Microsoft has ended support for Windows Server 2003, and this has now exposed one fifth of the world’s websites to hackers and cyber criminals. The issue is that these websites are running on old Windows Server 2003 machines, and because the operating system is no longer supported by Microsoft, it is no longer updated when a new security hole is uncovered, whether by researchers or by attackers themselves. Despite the painfully obvious risk of running websites on old servers, especially those running 2003, many webmasters and site owners are oblivious to the issue, not least because many sites are hosted under a managed contract and the owners are not in direct control of the servers their websites run on.
Almost three-quarters of these websites, over 40 million, are served by IIS 6.0, the web server that shipped with Windows Server 2003 (and also with Windows XP 64-bit, although it is unlikely that many sites run on that). The big issue is that millions of websites are running on unpatched, unsupported 2003 servers, and this is a ticking time bomb waiting for a major vulnerability to be uncovered.
Strangely and ironically enough, China and the US account for more than half of the servers running Windows Server 2003 (China has 169k 2003 servers, while the US has 166k). Alibaba, which recently floated on the stock exchange, is itself running over 24,000 servers on 2003, but more worrying, companies such as ING Direct are also using the outdated platform. More alarming still, there are security companies using Windows Server 2003, such as eScan and Panda Security.
There are reports and rumors that while Microsoft has ceased general support for 2003, some companies (and the US Navy) have paid millions of dollars to have customized support continue to be delivered. In any event, the majority of companies and organizations running Windows Server 2003 and XP are running them unsupported, unpatched and therefore fully exposed to any malicious exploit or technical glitch.
The recommendation is obviously to upgrade from Windows Server 2003 as quickly as possible, and Microsoft has laid out several migration paths, notably to Windows Server 2012 (Windows Server 2008 is still supported, but 2012 is the better target because of its longer expected support life compared to 2008).
In the meantime, with so many websites running on unsupported servers, the security issues are painfully obvious: hacks, data theft, malicious interference in operations, identity theft and much worse. That 20% of the websites currently live in the world are running on old, insecure servers is a crisis in itself, but it is unlikely to be resolved until some significant incident forces a mass migration off the platform. Unfortunately, by the time this occurs the damage is already likely to have been done, and consumers and website visitors are the ones most likely to be hit the hardest. The bottom line is that website users, especially those carrying out online transactions or sharing sensitive information, should be much more aware of, and cautious about, who they are doing business with online.