Research from RiskIQ, the enterprise digital footprint security specialist, has discovered that 24 of the top 30 FTSE-listed companies in the UK are running web servers that will be out of support in less than a week, posing a potential security risk to both them and the public.
On July 14, Microsoft ends support for its popular Windows Server 2003 product, which includes its Internet Information Services (IIS) 6.0 web server and Small Business Server 2003. This move means these software versions will no longer receive critical security updates or patches.
RiskIQ’s research discovered that amongst the top 30 FTSE companies, there were more than 73,000 instances of web servers in use. Microsoft’s IIS 6.0, used for web hosting and media streaming, was the sixth most popular server and was used more than 2,675 times. Whilst some organisations run IIS 6.0 on forgotten networks or as test servers, the research worryingly found it was also used to host high-profile websites of some of the largest FTSE companies in the UK.
In comparison, 22 of the top 30 DAX companies in Germany also face the same risks from using outdated technology but are much further ahead in replacing their ageing infrastructure; only 650 instances of IIS 6.0 were found in RiskIQ’s study of DAX organisations, a quarter of the total found in comparable FTSE companies.
Ben Harknett, RiskIQ Managing Director EMEA, says: “Hackers bypass traditional defence-in-depth measures by finding and compromising web sites, based on exploits in unsupported software versions. Due to the lack of availability of critical security updates for IIS 6.0 beyond July 14, hackers will be able to more easily exploit its security weaknesses, accessing systems and using company websites to serve malware to unsuspecting users. Companies are running the risk of operating a webserver as a ticking time bomb of vulnerabilities and reliability issues after that date.”
Users of IIS 6.0 have a handful of days before support fully ends. But RiskIQ’s research also found 417 instances of the outdated IIS 5.0 still in use among the top FTSE companies, a product which hasn’t been supported by Microsoft for over a year.
“People expect that when they access a website of a reputable organisation it will be a safe, secure experience, no matter where they navigate to within the site. Organisations who continue to run IIS 6.0 beyond the July 14 support date run the risk that they will no longer be delivering the same secure experience.
“For any organisation it’s vital to understand how digital assets are hosted. At RiskIQ we work with organisations all over the globe to help them uncover what digital assets they have. Using this knowledge, organisations can better understand where the security weaknesses within those assets are, such as instances of IIS 6.0, and therefore take suitable action to replace obsolete web servers,” Harknett concluded.