Microsoft also gets slammed by worm

CNN's Tom Mintier reports on the impact of the 'SQL Slammer' worm in South Korea, the world's most wired country. (January 27)

SEATTLE (AP) -- Microsoft Corp. itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers, according to internal e-mails obtained by The Associated Press.

Although Microsoft contends its failure to keep up with its own updates did not cause major problems, security experts said Monday it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.

The virus-like attack, called "slammer" or "sapphire," exploited a known buffer-overflow flaw in the SQL Server Resolution Service (UDP port 1434) of Microsoft's "SQL Server 2000" database software, used by businesses, government agencies, universities and others around the world. Microsoft had issued a patch for the flaw in July 2002, but many -- including some units within Microsoft -- had failed to install it.

Didn't get around to it

The result was that the attacking software scanned for victim computers so randomly and so aggressively that it saturated many of the Internet's largest data pipelines, slowing e-mail and Web surfing around the world.
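The scanning pattern described above is what makes the worm visible on the wire even without a payload signature: one source sending identical small UDP datagrams to port 1434 on many unrelated hosts in a short time. The following is an added illustration, not code from the article or from Microsoft, of how a network defender could flag that behaviour in flow records. The flow records, the tuple layout and the threshold values are all constructed for the example; the port (UDP 1434) and the 376-byte payload size are the worm's real characteristics.

```python
"""Flag hosts showing the random-scan pattern of the SQL Slammer worm (added example)."""
from collections import defaultdict

SLAMMER_DPORT = 1434          # SQL Server Resolution Service listens on UDP 1434
SLAMMER_PAYLOAD_LEN = 376     # the whole worm fit in a single 376-byte UDP datagram

# Constructed sample flow records, NOT captured traffic:
# (time_s, src, dst, proto, dport, udp_payload_bytes)
SAMPLE_FLOWS = [
    (0.00, "10.0.0.5", "203.0.113.7",  "udp", 1434, 376),
    (0.01, "10.0.0.5", "198.51.100.9", "udp", 1434, 376),
    (0.02, "10.0.0.5", "192.0.2.44",   "udp", 1434, 376),
    (0.03, "10.0.0.5", "203.0.113.99", "udp", 1434, 376),
    (0.04, "10.0.0.5", "198.51.100.1", "udp", 1434, 376),
    (0.05, "10.0.0.5", "192.0.2.200",  "udp", 1434, 376),
    (0.50, "10.0.0.8", "10.0.0.20",    "udp", 1434, 1),    # legitimate 1-byte resolution-service query
    (0.60, "10.0.0.8", "10.0.0.20",    "tcp", 1433, 1200), # ordinary SQL Server session
    (1.20, "10.0.0.9", "10.0.0.21",    "udp", 1434, 376),  # one worm-sized packet to one host: not a scan
]


def slammer_like(flow):
    """True for a UDP datagram to port 1434 whose payload is exactly the worm's size."""
    _, _, _, proto, dport, size = flow
    return proto == "udp" and dport == SLAMMER_DPORT and size == SLAMMER_PAYLOAD_LEN


def find_scanners(flows, window_s=1.0, min_distinct_dsts=5):
    """Return {src: most distinct destinations hit with worm-sized UDP/1434 packets
    inside any single window} for sources that cross the threshold.

    Random scanning shows up as many distinct destinations from one source in a
    short time; a real client talks to a handful of known database servers.
    """
    per_window = defaultdict(set)   # (src, window index) -> destinations seen
    for flow in flows:
        if not slammer_like(flow):
            continue
        t, src, dst = flow[0], flow[1], flow[2]
        per_window[(src, int(t // window_s))].add(dst)

    worst = {}
    for (src, _), dsts in per_window.items():
        if len(dsts) >= min_distinct_dsts:
            worst[src] = max(worst.get(src, 0), len(dsts))
    return worst


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts probed on UDP/{SLAMMER_DPORT} within one second")
```

On the constructed data only 10.0.0.5 is reported; the single-packet sender and the ordinary client are ignored. Size and port alone are a weak signature (any 376-byte datagram to 1434 matches), which is why the fan-out across distinct destinations, not the packet itself, drives the verdict.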

Microsoft spokesman Rick Miller declined to say which areas or how many computers at Microsoft were affected. He acknowledged that some servers were left unfixed because administrators "didn't get around to it when they should have."

The computer servers that hosted the software patch for download by users were not among those vulnerable to the worm, Miller said.

The disclosure comes less than a week after Microsoft Chairman Bill Gates marked progress on the company's "Trustworthy Computing" initiative. That effort, announced a year ago, made security a top priority at the Redmond, Wash.-based company. Microsoft put thousands of its developers through security training to emphasize writing secure code, and hired a chief security officer.

Not the first time

Miller said employees' failure to install patches on their computers does not reflect a lack of commitment to Gates' vision for secure computing.

"This is why we developed Trustworthy Computing," Miller said. "Not because we said when we came out with a memo that our work was done and it was over, but that we were beginning the process, and we were going to learn and we were going to make it better ... We're committed to getting there."

Microsoft chairman Bill Gates gestures as he addresses students during an award ceremony in Munich, Germany Tuesday.

This isn't the first time Microsoft has had its own computers attacked when it failed to install software fixes. In 2000, Microsoft was one of the victims of the "I Love You" virus, which spread through its Outlook e-mail program.

But it's no surprise that many -- including Microsoft -- were vulnerable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc.

Network administrators are dealing with several software patches each week from Microsoft and other vendors, he said.

WHAT IS A WORM?
A program that makes copies of itself -- for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. 

Source: Symantec

"You can't possibly keep up with this," Schneier said. "There is a lot of frustration."

Admitting problems

He added that Microsoft needs to own up to problems with how it offers security fixes.

"On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim."

Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.

SQL Server patches in particular can be difficult, time-consuming and error-prone to the point where they may cause the program to fail, Schneier said.

Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100 percent security is an elusive goal.

"There's never going to be a day when ... software that is developed by humans is flawless," he said.



Copyright 2003 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

© 2005 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved.