BUSINESSWEEK ONLINE : NOVEMBER 13, 2000 ISSUE
NEWS: ANALYSIS & COMMENTARY

Commentary: The New Feature Microsoft Needs Most: Safeguards


On Oct. 14, a hacker created a rogue computer account at Microsoft (MSFT). Within hours, a few more popped up. That was a Saturday. By the middle of the next week, someone had set up about 25 unauthorized accounts and was rummaging through Microsoft's internal computer network, trying to set up additional accounts with access to increasingly privileged corporate data. The company says the hacker did not steal or alter any products but might have peeked into highly proprietary source code for a future product.

Any corporate network can be hacked. But Microsoft's failure to defend its own fortress raises new doubts about security. For years, cybervandals have exploited holes in its software. This spring, the Love Bug paralyzed e-mail systems around the world, taking advantage of security gaps in the company's Outlook e-mail, contact management, and calendar software. This time, Microsoft has fallen prey to vulnerability of its own design. "Shame on Microsoft for letting this happen," says David J. Brumley, a Stanford University computer security officer who has helped the FBI track down hackers. "They are getting bit by their own bugs."

HARROWING. That's an intolerable situation for any company of Microsoft's stature. Its Windows operating system powers 9 of every 10 personal computers sold. Its Office word processing and spreadsheet software are nearly as widely used. As long as such products are vulnerable, the potential for havoc remains huge.

To be fair, Microsoft has no monopoly on hackable software. For two harrowing days last February, hackers toppled a series of giant Web sites--Yahoo! (YHOO), Buy.com (BUYC), eBay (EBAY), Amazon.com (AMZN), and CNN--like so many dominoes. In these attacks, hackers exploited chinks in the Unix operating system. Those holes allowed them to send countless requests for information to the targeted Web sites, gumming up the works and bringing the sites to their knees.

Microsoft's software is a favorite target. Part of the reason is the security gaps in its software, which have long earned the ire of software experts outside the company. Take Microsoft's Outlook program. It has a nifty feature that makes it a snap to create an e-mail with a single mouse click from inside the address book program. But the Love Bug hackers exploited the feature when they created a program that shoots contaminated e-mail off to everyone in a target's address book. Microsoft issued a software patch to address the problem only after the virus spread. "With Microsoft, security is always applied as a Band-Aid," says Avi Rubin, principal researcher at AT&T Labs and co-author of Web Security Sourcebook.

PASS THE BUCK. The biggest problem is Microsoft's insistence on loading its software with more and more features. That sounds great, but nearly every new feature creates new vulnerabilities for hackers to exploit. The QAZ virus--allegedly the tool hackers used to crack the Microsoft network in October--takes advantage of file-sharing capabilities within Windows. Businesses want workers to collaborate on documents. But the ability to do that opens the door for QAZ to quickly spread across a computer network.

Microsoft's response, even now, is to pass the buck. It says that customers are more interested in the latest feature than the tightest security. "There are trade-offs," says Steve Lipner, manager of Microsoft's security response center. "But we've got to run a successful business."

Having said all that, the fact remains that Microsoft products are improving. Its Windows 2000 operating system, launched in February, includes scores of network security measures. "They are definitely making progress," says Tom Noonan, chairman of Internet Security Systems Inc., an Atlanta security monitoring and management company.

But if there is any lesson from the October Microsoft break-in, it's that computer security isn't absolute. Everyone must try harder. Perhaps that's the biggest reason of all for Microsoft to make security Job No. 1 in software design.

By Jay Greene
Seattle correspondent Greene covers Microsoft.

Copyright 2000-2008, by The McGraw-Hill Companies Inc. All rights reserved.