July 31, 2001 12:25 PM PDT
Microsoft takes heat for Code Red
- Related Stories
Officials sound Code Red alarmJuly 30, 2001
New worm has Net seeing "Red"July 20, 2001
Web worm targets White HouseJuly 19, 2001
Code Red worm set to flood InternetJuly 19, 2001
Microsoft reveals Web server holeJune 18, 2001
Microsoft 'incredibly sorry' about goofed fixJune 13, 2001
Windows users pay for hacker insuranceMay 29, 2001
Hacker exploits Microsoft server flawMay 3, 2001
Once again, security experts say the speed and stability of the Internet is at risk because of Code Red, a malicious worm that takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software. The worm infected more than 300,000 servers and attacked the White House Web site last month before going into hibernation.
The worm is set to become active again at 5 p.m. PDT Tuesday, launching a new round of infections that could generate enough traffic to slow parts of the Internet.
The bulk of the blame for the persistent pest is directed at Microsoft, whose server software contains the vulnerability that enables Code Red to infect servers. Microsoft has also been criticized for allowing other worms, such as those that have spread through the Outlook e-mail software by taking advantage of Microsoft's support for Visual Basic scripts.
Microsoft has been the subject of several recent security-related gaffes. The company had to offer several different patches for a hole in its Exchange e-mail server after initial repairs crippled the servers they were applied to. An earlier hole in IIS was quickly exploited by online vandals. And an insurance firm that protects companies against hacker damage recently decided to boost premiums for customers who use Microsoft's Windows NT software.
Murray Chapman, who runs servers for a living, said he does not use Microsoft's software because of concerns over security.
Marc Maiffret, chief hacking officer at eEye Digital Security and the one responsible for discovering the IIS hole, said the publicity blitz launched by Microsoft and government officials a few days ago should have come much earlier, when the worm was dormant and system administrators had plenty of time to act.
"It's like they really waited until the last minute," Maiffret said. "They really should have been doing a lot more the last week and a half. . . A security patch shouldn't take a month to install."
Microsoft counters that it did all that was possible after learning of the hole, offering a patch and publicizing the issue. Spokesman Jim Desler said the company mobilized its technical account managers, alerted the press and sent a message to 160,000 people on the company's security e-mail list.
"You can't reach everybody, but we reach as many as we possibly can," Desler said. "It's fortunate that we were able to do so, or the initial phase of Code Red would have been far more serious."
The security mailing list is voluntary, and another Microsoft representative said the company had no plans to try to e-mail all product owners on security issues.
Desler said Microsoft is looking at ways to improve its notification process.
"We are always looking at ways to make the process more efficient," Desler said, although he did not have specifics on any new programs.
Others have questioned the whole approach of expecting software customers to, on their own, download and install fixes to prevent a particular issue.
The fact that so many system administrators have failed to install a patch for one of the most widely publicized security holes ever has led many to question the "patch and pray" approach to fixing buggy software.
Instead of fixing buggy software, the focus should be on locking down computer systems to prevent activity that could be compromising, said Randy Sandone, CEO of security software maker Argus Systems Group.
Christopher W. Klaus, founder of software and services company Internet Security Systems, advocates an approach called "vulnerability scanning" that routinely examines computer systems for possible security threats.
"Companies really need a multilayered security approach," Klaus said. "It's Code Red today, but what's the threat going to be tomorrow?"
Microsoft's Desler noted that the software giant is not the only one whose products have holes, just a large company that goes public with potential problems.
"All software has vulnerabilities," Desler said. "Within the past month, (with) every major vendor there has been a significant security vulnerability discovered."
Nonetheless, Desler said Microsoft acklowedges it has "a particular responsibility" by virtue of its size.
But some say the publicity surrounding Code Red has only made the matter worse.
Rob Rosenberger, editor of the Vmyths.com news service, said the Code Red worm is a threat, but he argued against the climate of hysteria he sees developing.
"A panicky user can be as dangerous as the Code Red worm itself," Rosenberger said in a statement. He blamed the FBI's new National Infrastructure Protection Center for overhyping the problem.
"Vmyths.com believes they launched a 'Code Red publicity tour' largely to improve their image," Rosenberger said. "They suffered intense humiliation last week when (NIPC) Director Ron Dick faced an irate Senate subcommittee."