To Fix Software Flaws, Microsoft Invites Attack

Posted by bink on September 29, 2003, 10:52 PM. Posted in Security.

Microsoft's Security Response Center in Redmond, Wash., is the computing equivalent of a hospital emergency ward. When a problem comes in the door the center's director, Kevin Kean, and his staff must swiftly make an assessment: Is the security weakness detected in a Microsoft software product only minor? Or is it possibly so serious that, if exploited by a vandal's malicious code (as happened last month with the Blaster worm) it might crash computers and networks around the world?

If the threat appears grave, the problem goes immediately into the center's emergency operating room, where it is attended to by a team of Microsoft engineers, working nearly round-the-clock to analyze the flawed code, anticipate paths of attack, devise a software patch to fix the defect and alert millions of customers of the problem and the patch.

"It's triage and emergency response — so it's a lot like an E.R. ward in that sense," Mr. Kean observed last week.

The race to protect the computing patient has begun again.

On Sept. 10, after Mr. Kean's team completed another E.R. mission, Microsoft issued an emergency warning of a critical vulnerability in its Windows operating systems and released a patch — its 39th so far this year. What particularly worries computer professionals about the warning is that the security hole in Windows is the same kind of flaw, in the same feature of the operating system, that was exploited in August by the notorious Blaster worm.

Those who monitor Internet crises know that once Microsoft raises the alarm and releases a patch, a curious race begins. Digital vandals — those who write worms, viruses and other rogue programs — eagerly download the patch and reverse-engineer it, taking it apart to search for clues on how to exploit the very Microsoft security hole the patch was meant to cover.

Some portion of Microsoft customers, from corporations to home PC users, takes the time to download the patch, but most do not. Meanwhile, there is a scramble to write malicious code and spread it across the Internet.

The Blaster worm was sighted on the Internet 25 days after Microsoft warned of that security hole. The company issued the latest warning 19 days ago. So if recent history is a guide, Blaster 2 may be coming soon to a computer near you.

The brand-name worms and viruses of the last couple of years — Blaster, SoBig, Slammer, Code Red, Nimda, ILoveYou and others — are simply the most virulent representatives of an alarming surge in attacks by malicious programmers.

The CERT Coordination Center at Carnegie Mellon University, which monitors rogue computer programs, reported 76,404 attack incidents in the first half of this year, approaching the total of 82,094 for all of last year. And the 2002 incident count was nearly four times the total in 2000. If anything, the CERT statistics may understate the problem, because the organization counts all related attacks as a single incident. A worm or virus like Blaster or SoBig, a self-replicating program that can infect millions of computers, is but one event.

The security flaws Mr. Kean's team is scrambling to catch and patch are part of the larger problem with software today. The programs that people rely on for all manner of tasks — from writing reports and sending e-mail, to monitoring factory floors and managing electric power grids — are becoming increasingly large, complex and, all but inevitably, filled with bugs. The problem is magnified by the fact that most computers are now linked to the Internet, enabling programs to travel around the globe and mingle with other programs in unforeseen ways.

Most software bugs are a result of small oversights by a programmer. And most large software programs are combinations of newer code and old code, accumulated over time, almost as if in sedimentary layers. A programmer working years ago could not have foreseen the additional complexity and the interaction of software programs in the Internet era. Yet much of that old code lives on, sometimes causing unintended trouble.

Continue at NY Times