CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

Microsoft patches bug

The company apparently fixes a bug in its server software that had been exploited by hackers to cut off access to its Web site.

Microsoft (MSFT) has apparently fixed a bug in its server software that had been exploited by hackers to cut off access to the company's Web site.

The software giant posted a patch for the hole that Netizens could download. Microsoft also provided a detailed explanation of the hacking, labeled a "denial of service" attack, which had jammed its site since Thursday.

"Two issues combined Friday to cause problems for customers attempting to access our site. One was the scheduled upgrading of our system; another was a hacker's attack," Microsoft said on its home page, which was accessible this morning. "Read about the upgrade and how we've created a fix for a bug used by the hacker."

The incident, reported yesterday by CNET's NEWS.COM, quickly became a high-profile embarrassment for the world's largest software maker. Microsoft's site is one of the most popular on the Web, drawing millions of hits a day.

Hackers apparently took advantage of a bug in Windows NT 4.0 running Microsoft's Internet Information Server 3.0, in which the entire site was jammed by people typing a specific URL into their Web browsers repeatedly, according to Mike Nash, director of marketing for Windows NT server.

Hackers sent Microsoft an email at about 4 p.m. Thursday, Nash said. Engineers immediately developed a patch and posted it late Friday night.

"Hackers made us aware of a problem that they had identified," Nash said. "It is possible to develop a URL--a string of characters in a browser--that could cause interruption of service on a Web server." (The site remained available through an alternative IP address.)

Someone identified as Todd Fast says on his site that he inadvertently discovered the bug "while examining the parameters of an URL Microsoft's Internet Information Server (IIS) would accept without an error."

"This is a hugely embarrassing bug for Microsoft, in my opinion, particularly since they've just been lauded for pulling ahead of Netscape in the Web server market," Fast wrote. "Knowing that anyone with a grudge and a twitchy keyboard could shut down any of their customer's Web sites must bear horribly on their collective conscience."

Company representatives originally said that the problem was caused by busy servers and that users should expect delays through the end of the month.

The problem was exacerbated by what Microsoft spokesman Adam Sohn called "phenomenal growth."

In other words, not everyone who tries to access the site will get onto it every time. The problem is compounded by Internet routing jams and individual jams at Internet service providers, Nash said.

The relative few who were able to get to the home page yesterday were greeted with the following message: "We're upgrading; our apologies in advance due to growth...Over the next few weeks, some users may see some interruption in service. Read what's happening!"

The "Read what's happening" had a link, presumably to a story, but people had trouble getting to that link.

The outage and problems have angered some Web surfers who have been trying to get onto the pages. Some, who presumably did not yet know the cause of the outage, used the problems to criticize the company's Web server software. "Maybe they should have bought Linux," one reader sarcastically wrote to NEWS.COM.

"They have so many bugs in their software, so why use it?" asked Ben Efros, a Webmaster who also wrote in. "Microsoft is just a large company going nowhere on the Internet."

But others came to the defense of Microsoft, saying that despite the bug, its server software was superior to others.