At least one major corporate Web site still hasn't fixed a serious Microsoft Web server security hole that first came to light last week -- even though several solutions have been available since Thursday. Several others only got around to fixing their sites yesterday.
Some major companies, such as Nasdaq and United Airlines, were quick to fix the security problem in a Microsoft Web server. Others weren't.
As of late Monday, the sites for Compaq Computer and Network Associates, owner of PGP, Inc. and numerous other security and privacy firms, were among those still sharing their sensitive information with the world. One major online service remains vulnerable this morning.
Fixing an affected Web site is hardly rocket science, one expert said.
"It doesn't take too long to apply [Microsoft's patch]. It's a couple of minutes and one reboot," said Andy Baron, director of technology at the Aelita Software Group, a group of Windows NT security specialists. "There are even a couple of workarounds without security hotfixes from Microsoft."
Despite the delays in fixing the hole, Microsoft says it has received no reports of the bug being exploited maliciously.
News of the bug, affecting Microsoft's Internet Information Server, surfaced last week by way of Russ Cooper, moderator of the NTBugTraq mailing list. The hole let anyone with a Web browser retrieve the normally hidden server-side code that generates Web pages and queries databases. As a result, database passwords and login credentials embedded in that code were potentially exposed.
After news of the bug spread on developer mailing lists, at least two separate Web developers posted workarounds to security mailing lists, and by Thursday evening, Microsoft had posted a hotfix on its Web site.
However, possibly as a result of the long holiday weekend, not all sites applied the fix.
"At least the guys who are aware of the security are taking care of it," said Baron.
A spokeswoman for Network Associates refused to comment on the company's vulnerability to the bug. However, the representative, Jennifer Keavney, did confirm that the affected Web server was outside the corporate firewall and did not contain customer data.
All Web sites using the ASP scripting scheme have been vulnerable since 2 December 1997, when IIS 4.0 shipped. However, Microsoft has received no reports of malicious use of the bug.
Several workarounds are available. One is a filter published by Softwing Hahn KEG, Austrian IIS development specialists. And Thomas Unger, a technician at investor site The Motley Fool, also posted a fix on a Microsoft developer Web site last week.
Microsoft has a thorough, standard response process when a hole is uncovered and confirmed -- a fix is developed, and then the company tries to notify all of its customers.
"Within 48 hours, we had a fix for IIS 3.0, and shortly after that for IIS 4.0," said Karan Khanna, a product manager on the Windows NT security team. "After we did that, we sent email to NTBugTraq and to our own security list, and put it on our advisory Web site."
Khanna said the company also sent the remedy information to the Computer Emergency Response Team, and emailed its customers.
"We also have a premier alert service, so all our premier customers get all this information as soon as possible," Khanna said. "We really try and get as broad a coverage so that all of our customers are alerted."
However, at least one European customer says he is still awaiting a fix. Stefan Funk, technical manager at Translingua GmbH in Germany, said that he still can't apply the patches provided by Microsoft.
"Fortunately, Microsoft delivers German versions for most hotfixes," he said. "For the '$DATA' bug there is currently not yet a German hotfix available."
The exploit works when the characters "::$DATA" are appended to a URL that instructs the server to execute a server-side program, such as those used with Microsoft's Active Server Pages (ASP). On NTFS, "::$DATA" names a file's default data stream, so the file system opens the very same file; but the server no longer recognizes the ".asp" extension and, instead of executing the program, sends its source code to the user as an ordinary file.
The exploit is not restricted to ASP programs -- depending on how an administrator has set up the access controls, other kinds of files are also at risk, including Cold Fusion scripts and Perl programs.
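To make the mechanism concrete, here is an added example (not code from the article, from Microsoft or from IIS) that models the handler-mapping mistake in a few dozen lines of Python. The script map, webroot contents, log lines and function names are all constructed for illustration. It shows a dispatcher that picks the handler from the extension of the name as typed, so that "/default.asp::$DATA" falls through to static-file serving; a hardened dispatcher that URL-decodes and rejects stream suffixes before choosing a handler (one defensible fix, not necessarily how Microsoft's hotfix works, which the article does not describe); and a small scan over constructed IIS-style log lines that flags stream requests, including encoded and lower-case variants a literal grep for "::$DATA" would miss.

```python
"""Toy model of the IIS '::$DATA' source-disclosure bug.

Added example, not code from the article, Microsoft or IIS.  The script map,
webroot contents, log lines and names are all constructed for illustration.
"""
import os
from urllib.parse import unquote

# Constructed script map: extensions run by an engine rather than served as
# static files (the idea of IIS script mappings, not its real configuration).
SCRIPT_MAP = {".asp": "asp.dll", ".pl": "perl.exe", ".cfm": "cfml"}

# Constructed webroot: URL path -> file contents.  The ASP page embeds a
# database password, the kind of secret the article says was exposed.
WEBROOT = {
    "/default.asp": '<% conn.Open "Provider=SQLOLEDB;User ID=sa;Password=s3cret" %>',
    "/logo.gif": "GIF89a...",
}


def _ntfs_resolve(name):
    """NTFS treats 'file::$DATA' as file's unnamed data stream, i.e. the file
    itself.  Model that by dropping everything from the first ':' onward."""
    return name.split(":", 1)[0]


def vulnerable_dispatch(url_path):
    """Pre-hotfix behaviour: pick the handler from the extension of the name
    as typed.  For '/default.asp::$DATA' the extension is '.asp::$DATA',
    which matches no script map entry, so the file is served as static
    content and the raw ASP source goes to the client."""
    real = _ntfs_resolve(url_path)
    if real not in WEBROOT:
        return (404, "")
    ext = os.path.splitext(url_path)[1].lower()
    if ext in SCRIPT_MAP:
        return (200, f"[executed by {SCRIPT_MAP[ext]}]")
    return (200, WEBROOT[real])


def hardened_dispatch(url_path):
    """Decode first, then refuse any name carrying a stream suffix, so the
    extension used for handler selection is the file's real one.  This is
    one defensible fix (assumption), not a description of Microsoft's hotfix."""
    decoded = unquote(url_path)
    if ":" in decoded:
        return (400, "")
    if decoded not in WEBROOT:
        return (404, "")
    ext = os.path.splitext(decoded)[1].lower()
    if ext in SCRIPT_MAP:
        return (200, f"[executed by {SCRIPT_MAP[ext]}]")
    return (200, WEBROOT[decoded])


# Constructed W3C-style log lines: date time client method uri query status.
SAMPLE_LOG = """\
1998-07-06 10:15:22 192.0.2.10 GET /default.asp - 200
1998-07-06 10:15:41 192.0.2.10 GET /default.asp::$DATA - 200
1998-07-06 10:16:03 198.51.100.7 GET /default.asp%3A%3A%24data - 200
1998-07-06 10:16:20 203.0.113.5 GET /logo.gif - 200
""".splitlines()


def find_stream_requests(lines):
    """Flag requests whose decoded URI names an NTFS stream ('::' followed by
    a stream name).  Decoding and case folding catch encoded or lower-case
    variants that a literal grep for '::$DATA' would miss."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri = fields[2], unquote(fields[4])
        if "::$" in uri.lower():
            hits.append((client, uri))
    return hits


if __name__ == "__main__":
    print(vulnerable_dispatch("/default.asp::$DATA"))
    print(hardened_dispatch("/default.asp::$DATA"))
    print(find_stream_requests(SAMPLE_LOG))
```

The point of the hardened version is ordering: canonicalize (URL-decode, strip or reject stream syntax) before any decision is made on the name, because the file system and the handler table were looking at two different spellings of the same file. Real log review should decode the URI field the same way before pattern matching.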
A bug this serious is nothing to sweep under the carpet, Baron said.
"Sometimes when an ASP is connected to a corporate SQL server, then you are able to see passwords for the SQL server.
"If your server has sensitive data, then sometimes you can grab them. Not a good thing."