News
1/28/2003 06:33 AM

Microsoft Was Vulnerable To Worm

Internal E-mails show software maker failed to install key fixes to its own software on many servers.

SEATTLE (AP) -- Microsoft itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal E-mails obtained Monday by The Associated Press.

Although Microsoft contends its failure to keep up with its own updates didn't cause major problems, security experts said it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.

The virus-like attack, called Slammer or Sapphire, exploited a known flaw in Microsoft's SQL Server 2000 database software, used by businesses, government agencies, universities, and others around the world. Microsoft had issued a patch for the flaw in July, but many--including some units within Microsoft--had failed to install it.

The result was that the attacking software scanned for victim computers so randomly and so aggressively that it saturated many of the Internet's largest data pipelines, slowing E-mail and Web surfing around the world.

Microsoft spokesman Rick Miller declined to say which areas or how many computers at Microsoft were affected. He acknowledged that some servers were left unfixed because administrators "didn't get around to it when they should have."

The computer servers that hosted the software patch for download by users weren't among those vulnerable to the worm, Miller said.

The disclosure comes less than a week after Microsoft chairman Bill Gates marked progress on the company's "Trustworthy Computing" initiative. That effort, announced a year ago, made security a top priority at the Redmond, Wash.-based company. Microsoft put thousands of its developers through security training to emphasize writing secure code, and hired a chief security officer.

Miller said employees' failure to install patches on their computers doesn't reflect a lack of commitment to Gates' vision for secure computing.

"This is why we developed Trustworthy Computing," Miller said. "Not because we said when we came out with a memo that our work was done and it was over, but that we were beginning the process, and we were going to learn and we were going to make it better ... We're committed to getting there."

This isn't the first time Microsoft has had its own computers attacked when it failed to install software fixes. In 2000, Microsoft was one of the victims of the "I Love You" virus, which exploited a known flaw in its Outlook E-mail program.

But it's no surprise that many--including Microsoft--were vulnerable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc.

Network administrators are dealing with several software patches each week from Microsoft and other vendors, he said.

"You can't possibly keep up with this," Schneier said. "There's a lot of frustration."

He added that Microsoft needs to own up to problems with how it offers security fixes.

"On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim."

Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.

SQL Server patches in particular can be difficult, time-consuming, and error-prone to the point where they may cause the program to fail, Schneier said.

Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100% security is an elusive goal.

"There's never going to be a day," Miller said, "when ... software that is developed by humans is flawless."
