Microsoft accused of not stamping on bugs

The world's biggest software company is guilty of ignoring security vulnerabilities, says bug-hunter

Microsoft has been accused of ignoring a major security problem affecting its software by an independent security expert.

A European security consultant says that he alerted the software powerhouse to the problem months ago and was met with apathy.

Ante Kotarac, who operates the security Web site www.403-security.org, says that the problem affects Hyper Terminal, an application included with most versions of the Windows operating system that allows a user to establish a secure connection with another machine. Kotarac, known in the security field by the name Astral, says that he first contacted Microsoft about the vulnerability in November 2000 and has become frustrated by the company's lack of concern.

According to Kotarac, the vulnerability he has discovered would enable any hacker to use a Hyper Terminal file sent in an email attachment to take control of a targeted computer system. Kotarac says that he contacted the Microsoft Security Response Center in November of last year.

"Every time they told me that a security bulletin would be issued in the next few weeks, and that they will inform me every four to five days," he said. "Last time they contacted me was March and said, of course, it will be issued in the next few weeks."

To make matters worse, says Kotarac, Microsoft's attitude contrasts starkly with that of other software firms. "While working with other vendors in whose software I discovered security vulnerabilities there were no problems and their software was fixed in less than a week," said Kotarac.

A spokeswoman for Microsoft in the UK was unable to confirm the existence of the vulnerability, but said Microsoft does not ignore security problems. "We do take all issues around security very, very seriously and everything reported is investigated thoroughly," she said. The spokeswoman said it is unclear why the incident may have taken so long to investigate.

Kenneth de Spiegeleire, manager of security assessment services for computer security firm Internet Security Systems (ISS), said that major software vendors, including Microsoft, have become better in recent years and now usually come up with fixes for problems in a matter of weeks.

Spiegeleire said some problems may, however, lie in the design of an application and therefore take far longer to fix. For this reason, he said it could be ill-advised to draw attention to such a vulnerability when there is no fix. "It is irresponsible," he said.

Kotarac, however, defends his decision to go public. "Microsoft cares about security, but not as much as it should," he says. "It's not fair for users."
