
Firm Pushes Microsoft to Fix Program Security Flaw

TIMES STAFF WRITER

One full week after learning of a serious security flaw in its Internet software, Microsoft has offered a temporary fix for the problem--but it moved only after a Corona del Mar security company publicized the flaw, raising new questions about how the software giant treats security gaps in its products.

The flaw in Microsoft’s Internet Information Server 4.0--a program used to host Web sites--allows anybody with a browser to penetrate the computer and “copy files, delete files, and download anything from any part of the [corporate] network as if you were sitting at that computer,” said Firas Bushnaq, chief executive of ECompany.com, the firm that raised the first alarm.

Other monitors of Web security also saw the flaw as serious.

“The potential problems are very high, but so far we have heard of no case of anyone exploiting it,” said Shawn Hernan, who handles vulnerability issues at the CERT Coordination Center, a security organization at Carnegie-Mellon University in Pittsburgh. Hernan said CERT has rated the flaw a 95, which means it is more serious than 95% of all reported security problems.


For its part, Microsoft said it tries to avoid publicizing security problems in its software until it has a repair, or “patch,” ready, lest it spread awareness of the flaw.

Scott Culp, a Microsoft security product manager, on Wednesday called Bushnaq “irresponsible” for not only publicizing the flaw but posting on the Web “a tool that makes it easy for bad people to attack innocent Web sites.”

Bushnaq said his company chose to take the action because Microsoft wasn’t taking the problem seriously.

Earlier this month, while testing a new product called Retina that checks computer networks for vulnerabilities, ECompany.com discovered that the Microsoft software could be susceptible to a “buffer overflow,” a well-known and common flaw. A buffer overflow can be exploited by sending a program a string of several thousand characters, far more than the program set aside room for; the excess spills over into and overwrites adjacent parts of the computer’s memory, allowing the outside user to take control of the target machine.
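As an added illustration, not code from the article, from ECompany.com or from Microsoft, the C program below models the overflow described above in a simulated stack frame: a fixed-size request buffer sits directly in front of the slot holding the function’s saved return address, so an over-long request overwrites the address the program will jump to next. The handler names, the 64-byte buffer, the frame layout, the stand-in addresses and the sample request are all assumptions chosen for the demonstration; the program does not reproduce the IIS 4.0 bug itself, and the vulnerable handler clips its copy at the edge of the simulated frame only so the simulation stays within its own array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: a fixed-size request buffer immediately followed
 * by the slot holding the function's saved return address. Real frames vary by
 * compiler and platform; this layout is an assumption chosen to make the
 * overwrite visible, not the actual layout inside IIS 4.0. */
enum { BUF_SIZE = 64, RET_SIZE = 4, FRAME_SIZE = BUF_SIZE + RET_SIZE };

#define LEGIT_RETURN 0x08040000u   /* stand-in for a legitimate return address */
#define FAKE_RETURN  0xdeadbeefu   /* address the (hypothetical) attacker wants run */

/* Vulnerable handler: copies the request using the attacker-chosen length with
 * no bounds check (the strcpy/memcpy pattern behind most overflows).
 * Returns whatever ends up in the return-address slot afterwards. */
static uint32_t handle_request_vulnerable(const char *req, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t ret = LEGIT_RETURN;
    memcpy(frame + BUF_SIZE, &ret, RET_SIZE);

    /* Bug: len is never compared with BUF_SIZE. The copy is clipped at
     * FRAME_SIZE only so this simulation stays inside its own array; in a real
     * process the write keeps going past the frame. */
    size_t n = len > FRAME_SIZE ? FRAME_SIZE : len;
    memcpy(frame, req, n);

    memcpy(&ret, frame + BUF_SIZE, RET_SIZE);
    return ret;
}

/* Fixed handler: rejects any request that does not fit the buffer before a
 * single byte is copied. Returns 0 on success, -1 on rejection. */
static int handle_request_fixed(const char *req, size_t len, uint32_t *ret_out)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t ret = LEGIT_RETURN;
    memcpy(frame + BUF_SIZE, &ret, RET_SIZE);

    if (len >= BUF_SIZE)            /* leave room for the terminating NUL */
        return -1;
    memcpy(frame, req, len);
    frame[len] = '\0';

    memcpy(&ret, frame + BUF_SIZE, RET_SIZE);
    *ret_out = ret;
    return 0;
}

/* Constructed attack input: filler up to the return-address slot, the address
 * the attacker wants executed, then thousands more bytes of padding to mirror
 * the "several thousand characters" the article describes. */
static size_t build_payload(char *out, size_t cap, uint32_t fake_ret)
{
    size_t len = 4096;
    if (cap < len || len < BUF_SIZE + RET_SIZE) return 0;
    memset(out, 'A', len);
    memcpy(out + BUF_SIZE, &fake_ret, RET_SIZE);
    return len;
}

/* Over-long request against the unchecked copy: the return slot now holds the
 * attacker's value. */
uint32_t demo_vulnerable_hijacked(void)
{
    static char payload[4096];
    size_t n = build_payload(payload, sizeof payload, FAKE_RETURN);
    return handle_request_vulnerable(payload, n);
}

/* Same request against the bounds-checked copy: refused before any write. */
int demo_fixed_rejects(void)
{
    static char payload[4096];
    uint32_t ret = 0;
    size_t n = build_payload(payload, sizeof payload, FAKE_RETURN);
    return handle_request_fixed(payload, n, &ret);
}

/* A well-formed request that fits the buffer leaves the return slot intact in
 * both handlers. */
uint32_t demo_benign_request(void)
{
    const char *req = "GET /default.htm";   /* constructed sample request */
    uint32_t ret = 0;
    if (handle_request_fixed(req, strlen(req), &ret) != 0) return 0;
    if (handle_request_vulnerable(req, strlen(req)) != ret) return 0;
    return ret;
}

int main(void)
{
    printf("vulnerable handler would return to 0x%08x (attacker-chosen)\n",
           (unsigned)demo_vulnerable_hijacked());
    printf("fixed handler status: %d (request rejected)\n", demo_fixed_rejects());
    printf("benign request returns to 0x%08x\n", (unsigned)demo_benign_request());
    return 0;
}
```

The fix is the single length comparison before the copy; everything an attacker gains from the vulnerable path comes from the handler trusting the request’s own length instead of the buffer’s.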

If the computer is not properly isolated from the rest of a corporation’s network, the user can “sniff” out passwords on computers throughout the network.

Bushnaq said ECompany told Microsoft about the problem June 8. Two days later, Microsoft said it had written a patch but wanted to wait before posting it. On Sunday and again on Monday, ECompany asked Microsoft for an update; after receiving no response Monday, ECompany publicized the problem, then took the more radical step of distributing a program that could help users exploit the flaw to invade other networks.


Bushnaq said he did so to force Microsoft’s hand. If people didn’t find out about the problem, he said, someone was bound to use the hole to do real mischief. “Our credibility was on the line.”

Microsoft’s Culp said the company wanted to properly test its patch before taking the issue public.
