Code Red Puts Microsoft in the Hot Seat
Windows-targeting worms like Code Red may cause users to demand more reliable software.
Washington, D.C. -- It was a scene that would be familiar to officials at Bridgestone/Firestone. An executive from Microsoft watched as a government official told a gathering of reporters that there was a serious problem with a Microsoft product.
Ronald Dick, director of the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center, this week warned that the Code Red computer worm was spreading rapidly across the Internet for the third time in less than three weeks. It was taking advantage of a vulnerability discovered in the Web server software that runs on Microsoft's popular Windows 2000 and NT operating systems. The health of the Internet and e-commerce was at stake, the government warned.
Costly Not Deadly
But unlike the case with faulty tires from Firestone, Microsoft's problem wasn't life-threatening, and it didn't lead to a massive product recall. Instead, it cost businesses around the world more than $1 billion, according to some estimates, and hundreds of worker-hours to fix. That has led some users and experts to argue that it's time to demand more secure software from vendors.
"Do we have to wait until someone gets killed?" asked Jack Ring, owner of Innovation Management, an IT consulting firm, in a letter to Computerworld. "[It] must be nice to be a billionaire, but can it feel good when the billion is what others are losing by using your products?"
Because of the security issues associated with Microsoft software, "we are looking at other technologies," says a chief technology officer at a pharmaceutical supply company in the Northeast who requested anonymity. "There are other Web servers out there. Microsoft's customers have to demand better software."
Robert Odom, chief operating officer at AFAB International, a security equipment reseller, says that because of security concerns, his company has completely removed Microsoft Outlook from its systems and has removed "as much of [Internet Explorer] as we can."
Chasing Security Holes
Microsoft issued 100 security bulletins last year related to its software and 42 so far this year, according to information on its Web site. Even so, Steve Lipner, manager of Microsoft's Security Response Center and chief of the Secure Windows Initiative, says the company undertakes a massive effort to find security flaws in products "before they get out the door."
The centerpiece of the effort, Lipner says, is a program called Prefix. It scans the entire code base of the Windows operating system and all Office products for potential vulnerabilities. When one is found, Prefix identifies the "offending coding practice that caused the vulnerability," he says. It's an effort that represents a "significant investment" across the company and one that "absolutely has commitment from the top," Lipner says.
That begs the question of how yet another flaw in Microsoft's Internet Information Services software made it out the door.
"Security and software development are human endeavors where mistakes are going to happen," Lipner says.
Reliability Required
Yet there is concern because critical services such as the Federal Aviation Administration, medical services and the electric power grid are increasingly using commercial software. And the fear, based on the Microsoft experience, is that some of this software could be unreliable and full of security holes.
It's only a matter of time before consumers and businesses start to demand more reliable and secure software, says Dave McCurdy, executive director of the Internet Security Alliance. "When health and safety concerns are raised, then there are going to be higher expectations of accountability," he says.
"People have every right to expect reliable, secure software," says Jay Nickson, a security trainer at Ronin Software Group. He adds that developers should be responsible if errors in their software result in lost profits, lost hours or bodily harm. He even suggests that it might be time for a "software users' bill of rights."
But Alan Paller, director of the SANS Institute, a security research organization, says that's a long shot. A routine check of the terms of the agreement included with every shrink-wrapped package of software from Microsoft and other developers would show that users "have no rights at all," he says.

For more enterprise computing news, visit Computerworld. Story copyright © 2011 Computerworld Inc. All rights reserved.




















