Internal E-mails show software maker failed to install key fixes to its own software on many servers.
SEATTLE (AP) -- Microsoft itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal E-mails obtained Monday by The Associated Press.
Although Microsoft contends its failure to keep up with its own updates didn't cause major problems, security experts said it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.
The virus-like attack, called Slammer or Sapphire, exploited a known flaw in Microsoft's SQL Server 2000 database software, used by businesses, government agencies, universities, and others around the world. Microsoft had issued a patch for the flaw in July, but many--including some units within Microsoft--had failed to install it.
The result was that the attacking software scanned for victim computers so randomly and so aggressively that it saturated many of the Internet's largest data pipelines, slowing E-mail and Web surfing around the world.
Microsoft spokesman Rick Miller declined to say which areas or how many computers at Microsoft were affected. He acknowledged that some servers were left unfixed because administrators "didn't get around to it when they should have."
The computer servers that hosted the software patch for download by users weren't among those vulnerable to the worm, Miller said.
The disclosure comes less than a week after Microsoft chairman Bill Gates marked progress on the company's "Trustworthy Computing" initiative. That effort, announced a year ago, made security a top priority at the Redmond, Wash.-based company. Microsoft put thousands of its developers through security training to emphasize writing secure code, and hired a chief security officer.
Miller said employees' failure to install patches on their computers doesn't reflect a lack of commitment to Gates' vision for secure computing.
"This is why we developed Trustworthy Computing," Miller said. "Not because we said when we came out with a memo that our work was done and it was over, but that we were beginning the process, and we were going to learn and we were going to make it better ... We're committed to getting there."
This isn't the first time Microsoft has had its own computers attacked when it failed to install software fixes. In 2000, Microsoft was one of the victims of the "I Love You" virus, which exploited a known flaw in its Outlook E-mail program.
But it's no surprise that many--including Microsoft--were vulnerable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc.
Network administrators are dealing with several software patches each week from Microsoft and other vendors, he said.
"You can't possibly keep up with this," Schneier said. "There's a lot of frustration."
He added that Microsoft needs to own up to problems with how it offers security fixes.
"On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim."
Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.
SQL Server patches in particular can be difficult, time-consuming, and error-prone to the point where they may cause the program to fail, Schneier said.
Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100% security is an elusive goal.
"There's never going to be a day," Miller said, "when ... software that is developed by humans is flawless."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.