A newsletter devoted to bug reports sparked a hacker scare today by reporting that Microsoft's Web servers are vulnerable to attacks, but company officials downplayed the threat because the security problem is a rare one that results from improper server configuration.
BugNet reported that two Microsoft Web servers--the FrontPage Personal Web Server and Internet Information Server--contain holes that could make them insecure, including a breach that would make it possible for hackers to reformat server hard drives.
The report by BugNet warns users against configuring the Microsoft servers in a way that could open those holes. That, however, could happen only if Web administrators do something they're not supposed to do: putting a Perl interpreter and scripts--software that is often used to connect Web servers to databases--in a Web server's "cgi-bin" directory.
If an administrator makes this mistake and this gets discovered by a hacker, that person could run a program available on the Net called Latro and open the door for malicious Net surfers to execute potentially damaging commands on the server.
Microsoft officials pointed out that this problem is true of all Windows Web servers, not just theirs. They also asserted that the vast majority of Webmasters know that this server set-up is a no-no. "This is not a bug," declared Mike Angiulo, program manager at Microsoft.
Still, the Computer Emergency Response Team issued a more general alert May 29 that did not mention any specific companies but warned against setting up Web servers with Perl programs in the wrong directories.