Microsoft last week issued a set of patches to fix 10 newly disclosed flaws in its IIS Web server software, as part of its promise to improve the security of its products.
The newly disclosed flaws, together with last week's release of the open-source Apache 2.0 Web server, could encourage firms to re-evaluate their Web server needs.
The vulnerability of IIS to attack, exploited by the Code Red and Nimda worms, prompted analyst firm Gartner last September to advise against using it.
The security problems have already led some companies to switch to other Web servers. One IT manager said, "I have got to the point where I would insist that any server with a public IP address outside a firewall or providing a public service - for example, an email router or Web server - should run Unix and not Windows."
The latest IIS patch may be an indication that Microsoft is taking security more seriously, especially since the patch fixes two flaws discovered by Microsoft itself. However, many IT managers remain unimpressed with the firm's security efforts so far. An IT coordinator for an industry group said, "Coming clean on flaws hardly earns any brownie points in my book when Microsoft persistently presents to the marketplace products that are incomplete and contain serious flaws."
Despite Microsoft's efforts, IIS remains a distant second to the open-source Apache, although IIS gained market share over the last year. Most sites currently run version 1.3 of Apache, though version 2.0 has just been completed. It is designed to offer the reliability of the previous version with some of the feature richness of IIS, a blend that could attract more companies away from Microsoft.
To date, Apache has proven to be less vulnerable, and feedback from the huge Apache community should ensure that it remains so. While many observers applaud Microsoft's decision to do more to tackle flaws, its latest IIS patches have already caused new problems for servers that also run Microsoft Site Server, showing the need for the firm to conduct more thorough testing.
Stuart Okin, chief security officer at Microsoft UK, said firms should be careful when applying patches and should perform their own threat analysis. "The IIS patch needs a full testing cycle," he said.
The new patch for IIS 4.0, 5.0 or 5.1 on Windows NT 4.0, 2000 or XP Professional is available via the AutoUpdate facility in XP or at the Windows Update Web site. It can also be downloaded here.