Microsoft flaw debated
June 18, 1999: 2:03 p.m. ET

Small firm disclosed Web security problem before solution was ready
By Staff Writer John Frederick Moore
NEW YORK (CNNfn) - A security flaw discovered in a Microsoft Corp. program -- one that has the potential to shut down millions of Web sites -- has sparked controversy over when and how such problems should be disclosed to the public.
     Last week, the little-known security software firm eEye discovered a security flaw in a Microsoft (MSFT) product that runs millions of Web sites. After a week of communication between the companies, Microsoft released a temporary fix for the vulnerability. The software publisher released a permanent solution Friday morning.
     Microsoft said it hasn't received reports of any security violations.
     Nonetheless, Microsoft's Internet Information Server (IIS) contained a vulnerability that could allow hackers to shut down a company's Web server. IIS serves up Web pages for more than 1 million sites, including those run by (BNBN) and the Nasdaq stock market.
     Intruders would also have the ability to access whatever information is stored in those servers, such as credit card numbers and other personal information. Microsoft, however, said the risk of such information getting into the wrong hands was minimal.
     "If you have a busy Web site, like, you need one server that just serves out Web pages and other servers that handle other information," said Adam Sohn, a Microsoft spokesman. "Any responsible e-commerce site is built so that any confidential information is compartmentalized and locked down [on a separate server]."
     eEye's concern attracted the attention of Carnegie Mellon University's Computer Emergency Response Team (CERT), which issued an advisory Wednesday.
     Microsoft, however, was upset that eEye posted a program on Tuesday that exploits IIS' vulnerability.
     eEye said it took the action because Microsoft dragged its feet after being notified of the problem, adding that eEye had a responsibility to bring attention to the seriousness of the flaw.
     Microsoft, for its part, contends eEye acted irresponsibly.
     "We're disappointed," Sohn said. "As soon as they went public with the tool that exploits the issue, they put millions of IIS servers in jeopardy. We would rather have had this fixed before they disclosed this problem to the world."
     The issue of whether to notify the public of a security flaw before a fix is available is largely philosophical. While corporations believe the public should be informed only after a fix is available, hacker types favor a more open approach.
     "If you ask our customers, they prefer we take a couple of extra days before we post a patch rather than have the public know about the problem," Sohn said.
     "We encourage everyone who discovers a security flaw to work with the vendor to develop a patch," said Shawn Hernan, an official at CERT's security team. "Whether or not vulnerabilities should be disclosed before a fix is ready is a philosophical matter that lots of people have debated. We don't have an official opinion."