Code Red puts Microsoft in hot seat

It was a scene that would be familiar to officials at Bridgestone/Firestone Inc. An executive from Microsoft watched as a government official told a gathering of reporters that there was a serious problem with a Microsoft product.

Ronald Dick, director of the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center, this week warned that the Code Red computer worm was spreading rapidly across the Internet for the third time in less than three weeks. It was taking advantage of a vulnerability discovered in the Web server software that runs on Microsoft's popular Windows 2000 and NT operating systems. The health of the Internet and e-commerce was at stake, the government warned.

But unlike the case with faulty tires from Firestone, Microsoft's problem wasn't life-threatening, and it didn't lead to a massive product recall. Instead, it cost businesses around the world more than US$1 billion, according to some estimates, and hundreds of man-hours to fix. That has led some users and experts to argue that it's time to demand more secure software from vendors.

"Do we have to wait until someone gets killed?" asked Jack Ring, owner of Innovation Management, an IT consulting firm in Scottsdale, Ariz., in a letter to Computerworld. "[It] must be nice to be a billionaire, but can it feel good when the billion is what others are losing by using your products?"

Because of the security issues associated with Microsoft software, "we are looking at other technologies," said a chief technology officer at a pharmaceutical supply company in the Northeast who requested anonymity. "There are other Web servers out there. Microsoft's customers have to demand better software."

Robert Odom, chief operating officer at AFAB International Inc., a security equipment reseller in Fort Lauderdale, Fla., said that because of security concerns, his company has completely removed Microsoft Outlook from its systems and has removed "as much of [Internet Explorer] as we can."

Microsoft issued 100 security bulletins last year related to its software and 42 so far this year, according to information on its Web site. Even so, Steve Lipner, manager of Microsoft's Security Response Center and chief of the Secure Windows Initiative, said the company undertakes a massive effort to find security flaws in products "before they get out the door."

The centerpiece of the effort, said Lipner, is a program called Prefix. It scans the entire code base of the Windows operating system and all Office products for potential vulnerabilities. When one is found, Prefix identifies the "offending coding practice that caused the vulnerability," he said. It's an effort that represents a "significant investment" across the company and one that "absolutely has commitment from the top," Lipner said.

That raises the question of how yet another flaw in Microsoft's Internet Information Services software made it out the door.

"Security and software development are human endeavors where mistakes are going to happen," Lipner said.

Yet there is concern because critical services such as the Federal Aviation Administration, medical services and the electric power grid are increasingly using commercial software. And the fear, based on the Microsoft experience, is that some of this software could be unreliable and full of security holes.

It's only a matter of time before consumers and businesses start to demand more reliable and secure software, said Dave McCurdy, executive director of the Internet Security Alliance in Arlington, Va. "When health and safety concerns are raised, then there are going to be higher expectations of accountability," he said.

"People have every right to expect reliable, secure software," said Jay Nickson, a security trainer at Ronin Software Group in West Chesterfield, N.H. He added that developers should be responsible if errors in their software result in lost profits, lost hours or bodily harm. He even suggested that it might be time for a "software users' bill of rights."

But Alan Paller, director of the SANS Institute, a security research organization in Bethesda, Md., said that's a long shot. A routine check of the terms of the agreement included with every shrink-wrapped package of software from Microsoft and other developers would show that users "have no rights at all," he said.
