AMP mitigates IIS SSL exploit

Continuing exploits and Internet Information Services Secure Sockets Layer vulnerabilities have not deterred one of Australia's largest financial institutions from using the Web server.

Lee Barnett, the CIO of financial services giant AMP, said Microsoft is "clearly targeted by the malicious hacker community", but said risks can be mitigated and auxiliary security technologies used.

“The key is to have an efficient and responsive patch management process in place, with appropriate vendor support,” Barnett said. “AMP is currently happy with its vendors' (Microsoft and CSC in this instance) support of such processes.”

As reported in Computerworld previously, most of Australia’s banks rely on Microsoft IIS for Web serving, which has earned a bad reputation because of the large number of known ways to exploit it.

In a press statement late last month Microsoft revealed that it had recently been made aware of a new IIS exploit.

“This exploit code targets server platforms that are running Internet Information Services to serve Web sites with Secure Socket Layer authentication enabled,” the statement read. Windows 2000 and Windows NT 4.0 are primarily at risk and the exploit does not affect the default IIS settings on Windows Server 2003, according to the statement.

AMP was not at risk from this exploit because the company uses a separate SSL accelerator.

“AMP uses a technology called SSL Accelerator, which sits in front of the IIS server and does mitigate the particular risk identified in the latest Microsoft vulnerability,” Barnett said.

When asked if this exploit is reason enough for AMP to consider an alternative Web front-end, Barnett said: “AMP makes decisions on technology selection based on many factors, one of which is security.

“The issue of open source versus proprietary software is clearly a ‘hot’ topic in the industry at present, with pros and cons with each alternative, but again is subject to many factors - only one of which is security.”

However, Barnett conceded that AMP Bank uses WebSphere (based on Apache) in lieu of IIS for its Web server.

Brisbane-based information security firm BSD Australia’s managing director Brian McKerr has boldly claimed that the banks could be “considered negligent if they are not already investigating alternatives [to IIS]”.

“The functionality, performance, security and reputation of an Apache-based solution running on a [Unix] platform are already streets ahead of where IIS is at,” McKerr said. “The OpenBSD project's number one aim is to be the most secure OS.”
