FBI warns of bugs for Christmas

Familiar bugs could spoil Christmas for e-commerce sites that are lax about security. Microsoft server software is especially vulnerable

Just in time for Christmas, the National Infrastructure Protection Center has posted a warning to e-commerce sites to beware of old bugs. The advisory noted an increase in network attacks on e-commerce sites vulnerable to well-documented, but frequently unpatched, flaws.

The National Infrastructure Protection Centre (NIPC)-- a coordinated effort between the US Department of Justice, the FBI, and several other government agencies -- cited "an increase in hacker activity specifically targeting US systems associated with e-commerce" as the reason for the advisory, issued Friday.

"The hackers are exploiting at least three known system vulnerabilities to gain unauthorised access and download proprietary information," stated the advisory. "Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators."

The agency could not be reached Monday for further comment on the advisory.

Most of the network intrusions have taken advantage of flaws in Microsoft server software. All three flaws specifically mentioned in the NIPC advisory affect Microsoft software.

The first, almost three years old, is a known problem with the default configuration of the Remote Data Service in Microsoft's popular Internet Information Server. The bug allows network attackers to gain information about the server and run system commands.

The so-called "RDS flaw" topped the list of ZDNet News bugs in 1999.

The second flaw affects sites using Microsoft's SQL (Structured Query Language) database software or the Microsoft Data Engine. Known as the "SQL Query Abuse" vulnerability, the flaw allows customers to submit queries and download information contained in a site's database. For e-commerce sites, that could expose credit card records or other personal customer data to online vandals and thieves.

The NIPC highlighted a third flaw that lets invaders take advantage of certain improperly set file permissions to gain full access to a server.

While system administrators have been alerted in the past to the potential threat of the flaws by the NIPC and Microsoft, the latest advisory targets system administrators who may not keep up-to-date on software flaws, said Russ Cooper, security evangelist for security firm TruSecure.

"They are talking to a different audience," said Cooper, whose official title at the company is surgeon general. "Maybe they have said to themselves, 'We have never told other people this very well.'"

While some may question the necessity of such a move, system administrators -- typically overworked -- frequently need reminders to patch their software, he said.

Take me to the Virus Workshop

Take me to ZDNet Enterprise

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.