June 13, 2001 4:00 PM PDT
Microsoft 'incredibly sorry' about goofed fix
Microsoft contritely acknowledged Wednesday that its second attempt to fix an Exchange security hole went awry. Rather than fix the problem--and the security hole--the company's second attempt at a software patch included a catastrophic bug that caused many servers to hang. The company was not aware of the problem until alerted by CNET News.com.
"Yesterday, we discovered that the updated version contained outdated files which, as a result, did not fix the issues for which it was designed," a Microsoft representative said Wednesday. "We are incredibly sorry and apologize for any inconvenience."
The prolonged embarrassment comes at a tough time for Microsoft, as the company tries to hold onto its share of the server software market, partly by attacking Linux and other open-source software competitors. Microsoft Senior Vice President Craig Mundie last month lambasted the open-source community for "releasing unhealthy code." Mundie plans to continue the attack at the O'Reilly Open Source Convention in San Diego next month.
Analysts say the latest stumbles show that Microsoft's commercial software is as prone to security problems as open-source software.
"Microsoft has been getting paid for software for a long time, and it's not that much better," said Gartner analyst John Pescatore.
Pescatore wrote a report earlier this year telling his clients not to use Windows 2000 for security-critical applications until the product's bugs had been shaken out. "Windows 2000 has the same Windows security mistakes that we have seen for a long time," he said.
In the latest incident, an error in the company's flagship mail server software endangered people who read mail using a Web browser. The flaw in the so-called Outlook Web Access module allows a malicious programmer to send an e-mail attachment that, if opened, could delete or modify the person's mailbox data.
The existence of the vulnerability in Exchange 2000 servers and a patch to supposedly fix those servers were announced last Thursday.
On Friday, the company pulled down the fix after several system administrators complained that newly patched Exchange servers hung, leaving any inbound e-mail to pile up on external servers. The company also announced that the flaw affected not only Exchange 2000 but Exchange 5.5 as well.
Microsoft posted the latest patch on Saturday, but again system administrators found their servers becoming overloaded once the supposed fix was applied.
Portuguese security consultant Joao Gouveia likened the effect of the patch to a denial-of-service attack that overwhelms a Web server by flooding it with page requests. "If you install the patch, you can cause a self denial-of-service on the system," said Gouveia, who first notified Microsoft of the problem in late April. Several system administrators had contacted Gouveia for aid.
For one system administrator, dealing with the patch was the last straw. "We are on the verge of dumping all of our Microsoft stuff and going to Linux for reasons of expense and reasons of security," he said.
Gartner's Pescatore said incidents like the Exchange fumble are not that rare.
"If you look through the mailing lists and the bug lists, you'll see that one time out of five, a new patch is replacing an older one that didn't work right," he said.
On Wednesday, nearly a week after the release of the first patch, Microsoft rushed to update its Web site and mailing lists with the newest fix.
"This will not happen again," said the Microsoft spokesperson. "Period."