Microsoft server bug wrongly publicized?

Stephen Shankland
Microsoft offered a temporary fix for a problem with its Web server software that lets attackers "inject" a program that can run on a Windows NT-based system.

In the meantime, the manner in which the bug was reported and publicized is generating controversy.

The bug affects Internet Information Server, Microsoft's software for serving Web pages. A page request containing the right kind of malicious data can cause IIS to crash or, worse, let an attacker run whatever code he wants on the server.

Firas Bushnaq, CEO of eEye, today accused Microsoft of dragging its feet in fixing the problem. His company alerted Microsoft on June 8, he said, but Microsoft told him to keep quiet about it. Bushnaq said he went public yesterday because he felt Microsoft wasn't doing anything to resolve the issue.

But Bushnaq didn't stop at publicizing the bug, and that's where the controversy comes in: eEye also posted a program that exploits the weakness, a move Microsoft says runs contrary to established procedures for reporting and patching bugs.

Not surprisingly, Microsoft disputes Bushnaq's version of the story.

"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow, which means you can embed application code that will execute on the server," Bushnaq explained of the bug.

"Anything that is residing on the Web server and everything connected to that--back-end databases, e-commerce information, credit card information--could be accessible," he continued. "It is extremely important for people to fix it."
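The mechanism Bushnaq describes, a request longer than the buffer a server reserves for it overwriting whatever sits next to that buffer, is easy to see in a small model. The following is an added illustration, not code from the article, from eEye's exploit or from IIS; the page does not describe the real flaw's internals, so the stack-frame layout, the 64-byte buffer size and the fake caller address are assumptions chosen for the demonstration. The vulnerable handler copies the request with no bound, the hardened one rejects anything that does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a request handler's stack frame: a fixed-size buffer for the
 * request path, immediately followed by the saved return address the
 * function jumps to when it returns.  A compiler lays out real frames;
 * this struct just makes the adjacency explicit and keeps the demo inside
 * defined behaviour (the overflow writes into the struct's own bytes,
 * never past it).  Sizes and the fake address are assumptions. */
#define PATH_BUF 64
#define CALLER_ADDR 0x08041234u   /* pretend address of the caller */

struct frame {
    char path[PATH_BUF];
    uint32_t saved_ret;           /* control data an overflow clobbers */
};

/* Reinterpret four request bytes the same way the frame does, so callers
 * can predict what a long request will leave in saved_ret. */
uint32_t native_u32(const char *b)
{
    uint32_t v;
    memcpy(&v, b, sizeof v);
    return v;
}

/* Vulnerable handler: copies the request with no check against PATH_BUF,
 * the pattern behind "a very long request ... could cause a buffer
 * overflow".  Returns saved_ret after the copy so the caller can see
 * whether the request overwrote it.  The copy stops at the frame's end
 * only to stay within defined behaviour; a real strcpy() keeps going. */
uint32_t handle_request_unsafe(const char *req, size_t len)
{
    struct frame fr;
    memset(&fr, 0, sizeof fr);
    fr.saved_ret = CALLER_ADDR;
    size_t n = len < sizeof fr ? len : sizeof fr;
    memcpy((unsigned char *)&fr, req, n);   /* bound is the frame, not path[] */
    return fr.saved_ret;
}

/* Hardened handler: reject anything that does not fit, leaving room for
 * the terminating NUL, then copy with an explicit bound.  Returns 0 and
 * the untouched saved_ret on success, -1 when the request is rejected. */
int handle_request_safe(const char *req, size_t len, uint32_t *ret_out)
{
    struct frame fr;
    memset(&fr, 0, sizeof fr);
    fr.saved_ret = CALLER_ADDR;
    if (len >= PATH_BUF)
        return -1;
    memcpy(fr.path, req, len);
    fr.path[len] = '\0';
    *ret_out = fr.saved_ret;
    return 0;
}

/* Constructed attack input: 64 filler bytes to fill path[], then four
 * bytes that land exactly on saved_ret.  Returns the total length. */
size_t build_long_request(char *out, size_t cap)
{
    if (cap < PATH_BUF + 4)
        return 0;
    memset(out, 'A', PATH_BUF);
    memcpy(out + PATH_BUF, "\xef\xbe\xad\xde", 4);
    return PATH_BUF + 4;
}

/* What saved_ret holds after the unsafe handler sees the long request. */
uint32_t clobbered_ret(void)
{
    char req[PATH_BUF + 4];
    size_t len = build_long_request(req, sizeof req);
    return handle_request_unsafe(req, len);
}

/* Whether the hardened handler refuses the same request. */
int safe_rejects_long(void)
{
    char req[PATH_BUF + 4];
    uint32_t r = 0;
    size_t len = build_long_request(req, sizeof req);
    return handle_request_safe(req, len, &r) == -1;
}

int main(void)
{
    const char *ok = "GET /index.html";
    uint32_t r = 0;
    printf("unsafe, short request : saved_ret = 0x%08x\n",
           (unsigned)handle_request_unsafe(ok, strlen(ok)));
    printf("unsafe, long request  : saved_ret = 0x%08x\n",
           (unsigned)clobbered_ret());
    printf("safe, long request    : %s\n",
           safe_rejects_long() ? "rejected" : "accepted");
    printf("safe, short request   : rc=%d saved_ret = 0x%08x\n",
           handle_request_safe(ok, strlen(ok), &r), (unsigned)r);
    return 0;
}
```

With the short request both handlers leave the saved return address alone; with the long one the unsafe handler returns whatever four bytes the attacker placed after the filler, which is the point at which "embedded application code" gets control in a real exploit, while the hardened handler refuses the request before copying anything.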

"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so that we could respond to it quickly," countered Scott Culp, a security product manager for Microsoft. No confirmed incidents resulting from the bug have been reported, he said.

"For reasons we don't understand, at the beginning of this week they [eEye] suddenly went public with the bug. It's contrary to all of the normal rules of responsible security professionals," he said. "You don't provide tools that malicious users can use to hurt innocent people."

Microsoft rushed to post a workaround, but a patch that actually fixes the bug is not yet available. The workaround protects users from the injected malicious code, Culp said.

"We're completing the patch right now, but we need to make sure that we've fully tested it. In the meantime, nobody needs to be vulnerable because of the workaround," he said.