Is MS to blame for Code Red?

As networks brace for a new attack, Microsoft takes heat for the server software hole that let the Code Red worm wiggle onto the Internet. Critics say the company could have done more to avert a crisis.
Written by David Becker, Contributor and  Ian Fried, Contributor on
While network administrators wait and prepare for another round of attacks from the Code Red worm, Microsoft is drawing much of the blame for the pernicious infection.

Once again, security experts say the speed and stability of the Internet is at risk because of Code Red, a malicious worm that takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software. The worm infected more than 300,000 servers and attacked the White House Web site last month before going into hibernation.

The worm is set to become active again at 5 pm PDT Tuesday, launching a new round of infections that could generate enough traffic to slow parts of the Internet.

The bulk of the blame for the persistent pest is directed at Microsoft, whose server software contains the vulnerability that enables Code Red to infect servers. Microsoft has also been criticized for allowing other worms, such as those that have spread through the Outlook email software by taking advantage of Microsoft's support for Visual Basic scripts.

Microsoft has been the subject of several recent security-related gaffes. The company had to offer several different patches for a hole in its Exchange email server after initial repairs crippled the servers they were applied to. An earlier hole in IIS was quickly exploited by online vandals. And an insurance firm that protects companies against hacker damage recently decided to boost premiums for customers who use Microsoft's Windows NT software.

Murray Chapman, who runs servers for a living, said he does not use Microsoft's software because of concerns over security.

"Much Microsoft software (including IIS and Outlook) is built to emphasize 'gee whiz' features like cool Javascript applets over security and reliability," Chapman said in an email. "I sit back and watch with amusement and horror at the unnecessary panic and wasted money and effort that is being spent in this battle."

Marc Maiffret, chief hacking officer at eEye Digital Security and the one responsible for discovering the IIS hole, said the publicity blitz launched by Microsoft and government officials a few days ago should have come much earlier, when the worm was dormant and system administrators had plenty of time to act.

"It's like they really waited until the last minute," Maiffret said. "They really should have been doing a lot more the last week and a half. . . A security patch shouldn't take a month to install."

Microsoft counters that it did all that was possible after learning of the hole, offering a patch and publicizing the issue. Spokesman Jim Desler said the company mobilized its technical account managers, alerted the press and sent a message to 160,000 people on the company's security email list.

"You can't reach everybody, but we reach as many as we possibly can," Desler said. "It's fortunate that we were able to do so, or the initial phase of Code Red would have been far more serious."

The security mailing list is voluntary, and another Microsoft representative said the company had no plans to try to email all product owners on security issues.

Desler said Microsoft is looking at ways to improve its notification process.

"We are always looking at ways to make the process more efficient," Desler said, although he did not have specifics on any new programs.

Others have questioned the whole approach of expecting software customers to, on their own, download and install fixes to prevent a particular issue.

The fact that so many system administrators have failed to install a patch for one of the most widely publicized security holes ever has led many to question the "patch and pray" approach to fixing buggy software.

Instead of fixing buggy software, the focus should be on locking down computer systems to prevent activity that could be compromising, said Randy Sandone, CEO of security software maker Argus Systems Group.

"I think people are getting pretty frustrated with the status quo," he said. "I think the answer is to inoculate your system from the get-go from these kinds of threats."

Christopher W Klaus, founder of software and services company Internet Security Systems, advocates an approach called "vulnerability scanning" that routinely examines computer systems for possible security threats.

"Companies really need a multilayered security approach," Klaus said. "It's Code Red today, but what's the threat going to be tomorrow?"

Microsoft's Desler noted that the software giant is not the only one whose products have holes, just a large company that goes public with potential problems.

"All software has vulnerabilities," Desler said. "Within the past month, (with) every major vendor there has been a significant security vulnerability discovered."

Nonetheless, Desler said Microsoft acklowedges it has "a particular responsibility" by virtue of its size.

But some say the publicity surrounding Code Red has only made the matter worse.

Rob Rosenberger, editor of the Vmyths.com news service, said the Code Red worm is a threat, but he argued against the climate of hysteria he sees developing.

"A panicky user can be as dangerous as the Code Red worm itself," Rosenberger said in a statement. He blamed the FBI's new National Infrastructure Protection Center for overhyping the problem.

"Vmyths.com believes they launched a 'Code Red publicity tour' largely to improve their image," Rosenberger said. "They suffered intense humiliation last week when (NIPC) Director Ron Dick faced an irate Senate subcommittee."

Editorial standards