vulnerability exists in IIS .... huh?
Often wonder if people actually read the entire article before penning their replies, or is being the first to comment or flame someone more important than knowing what you are talking about? The vulnerability does exist, it just wasn't exploited in this instance.
IIS 5 was a security nightmare but IIS6 has been much better (i'm not saying it's the best or drawing comparisons so simmer down) in fact it's become quite a dull subject on the security front much better than most MS software. Take a look at the list it's hardly an issue a week is it now in fact it looks like one a year.
http://secunia.com/advisories/product/1438/?task=advisories
Of course IIS had security issues as does apache and probably most other servers. But that's not the whole issue here, IIS is still poo even if it didn't have any issues just for it being so ... annoying.
I have had someone hack my apache webserver once... on my home computer. My own fault for not firewalling it to outside connections, I didnt know there were any problems with it until that point. Someone thought it might be funny to put a paypal scam site on my web server... to this day I still do not know how they did it and all I had was a php page with a couple of graphs on it ^^ and it was set up securely.
This was back in the Mandrake days though...