The biggest computer bugs of 1999!

Viruses and security holes actually caused real damage during the year, not the mere hype we'd seen before. Everyone knew Melissa, but that wasn't even the year's worst bug.
Written by Robert Lemos, Contributor
The year 1999 may forever be known as the Year of Melissa.

The e-mail macro virus caused a week of havoc and overtime at major companies across the United States after it struck in late March. But that very visible virus ranked only second on ZDNN's list of worst computer glitches for 1999.

At No. 1? Two security holes that have drawn relatively little media attention, but have let Internet intruders into military systems and onto the Nasdaq Web site.

Two bugs, many hacks
Known as the ColdFusion exploit and the Internet Information Server's Remote Data Service bug, the two server glitches were discovered in 1998, but only this year have they been fully exploited. Together the two bugs account for hundreds of known incidents in which a Web server has been compromised.

How bad were they?

PCWeek reported that more than 100 sites have been hit by attackers using the ColdFusion exploit. Russ Cooper, editor of Windows NT security watchlist NTBugTraq, said that the IIS RDS bug is "perhaps responsible for the majority of the Web page defacements this year."

The damage done by attackers exploiting the two holes is unknown. Perhaps worse, however, is that the security community has known about the problems and even issued patches, but lax system administrators have not fixed their systems.

"The state of security these days is due to the fact that the only check on the software vendors is customer complaints," said Weld Pond, a white-hat hacker for security group L0pht Heavy Industries, who asked to be identified by his handle. "I guess not enough people are complaining. ...What a mess."

Privacy gains prominence
Consumers' privacy also became a big issue in information security this year.

"Privacy was always related to information security," said Jason Catlett, president of pro-privacy Junkbusters Corp. "But I think 1999 was the year when lots of people really started taking Internet privacy personally. We have moved our lives into a place that isn't very secure or private, so everyone's understandably feeling kind of nervous and uncomfortable."

Most notable among the flaws: A security hole in Hotmail that allowed anyone with a valid login name access to Hotmail users' e-mail.

Some of the other privacy "bugs" were -- and, in some cases, still are -- considered features by the companies that created the products. Intel's Pentium III processor serial number and the global unique identifier are examples of double-edged features that can be exploited.

Here's how ZDNN rated the software -- and hardware -- missteps of 1999:

No. 10: Deja News records e-mail traffic
In April, independent security consultant Richard Smith (then president of Phar Lap Software Inc.) discovered that Internet e-mail search site Deja News recorded the e-mail addresses of the sender and recipient of e-mail sent through its service.

Deja News executives told Smith that the data is logged as a standard practice and that they had no intention of keeping the records.

However, like many cases, the existence of the data is cause enough to fear for privacy, said Smith in a previous ZDNN interview. Armed with a subpoena, law enforcement officials and even civil lawyers pursuing, say, a divorce case can open up the records.

A week later, Deja News stopped collecting the information.
Deja News privacy snafu uncovered
Deja News to stop tracking addresses
Can you trust TRUSTe?

No. 9: Intel processor serial number
Hoping to make computers more e-commerce-friendly, PC processor maker Intel Corp. (Nasdaq: INTC) added a unique ID to its Pentium III family of processors, announced in January.

As first reported by ZDNN, the electronic ID scheme worried privacy advocates as an unregulated technology that could be used as a Social Security number on the Net.

Later, evidence showed that despite Intel's best efforts, the ID feature could not be turned off in the face of an attacker determined to get the computer's ID.

Furthermore, encryption expert Bruce Schneier -- a co-creator of one of the algorithms that may become the United States' official next-generation encryption scheme - claimed that the method of asking a PC for its serial number is not secure and so the serial number -- in Intel's mind, the user's identity -- can be spoofed.

While Intel agreed to ship Pentium III chips with the ID turned off, the processor serial number continues to be included in its Pentium III processors.
Intel to electronically ID chips
Why Intel's ID tracker won't work
Intel blink: ID tracker will be off initially

No. 8: AOL Instant Messenger buffer overflow
Last summer, Internet service provider America Online Inc. (NYSE: AOL) and software giant Microsoft Corp. (Nasdaq: MSFT) engaged in a knock-down fight over whether other companies' (read: Microsoft's) products could connect to AOL's Instant Messenger service.

As America Online continued to modify its service to block Microsoft's attempts to use it, an allegedly "independent" consultant claimed AOL was using a security hole in its software to aid in blocking Microsoft.

The hole -- known as a buffer overrun, or overflow, error -- tricks a computer into running commands by sending more data than the machine is expecting. While this behavior helped AOL run a check of which software the user was running -- AOL's or Microsoft's -- it also could have let a malicious attacker using the hole gain entry to a IM user's PC.

Microsoft burned any public relations value in the incident when it turned out that the "independent" consultant, who contacted security consultant Richard Smith with the news, turned out to be using a Microsoft server and was assumed to be an employee of the company.

Still, the buffer overflow error was real, and was later patched by America Online. Since then, Microsoft has backed off in its attempts to co-opt AOL's service.
Is AOL hacking IM users?
ZDNN Special: Instant Mess
Did Microsoft employee smear AOL?

No. 7: IE 5 flaws rampant
Microsoft's Internet Explorer had a good year in the market, but security-wise it had a bad 1999. Every two months or so, someone found a new flaw in the software.

In April, Microsoft released a patch to fix three IE errors. The following month, the giant software maker released another patch for two more holes. In August, the company patched two more bugs in its scripting service that opened its browser to attack by e-mail worms.

Many other buffer overrun flaws in Internet Explorer were also publicized this year. While the Netscape browser has had its share of problems as well, Internet Explorer bugs are particularly bad. Why? "The problem is that IE is integrated into Windows," said NTBugTraq's Cooper.

In addition, Netscape pays bug sleuths a bounty of $1,000 to turn in bugs to it, rather than the press, said Cooper. "In some ways, IE 5 bugs are more indicative of reporting than reality," he said.
IE5.0 security hole exposed
Hole opens Office 97 users to hijackers
IE, JVM users sweat out flaws

No. 6: CIH frenzy: Real or not?
With its taste whetted by the Melissa virus, the media had little trouble finding a new villain in the much more malicious virus known as CIH.

CIH infected computers through traditional modes -- attaching itself to files and spreading when those files were sent to or opened on another computer. The variant seen by most users triggered on the 26th of every month and deleted the formatting information in the first megabyte of disk space and then tried to delete the motherboard critical information.

After more than a year, most thought the computer virus had run its course. The main variant seemed under control, and the publicity surrounding the Melissa virus caused many computer users to update their virus protection.

But on April 26, the original variant struck. In the U.S., the damage seemed to be limited to students at American universities. Students reportedly lined up at campus computer centers to fix PCs with reformatted hard drives.
CIH virus finds a few victims
CIH computer virus toll tops 540,000
Taiwanese university reveals CIH author

No. 5: Global unique identifier
Following the Intel processor serial number debacle, unique identifiers that could match up information with a person's PC became data non grata on the Web.

The frenzied search for other such identifiers stopped when former Phar Lap president Richard Smith (who had a hand in uncovering four of this year's top-ten bugs) publicized the existence of another identifier -- this time a software ID.

Known as the global unique identifier, or GUID, the number is created by using the serial number of the Ethernet adapter card -- or a random number on PCs with no adapter card -- and is inserted into files created by word processors, spreadsheets and many other applications.

Around since the mid-1980s, GUIDs did not have their tracking ability publicly tested until the Melissa virus struck. Richard Smith, ZDNN and several others attempted to track the author of the virus by using the GUID to match files created by virus writers to specific Web site. The FBI and New Jersey state authorities tracked the alleged author, David L. Smith, by more traditional methods.

Still, other cases of using the GUID to track users use of applications arose in 1999. In late October, Smith discovered that Real Networks' new RealJukebox digital music software recorded users' GUID along with their music preferences, giving the company the ability to match up people with their music.

The next-generation Internet protocol known as IPV6 has extensive identifier technology built in and other Internet companies have used serial numbers and cookies to track users preferences.

Not all agree that the GUID is a bad thing, however. "Whether it is a GUID or a procID, we need a way to track bits on the Internet," said NTBugTraq's Cooper.
MS admits Windows privacy flaw
Rights groups call for ID tracking laws
RealNetworks rewrites privacy policy

No. 4: 'Exploding' e-mail
Highlighting the insecurities of today's Internet e-mail, security historian and virus industry cynic Rob Rosenberger in August quietly unveiled a technique to bring e-mail servers to a crashing halt.

The method essentially takes advantage of several assumptions that e-mail gateway software makes regarding attached e-mail files. The anti-virus industry critic likened the attacks to the Ping of Death -- a simple, yet effective, method to crash a server that reared its head in 1996. "The Ping of Death is an unanticipated ping. This is an unanticipated e-mail," he said.

Pings are used to test a network to see if an Internet address is valid. Attackers that added enough bytes onto the data to make the ping overlong could make servers crash, gaining the technique the name Ping of Death.

Likewise, Rosenberger created files that violated established protocol: COM files of zero length, Zipped files with no content, and other techniques. To the server, these methods don't make a difference, but many anti-virus and content scanners freeze when they scan such a file. The problem: When the scanners die, they take the servers with them.

While several industry insiders had problems with the way Rosenberger announced the flaws -- and the fact that he targeted anti-virus software, few disputed the efficacy of the techniques.
E-mail flaws threaten Net security
Computer Virus Myths: Rosenberger discusses e-mail flaw
Security expert blasts shoddy software

No. 3: Hotmail e-mail security hole
In late August, a modified version of an application created by Michael Nobilio, a programmer at the Swedish Web design company PIPE, exploited a hole in Hotmail.com.

Hotmail is a free e-mail service that lets users check messages from multiple locations and accounts. Microsoft bought the service in December 1997.

The hole -- caused by sloppy CGI code -- allowed anyone submitting a command in the proper format to access any valid account. Microsoft said the hack required "very advanced knowledge," while privacy experts called it "pathetically easy."

While it was unclear how many of Hotmail's 40 million to 50 million users were affected, or for how long, during the days that people knew about the problem, many hackers-for-a-day peeked at co-workers' e-mail accounts and even those of Microsoft execs, according to e-mail received by ZDNN.

On Sept. 1, Microsoft recognized the problem and plugged the hole.

A member of the self-regulating industry organization known as TRUSTe, Microsoft brought in a security firm to audit Hotmail. Soon after, Microsoft declared the free e-mail service cured, but refused to open the final report card to Hotmail users.
ZDNN Special: Hotmail in the hotseat
Report: MS took 10 hours to fix breach
Hotmail users feeling burned

No. 2: Melissa Virus
On Friday, March 26, e-mail servers at Microsoft, Intel and Lucent Technologies, to name just a few, went down as the fastest spreading virus to date started flooding corporations with tens of thousands of e-mails.

Melissa had arrived.

The Word macro virus infected computers by convincing the user to click on an e-mail attachment. Once activated, the virus attached itself to the Word template document -- the foundation for all new Word documents -- and then sent copies of itself to the first 50 address book entries of those victims who used Microsoft's Outlook e-mail client.

Over the weekend, reports of infections poured in, as Melissa flooded e-mail gateways. While the virus was relatively benign, the cost in overtime pay for companies, not to mention its sheer speed in spreading throughout the Net, gave the little macro virus a very high profile.

On Sunday, March 28, the FBI staged a press event, announcing the danger of the virus to companies and its intention to hunt down the writer of the virus.

By the end of the week, the FBI had arrested a suspect, David L. Smith, who had been connected to the release of the virus through phone information provided by America Online Inc.

Since the virus doesn't damage the computer (though several variants could), most consumers were unaffected, and Melissa was nothing except a good reason to upgrade anti-virus software.

"No consumer's computer was ever hurt by Melissa," said Rob Rosenberger, editor of the Computer Virus Myths Web page. "It was a corporate nightmare, however."
Melissa virus triggers manhunt
ZDNN Special: Melissa's Rampage
Officials: AOL info cracked virus case

No. 1: ColdFusion and RDS flaws
While not the year's top media story, two similar flaws in major Web application servers were the root cause behind many media stories in 1999.

These two flaws were "perhaps responsible for the majority of the Web page defacements this year," according to NTBugTraq's Russ Cooper.

Given their names and the technical nature of the exploits, it's no wonder that neither flaw became a media darling. Yet, both are serious, and in many cases, both remain unfixed in Internet servers Webwide.

The vulnerability in Allaire Corp.'s ColdFusion application server enables network attackers to gain access to all the data stored on the Web server and, in the process, install software to create a back door into the rest of the network.

The hole in Microsoft's Remote Data Services for its Internet Information Services software -- using built-in database commands -- allows any user with a browser to send commands to a Web server. Through the Web server, the attacker could then get control of other parts of a corporate network.

Both NTBugTraq and security experts at the white-hat hacking group known as The L0pht reported the problem. "For e-commerce servers this puts transaction logs, credit card numbers and customer information potentially at risk. There is even e-commerce shopping cart software that stores administrative passwords in the clear in text files," said the L0pht in a May 7 advisory.

Perhaps the worst aspect of the problem: It could have largely been avoided.

"Huge corporations are not taking security measures," said NTBugTraq's Cooper. "They were told ages ago and still have not done anything about it. "

"We don't know what information was stolen as a result of people exploiting this," he added. Most likely, both problems will continue to plague system administrators in the new year.
ColdFusion customers put Allaire on hot seat
IIS RDS Vulnerability
IIS, Site Server vulnerable to hackers

Editorial standards