Microsoft Failed To Patch Own Software Against Worm

Although Microsoft contends its failure to keep up with its own updates did not cause major problems, security experts said Monday it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.

The virus-like attack, called "slammer" or "sapphire," exploited a known flaw in Microsoft's "SQL Server 2000" database software, used by businesses, government agencies, universities and others around the world. Microsoft had issued a patch for the flaw in July, but many -- including some units within Microsoft -- had failed to install it.

The result was that the attacking software scanned for victim computers so randomly and so aggressively that it saturated many of the Internet's largest data pipelines, slowing e-mail and Web surfing around the world.

Microsoft spokesman Rick Miller declined to say which areas or how many computers at Microsoft were affected. He acknowledged that some servers were left unfixed because administrators "didn't get around to it when they should have."


The computer servers that hosted the software patch for download by users were not among those vulnerable to the worm, Miller said.

The disclosure comes less than a week after Microsoft Chairman Bill Gates marked progress on the company's "Trustworthy Computing" initiative. That effort, announced a year ago, made security a top priority at the Redmond, Wash.-based company. Microsoft put thousands of its developers through security training to emphasize writing secure code, and hired a chief security officer.

Miller said employees' failure to install patches on their computers does not reflect a lack of commitment to Gates' vision for secure computing.

"This is why we developed Trustworthy Computing," Miller said. "Not because we said when we came out with a memo that our work was done and it was over, but that we were beginning the process, and we were going to learn and we were going to make it better ... We're committed to getting there."

This isn't the first time Microsoft has had its own computers attacked after it failed to install software fixes. In 2000, Microsoft was one of the victims of the "I Love You" virus, which exploited a known flaw in its Outlook e-mail program.

But it's no surprise that many -- including Microsoft -- were vulnerable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc.

Network administrators are dealing with several software patches each week from Microsoft and other vendors, he said.

"You can't possibly keep up with this," Schneier said. "There is a lot of frustration."

He added that Microsoft needs to own up to problems with how it offers security fixes.

"On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim."

Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.

SQL Server patches in particular can be difficult, time-consuming and error-prone to the point where they may cause the program to fail, Schneier said.

Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100 percent security is an elusive goal.

"There's never going to be a day when ... software that is developed by humans is flawless," he said.

AP Technology Writer Ted Bridis contributed to this story from Washington.

Copyright © 2000 The Associated Press