CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Microsoft server bug wrongly publicized?

Microsoft offers a temporary fix for a problem with its Web server software that lets attackers "inject" a program that can run on a Windows NT-based system.

Microsoft offered a temporary fix for a problem with its Web server software that lets attackers "inject" a program that can run on a Windows NT-based system.

In the meantime, the manner in which the bug was reported and publicized is generating controversy.

The bug attacks Internet Information Server, Microsoft's software for serving up Web pages. Putting the right type of malicious code into a page request can cause IIS to crash, or worse, let an attacker run whatever programming code he wants.

Firas Bushnaq, CEO of Eeye, today accused Microsoft of dragging its feet to solving the problem. His company alerted Microsoft on June 8, he said, but Microsoft told him to keep quiet about it. Bushnaq said he went public yesterday because he felt Microsoft wasn't doing anything to resolve the issue.

But Bushnaq didn't stop at just publicizing the bug, and that's where the controversy comes in: EEye posted a program that will exploit the weakness, a move Microsoft says runs contrary to established procedures for reporting and patching bugs.

Not surprisingly, Microsoft disputes Bushnaq's version of the story.

"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow, which means you can embed application code that will execute on the server," Bushnaq explained of the bug.

"Anything that is residing on the Web server and everything connected to that--back-end databases, e-commerce information, credit card information--could be accessible," he continued. "It is extremely important for people to fix it."

"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so that we could respond to it quickly," countered Scott Culp, a security product manager for Microsoft. No confirmed problems occurring as a result of the bug have been reported, he said.

"For reasons we don't understand, at the beginning of this week they [Eeye] suddenly went public with the bug. It's contrary to all of the normal rules of responsible security professionals," he said. "You don't provide tools that malicious users can use to hurt innocent people."

Microsoft rushed to post a workaround to the problem, but a true fix to patch the bug is not yet available. The workaround will protect users from malicious or arbitrary code, Culp said.

"We're completing the patch right now, but we need to make sure that we've fully tested it. In the meantime, nobody needs to be vulnerable because of the workaround," he said.