Microsoft takes heat for Code Red

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6730674.html

By Ian Fried and David Becker
Staff Writers, CNET News.com 
July 31, 2001, 12:25 p.m. PT 

While network administrators wait and prepare for another round of
attacks from the Code Red worm, Microsoft is drawing much of the blame
for the pernicious infection.

Once again, security experts say the speed and stability of the
Internet is at risk because of Code Red, a malicious worm that takes
advantage of a hole in Microsoft's Internet Information Server (IIS)
Web server software. The worm infected more than 300,000 servers and
attacked the White House Web site last month before going into
hibernation.

The worm is set to become active again at 5 p.m. PDT Tuesday,
launching a new round of infections that could generate enough traffic
to slow parts of the Internet.

The bulk of the blame for the persistent pest is directed at
Microsoft, whose server software contains the vulnerability that
enables Code Red to infect servers. Microsoft has also been criticized
for allowing other worms, such as those that have spread through the
Outlook e-mail software by taking advantage of Microsoft's support for
Visual Basic scripts.

Microsoft has been the subject of several recent security-related
gaffes. The company had to offer several different patches for a hole
in its Exchange e-mail server after initial repairs crippled the
servers they were applied to. An earlier hole in IIS was quickly
exploited by online vandals. And an insurance firm that protects
companies against hacker damage recently decided to boost premiums for
customers who use Microsoft's Windows NT software.

Murray Chapman, who runs servers for a living, said he does not use
Microsoft's software because of concerns over security.

"Much Microsoft software (including IIS and Outlook) is built to
emphasize 'gee whiz' features like cool Javascript applets over
security and reliability," Chapman said in an e-mail. "I sit back and
watch with amusement and horror at the unnecessary panic and wasted
money and effort that is being spent in this battle."

Marc Maiffret, chief hacking officer at eEye Digital Security and the
one responsible for discovering the IIS hole, said the publicity blitz
launched by Microsoft and government officials a few days ago should
have come much earlier, when the worm was dormant and system
administrators had plenty of time to act.

"It's like they really waited until the last minute," Maiffret said.
"They really should have been doing a lot more the last week and a
half. . . A security patch shouldn't take a month to install."

Microsoft counters that it did all that was possible after learning of
the hole, offering a patch and publicizing the issue. Spokesman Jim
Desler said the company mobilized its technical account managers,
alerted the press and sent a message to 160,000 people on the
company's security e-mail list.

"You can't reach everybody, but we reach as many as we possibly can,"
Desler said. "It's fortunate that we were able to do so, or the
initial phase of Code Red would have been far more serious."

The security mailing list is voluntary, and another Microsoft
representative said the company had no plans to try to e-mail all
product owners on security issues.

Desler said Microsoft is looking at ways to improve its notification
process.

"We are always looking at ways to make the process more efficient,"
Desler said, although he did not have specifics on any new programs.

Others have questioned the whole approach of expecting software
customers to, on their own, download and install fixes to prevent a
particular issue.

The fact that so many system administrators have failed to install a
patch for one of the most widely publicized security holes ever has
led many to question the "patch and pray" approach to fixing buggy
software.

Instead of fixing buggy software, the focus should be on locking down
computer systems to prevent activity that could be compromising, said
Randy Sandone, CEO of security software maker Argus Systems Group.

"I think people are getting pretty frustrated with the status quo," he
said. "I think the answer is to inoculate your system from the get-go
from these kinds of threats."

Christopher W. Klaus, founder of software and services company
Internet Security Systems, advocates an approach called "vulnerability
scanning" that routinely examines computer systems for possible
security threats.

"Companies really need a multilayered security approach," Klaus said.
"It's Code Red today, but what's the threat going to be tomorrow?"

Microsoft's Desler noted that the software giant is not the only one
whose products have holes, just a large company that goes public with
potential problems.

"All software has vulnerabilities," Desler said. "Within the past
month, (with) every major vendor there has been a significant security
vulnerability discovered."

Nonetheless, Desler said Microsoft acklowedges it has "a particular
responsibility" by virtue of its size.

But some say the publicity surrounding Code Red has only made the
matter worse.

Rob Rosenberger, editor of the Vmyths.com news service, said the Code
Red worm is a threat, but he argued against the climate of hysteria he
sees developing.

"A panicky user can be as dangerous as the Code Red worm itself,"
Rosenberger said in a statement. He blamed the FBI's new National
Infrastructure Protection Center for overhyping the problem.

"Vmyths.com believes they launched a 'Code Red publicity tour' largely
to improve their image," Rosenberger said. "They suffered intense
humiliation last week when (NIPC) Director Ron Dick faced an irate
Senate subcommittee."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.