Microsoft flaw debated
June 18, 1999: 2:03 p.m. ET

Small firm disclosed Web security problem before solution was ready
By Staff Writer John Frederick Moore
NEW YORK (CNNfn) - A security flaw discovered in a Microsoft Corp. program -- one that has the potential of shutting down millions of Web sites -- has sparked controversy over when and how such problems should be disclosed to the public.
Last week, the little-known security software firm eEye discovered a security flaw in a Microsoft (MSFT) product that runs millions of Web sites. After a week of communication between the companies, Microsoft released a temporary fix for the vulnerability. The software publisher released a permanent solution Friday morning.
Microsoft said it hasn't received reports of any security violations.
Nonetheless, Microsoft's Internet Information Server (IIS) contained a vulnerability that could allow hackers to shut down a company's Web server. IIS serves up Web pages for more than 1 million sites, including those run by barnesandnoble.com (BNBN) and the Nasdaq stock market.
Intruders would also have the ability to access whatever information is stored in those servers, such as credit card numbers and other personal information. Microsoft, however, said the risk of such information getting into the wrong hands was minimal.
"If you have a busy Web site, like barnesandnoble.com, you need one server that just serves out Web pages and other servers that handle other information," said Adam Sohn, a Microsoft spokesman. "Any responsible e-commerce site is built so that any confidential information is compartmentalized and locked down [on a separate server]."
eEye's concern attracted the attention of Carnegie Mellon University's Computer Emergency Response Team (CERT), which issued an advisory Wednesday.
Microsoft, however, was upset that eEye posted a program on Tuesday that exploits IIS' vulnerability.
eEye said it took the action because Microsoft dragged its feet after being notified of the problem, adding that eEye had a responsibility to bring attention to the seriousness of the flaw.
Microsoft, for its part, contends eEye acted irresponsibly.
"We're disappointed," Sohn said. "As soon as they went public with the tool that exploits the issue, they put millions of IIS servers in jeopardy. We would rather have had this fixed before they disclosed this problem to the world."
The issue of whether to notify the public of a security flaw before a fix is available is largely philosophical. While corporations believe the public should be informed only after a fix is available, hacker types favor a more open approach.
"If you ask our customers, they prefer we take a couple of extra days before we post a patch rather than have the public know about the problem," Sohn said.
"We encourage everyone who discovers a security flaw to work with the vendor to develop a patch," said Shawn Hernan, an official at CERT's security team. "Whether or not vulnerabilities should be disclosed before a fix is ready is a philosophical matter that lots of people have debated. We don't have an official opinion."
