Posted on 29-1-2003
Big Face Big Egg
By John Schwartz, NYT, Jan 27, 2003
The frantic message came from the corporation's information technology workers: "HELP NEEDED: If you have servers that are nonessential, please shut down."
The computer system was under attack by a rogue program called SQL Slammer, which affected servers running Microsoft software that had not been updated with a patch — issued months ago — to fix the vulnerability. The worm hindered the operations of hundreds of thousands of computers, slowed Internet traffic and even disrupted thousands of A.T.M. terminals. But this wasn't happening at just any company. It was occurring at Microsoft itself. Some internal servers were affected, and service to users of the Microsoft Network was significantly slowed.
The disruption was particularly embarrassing for Microsoft, which has been preaching the gospel of secure computing. On Jan. 23, the company's chairman, Bill Gates, sent a memo to customers describing progress in improving its products since he announced a "trustworthy computing" initiative a year ago. "While we've accomplished a lot in the past year, there is still more to do," he wrote. He cited the hundreds of millions spent to shore up Microsoft's products, and its plans to deliver more secure products in the future. He also listed "things customers can do to help." The first item was "stay up to date on patches."
The paradox was not lost on computer security experts. "Microsoft has been blaming the users, saying they have to keep their patches up to date," said Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., a company that manages security for customers. "On the other hand, their own actions demonstrate how unrealistic that position is."
A spokesman for Microsoft, Rick Miller, confirmed that a number of the company's machines had gone unpatched, and that Microsoft Network services, like many others on the Internet, experienced a significant slowdown. "We, like the rest of the industry, struggle to get 100 percent compliance with our patch management," he said. "We recognize — now more than ever — that this is something we need to work on. And, like the rest of the industry, we're working to fix it."