[ISN] Microsoft takes heat for Code Red

From: InfoSec News (isnat_private)
Date: Wed Aug 01 2001 - 02:47:12 PDT

  • Next message: InfoSec News: "[ISN] perl OpenPGP posted at CPAN"

    By Ian Fried and David Becker
    Staff Writers, CNET News.com 
    July 31, 2001, 12:25 p.m. PT 
    While network administrators wait and prepare for another round of
    attacks from the Code Red worm, Microsoft is drawing much of the blame
    for the pernicious infection.
    Once again, security experts say the speed and stability of the
    Internet is at risk because of Code Red, a malicious worm that takes
    advantage of a hole in Microsoft's Internet Information Server (IIS)
    Web server software. The worm infected more than 300,000 servers and
    attacked the White House Web site last month before going into
    The worm is set to become active again at 5 p.m. PDT Tuesday,
    launching a new round of infections that could generate enough traffic
    to slow parts of the Internet.
    The bulk of the blame for the persistent pest is directed at
    Microsoft, whose server software contains the vulnerability that
    enables Code Red to infect servers. Microsoft has also been criticized
    for allowing other worms, such as those that have spread through the
    Outlook e-mail software by taking advantage of Microsoft's support for
    Visual Basic scripts.
    Microsoft has been the subject of several recent security-related
    gaffes. The company had to offer several different patches for a hole
    in its Exchange e-mail server after initial repairs crippled the
    servers they were applied to. An earlier hole in IIS was quickly
    exploited by online vandals. And an insurance firm that protects
    companies against hacker damage recently decided to boost premiums for
    customers who use Microsoft's Windows NT software.
    Murray Chapman, who runs servers for a living, said he does not use
    Microsoft's software because of concerns over security.
    "Much Microsoft software (including IIS and Outlook) is built to
    emphasize 'gee whiz' features like cool Javascript applets over
    security and reliability," Chapman said in an e-mail. "I sit back and
    watch with amusement and horror at the unnecessary panic and wasted
    money and effort that is being spent in this battle."
    Marc Maiffret, chief hacking officer at eEye Digital Security and the
    one responsible for discovering the IIS hole, said the publicity blitz
    launched by Microsoft and government officials a few days ago should
    have come much earlier, when the worm was dormant and system
    administrators had plenty of time to act.
    "It's like they really waited until the last minute," Maiffret said.
    "They really should have been doing a lot more the last week and a
    half. . . A security patch shouldn't take a month to install."
    Microsoft counters that it did all that was possible after learning of
    the hole, offering a patch and publicizing the issue. Spokesman Jim
    Desler said the company mobilized its technical account managers,
    alerted the press and sent a message to 160,000 people on the
    company's security e-mail list.
    "You can't reach everybody, but we reach as many as we possibly can,"
    Desler said. "It's fortunate that we were able to do so, or the
    initial phase of Code Red would have been far more serious."
    The security mailing list is voluntary, and another Microsoft
    representative said the company had no plans to try to e-mail all
    product owners on security issues.
    Desler said Microsoft is looking at ways to improve its notification
    "We are always looking at ways to make the process more efficient,"
    Desler said, although he did not have specifics on any new programs.
    Others have questioned the whole approach of expecting software
    customers to, on their own, download and install fixes to prevent a
    particular issue.
    The fact that so many system administrators have failed to install a
    patch for one of the most widely publicized security holes ever has
    led many to question the "patch and pray" approach to fixing buggy
    Instead of fixing buggy software, the focus should be on locking down
    computer systems to prevent activity that could be compromising, said
    Randy Sandone, CEO of security software maker Argus Systems Group.
    "I think people are getting pretty frustrated with the status quo," he
    said. "I think the answer is to inoculate your system from the get-go
    from these kinds of threats."
    Christopher W. Klaus, founder of software and services company
    Internet Security Systems, advocates an approach called "vulnerability
    scanning" that routinely examines computer systems for possible
    security threats.
    "Companies really need a multilayered security approach," Klaus said.
    "It's Code Red today, but what's the threat going to be tomorrow?"
    Microsoft's Desler noted that the software giant is not the only one
    whose products have holes, just a large company that goes public with
    potential problems.
    "All software has vulnerabilities," Desler said. "Within the past
    month, (with) every major vendor there has been a significant security
    vulnerability discovered."
    Nonetheless, Desler said Microsoft acklowedges it has "a particular
    responsibility" by virtue of its size.
    But some say the publicity surrounding Code Red has only made the
    matter worse.
    Rob Rosenberger, editor of the Vmyths.com news service, said the Code
    Red worm is a threat, but he argued against the climate of hysteria he
    sees developing.
    "A panicky user can be as dangerous as the Code Red worm itself,"
    Rosenberger said in a statement. He blamed the FBI's new National
    Infrastructure Protection Center for overhyping the problem.
    "Vmyths.com believes they launched a 'Code Red publicity tour' largely
    to improve their image," Rosenberger said. "They suffered intense
    humiliation last week when (NIPC) Director Ron Dick faced an irate
    Senate subcommittee."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 04:43:20 PDT