Hmmmmm....I'll have to go and read the article I saw on Steve Gibson's site about the problem then. I just read the 1st paragraph where he mentioned that MS and himself were interpreting things differently. I didn't understand it at the time.

But your comments are probably the explanation for Gibson's comments. That he was saying to MS that leaving certain functionality as the default is dangerous, but MS didn't feel that way.




>The issue is not so much a technical one as a policy one. The problem with IIS is not that it has more holes, but it exposes more functionality by default, which _exposes_ more holes. None of these worms would be a problem if the default IIS install was a bare bones, HTML only install, and all additional IIS functionality had to be intentionally added.
>
>Apache is so much more secure because when you install it, all you get is a basic request parser to serve up pages on disk. IIS gives you bells and whistled out the wazoo, and the majority of the holes in the product (like the ones exploited by nimda and Code Red) are in those bells and whistles.