11 April 2002 Software giant Microsoft has found itself at the centre of another embarrassing security row. The company has been forced to issue a critical patch to fix ten newly discovered security flaws in its web server software which could allow a hacker to take control of a server.
The vulnerabilities affect the last three versions of Microsoft’s Internet Information Server (IIS), versions 4.0, 5.0 and 5.1. Similar vulnerabilities were exploited by the fast-spreading Code Red and Nimda worms last year. Once exploited, the attacker would be able to do anything the internal systems administrator could do, including changing Web pages, installing and run software or even wiping the server’s hard drive.
The shortcomings identified include a number of buffer overflow vulnerabilities and Cross-Site Scripting (CSS) vulnerabilities. However, a number of companies have reported that the patches can introduce new problems with IIS, specifically with the SiteServer authentication module.
Critics have long accused Microsoft of neglecting security in favour of rushing out new releases. Recognising this, Microsoft chairman Bill Gates launched a January 2002 campaign dubbed ‘Trustworthy Computing’. Designed to stamp out any further security flaws, the initiative involves a close review of Microsoft’s operating system source code.