Topic: Are there really lots of vulnerable Apache web servers?

[Steffen]

Apache has been the most common web server on the internet since April 1996, and is currently used by 38% of all websites. Most nefarious activity takes place on compromised servers, but just how many of these Apache servers are actually vulnerable?

The latest major release of the 2.4 stable branch is Apache 2.4.7, which was released in November 2013. However, very few websites claim to be using the stable branch of 2.4 releases, despite Apache encouraging users to upgrade from 2.2 and earlier versions.

Less than 1% of all Apache-powered websites feature an Apache/2.4.x server header, although amongst the top million websites, more than twice as many sites claim to be using Apache 2.4.x. Some of the busiest websites using the latest version of Apache (2.4.7) are associated with the Apache Software Foundation and run on the FreeBSD operating system, including httpd.apache.org, www.openoffice.org, wiki.apache.org, tomcat.apache.org and mail-archives.apache.org.

Read more... http://news.netcraft.com/archives/2014/02/07/are-there-really-lots-of-vulnerable-apache-web-servers.html

Doubt about the correctness of the figureres from Netcraft. Because the server header is widely set to production and does not expose the version. So Apache Lounge shows just Apache.

[jimski]

The most stable Linux distributions such as RHEL, CentOS and Debian all come with Apache 2.2 as of now. Also most sysadmins like stable better than new. This will change when new Linux releases start including Apache 2.4 by default, then the market share of Apache2.4 will increase.

Also, on windows, web administrators who don't want to or can't compile their own modules still have a hard time to find some extensions for php x64 and modules for Apache 2.4 x64.