[ISN] Microsoft accidentally distributes virus

From: InfoSec News (isnat_private)
Date: Mon Jun 17 2002 - 02:09:07 PDT

  • Next message: InfoSec News: "[ISN] Flaw Puts SQL Servers at Risk"

    Forwarded from: Aj Effin Reznor <ajat_private>
    
    http://news.com.com/2100-1001-935994.html?tag=fd_top
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    June 14, 2002, 10:35 AM PT
    
    update: Microsoft accidentally sent the virulent Nimda worm to South
    Korean developers when it distributed Korean-language versions of
    Visual Studio .Net that carried the virus, the company acknowledged
    Friday.
    
    Microsoft's flagship developer tools picked up the digital pest when a
    third-party company translated the program into Korean, said
    Christopher Flores, lead product manager for Visual Studio .Net.
    Flores stressed that no other foreign-language versions of the program
    were found to carry the worm, and he said the worm had not actually
    executed on any developers' systems.
    
    "There have been no recorded infections," Flores said. In fact, he
    added, it's almost impossible to get the worm to execute on computers
    with Visual Studio .Net installed.
    
    The infected file is stored in the same location as the help files,
    Flores said, but it's a file created by Nimda, so the .Net program's
    help system doesn't know it's there and will never reference--or
    open--the file. It's unlikely, then, that Nimda would break loose,
    Flores said.
    
    And if the worm did execute somehow, he said, it couldn't spread to
    the developer's system because the virus only runs on systems running
    Internet Explorer 5.5 and lower, and Visual Studio .Net requires
    version 6.0 of the browser.
    
    "It's extremely unlikely that a developer would ever accidentally get
    infected by Nimda," said Flores. "They would have to try hard just to
    run the worm."
    
    Still, the slip up is yet another stain on Microsoft's reputation as
    the company works to convince the public and the tech community that
    its products are secure. In a company-wide memo sent last January,
    Bill Gates trumpeted a "trustworthy computing initiative," calling on
    Microsoft's employees to put security above all else.
    
    Nimda started infecting computers last September and quickly became an
    epidemic. However, since October, incidents of the worm have dropped.
    
    The Redmond, Wash.-based software giant released Visual Studio .Net in
    February, and the Korean version made it to market some 90 days ago,
    Flores said.
    
    The Korean version of the developer tools picked up Nimda from the
    third-party "localization" company Microsoft hired to translate the
    program's help system into Korean. That company had already been
    infected by Nimda and spread the virus to the help tools, which gained
    an extra, infected file.
    
    Flores said that under Microsoft's security policy, the company
    normally scans every file being transferred to the master of a
    program. But in this case, the company only analyzed files it expected
    to find. Since the Nimda-infected file had been added by the worm, the
    company overlooked it.
    
    "We have been (scanning all files) in every one of our geographies,"  
    Flores said. "There was a loophole in our Korean side that caused us
    to miss files that we didn't expect to be there."
    
    It wasn't until a Microsoft employee was adding the help documentation
    to the software giant's developer Web site that the worm was found.  
    "We have to go through a conversion process to an online HTML format,"  
    said Flores. "During that process we found an extra file hanging
    around."
    
    Microsoft has notified all its registered Korean customers, and the
    company posted a patch to its Web site Thursday night. It also plans
    to send clean copies of the program to every registered customer free
    of charge and is attempting to contact developers who may have bought
    the product but not registered it.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 05:24:14 PDT