Code Red and bad code

The Code Red episode highlights Microsoft's continued failings on Internet security.

Regular readers of this column may have noticed that the lead news story is often an advisory from the Computer Emergency Response Team (CERT). However lacking in variety this may be, it reflects the central importance of security in a connected world.

According to some troubling new statistics from CERT, there have been almost as many alerts and advisories in the first six months of this year as there were in the whole of 2000.

CERT also broke new ground with the special Code Red Alert that it sent out at the end of July, headed dramatically "a very real and present threat to the Internet".

The saga began back in June, when CERT issued an advisory about a serious vulnerability in the Indexing Service ISAPI extension (idq.dll) that Microsoft installs alongside Internet Information Server 5.0 (IIS) on Windows 2000; Microsoft's own bulletin on it is MS01-033. As the excellent technical details explain, the flaw is an unchecked buffer: a single crafted HTTP request potentially allows a remote intruder to run arbitrary code on a vulnerable machine, in the security context of the Web server itself, and the extension is loaded by IIS whether or not the Indexing Service is actually in use.

A month later, CERT was warning of a worm -- self-propagating code -- that exploited this vulnerability to deadly effect. It was dubbed Code Red by its discoverers, eEye Digital Security, who provided another thorough technical discussion. The worm ran entirely in memory: an infected server showed nothing new on disk, so rebooting cleared it, but an unpatched server was simply reinfected as soon as another copy of the worm found it.

Microsoft had meanwhile come up with a patch, a month before the worm appeared. But, as the Code Red Alert from CERT demonstrated, the worm was far from quelled: it was built to stop spreading on the 20th of each month and start again on the 1st, and the fear was a fresh wave on 1 August. Microsoft itself joined in the warning, and issued a press release to accompany it.

Although Microsoft expresses the same concern that the Code Red worm may infect even more than the estimated 250,000 machines hit in the first wave, there is one striking omission in the document. There is not the slightest hint of an apology from the company for causing all this trouble through its own errors.

Perhaps Microsoft thinks that, having produced a patch for its faulty software, its responsibility ends there. And maybe in an ideal world where IT managers have plenty of time on their hands, it would. But the real world is not like that, not least because Microsoft's IIS Web server has been one of the most flawed pieces of software the company has released.

As Microsoft's own listing shows, there have been over 20 security bulletins dealing with IIS 5.0. No wonder, then, that IT managers, probably struggling with staff and budget cuts, are not always fully on top of the latest security patch. At the very least, users might have expected Microsoft to have written some quick utility that would automatically check whether systems were vulnerable; its bulletin does describe a workaround, removing the .ida and .idq script mappings from IIS, but each administrator has to find that and do it by hand. In fact it has fallen to eEye, the same company that discovered the Code Red vulnerability, to write a scanner and make it available.
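The kind of check the column is asking for can also be done after the fact, from the Web server's own logs. The script below is an added example written for this page; it is not a utility from Microsoft, eEye or CERT. It parses IIS 5.0's W3C extended log format, flags requests shaped like the worm's probe (a GET for a `.ida` or `.idq` resource whose query string is a long run of one filler character followed by `%u`-encoded bytes), and notes whether IIS answered with a 200, which means the Indexing Service ISAPI extension was still mapped to that extension. The log lines, the filler length threshold and the `%u` bytes in the sample query are constructed stand-ins, not captured worm traffic.

```python
"""Flag Code Red-style probes in IIS 5.0 W3C extended log lines.

Added example for this column; not a tool from Microsoft, eEye or CERT.
It looks for the request shape the worm used (a GET for a .ida resource
carrying a long run of one filler character followed by %u-encoded bytes)
and records whether the request was answered with a 200, which means the
Indexing Service ISAPI extension (idq.dll) was still mapped on the server.
"""
import re
from dataclasses import dataclass

# A worm-style query: 100+ copies of one filler character (Code Red used
# N, Code Red II used X) followed by at least one %uXXXX escape.  The
# length threshold is an assumption chosen to avoid ordinary queries.
WORM_QUERY = re.compile(r"^([A-Za-z])\1{99,}.*%u[0-9a-fA-F]{4}")
# Both extensions were handled by idq.dll.
IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)


@dataclass
class Hit:
    when: str
    client: str
    stem: str
    status: int
    filler: str
    # True when IIS handed the request to idq.dll (status 200).  A 404
    # means the script mapping had been removed, Microsoft's workaround.
    isapi_answered: bool


def parse_w3c(text):
    """Yield one dict per data line, keyed by the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):    # truncated line: skip, don't guess
            continue
        yield dict(zip(fields, values))


def find_code_red_hits(text):
    """Return a Hit for every worm-shaped request in the log text."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if rec.get("cs-method") != "GET" or not IDA_STEM.search(stem):
            continue
        m = WORM_QUERY.match(rec.get("cs-uri-query", "-"))
        if not m:
            continue
        status = int(rec.get("sc-status", "0"))
        hits.append(Hit(when=f"{rec['date']} {rec['time']}",
                        client=rec["c-ip"], stem=stem, status=status,
                        filler=m.group(1), isapi_answered=(status == 200)))
    return hits


def _worm_query(filler):
    # Constructed stand-in for the worm's query string: a filler run plus a
    # few %u escapes.  These are not the real payload bytes.
    return filler * 224 + "%u9090%u9090%u9090=a"


# Constructed sample log in IIS 5.0's W3C extended format (not a capture).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2001-07-19 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:12:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:12:05 192.0.2.44 GET /default.ida " + _worm_query("N") + " 200",
    "2001-07-19 10:12:09 192.0.2.10 GET /default.ida - 404",
    "2001-07-19 10:13:40 198.51.100.7 GET /default.ida " + _worm_query("X") + " 404",
    "2001-07-19 10:15:09 203.0.113.9 GET /scripts/search.idq CiRestriction=code+red 200",
])

if __name__ == "__main__":
    for h in find_code_red_hits(SAMPLE_LOG):
        state = ("idq.dll answered: check patch level" if h.isapi_answered
                 else "mapping removed: request rejected")
        print(f"{h.when} {h.client} {h.stem} filler={h.filler} "
              f"status={h.status} ({state})")
```

A 200 on a worm-shaped request only shows that idq.dll was mapped and handled the request; it does not by itself say whether the patched or unpatched version of the DLL was installed, so any server that answers 200 still needs its patch level checked. A legitimate Indexing Service query (the `.idq` line above) is left alone because its query string has no long filler run.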

Nor can Microsoft fall back on excuses about the difficulty of producing bug-free software. Apache, the leading Web server, has had practically no security problems of this kind for years. Given Microsoft's current attack on the evils of open source software, open source's greatly superior security record and coding quality is deeply ironic.

The whole Code Red episode also gives the lie to Microsoft's fine words about being "committed to being the leader in security". The only sense in which it is a leader is in writing poor Internet software, and in its cavalier attitude to users.
