PC Security: Holey Software!
New security bugs appear weekly, letting hackers attack your data. Here's why apps are so full of holes and how you can protect yourself.
Imagine you own a small company that has a few high-profile clients. One day you discover that confidential data you store about these clients--credit card numbers, personal contact information, and promotional plans--is being broadcast over the Web for all to see. You have no clue how it's happening or how to stop it.
That was the real nightmare for one company that sought the help of James Sinclair, chief technology officer of Global Network Security Services in Los Angeles. In July 2000, after three weeks of searching for the data leak, the company (which understandably wants to remain anonymous) called Sinclair's firm to investigate.
A few hours later, GNSS discovered the problem: a security hole in FileMaker Pro Web Companion desktop database software that allowed an intruder to access the data from outside. "We don't know how our client was targeted," says Sinclair. "There are so few people who use FileMaker--comparatively speaking--that it was really the luck of the draw that they got hit."
FileMaker had posted an announcement and a fix for the hole two months earlier, but Sinclair's client never heard about it. The company had no tech staff, and they would have discovered the flaw only by visiting FileMaker's Web site--the software vendor never notified customers about the problem by e-mail.
Buggy software has long been the bane of computer users. But bugs can cause double the trouble when they involve a security hole. It's frustrating enough when your system locks upon opening an application, but when a security flaw leaves your PC open to attack, you want to know who to blame.
There are no easy answers. Tracking down your attacker is usually a fruitless task, and vendors are loath to accept responsibility for a program's failings. Even more frustrating: Security holes may simply be a fact of life, given the complexity of today's software.
Fortunately, there are plenty of things you can do to protect your PC (see "Batten Your PC's Hatches" and "Essential Patches"). Even so, you might feel that software vendors should do more to prevent problems in the first place. Some observers say litigation may be the only way to force vendors to take more responsibility.
Hole Lotta Trouble
From operating systems to browsers to antivirus packages, nearly every major software product has had a security flaw or two. BugTraq, a mailing list at SecurityFocus that tracks holes and patches, has counted 35 vulnerabilities in Windows 98 alone. Internet Explorer has had a whopping 69.
While some holes clearly spell bad news, other bugs can be exploited only in rare cases or they affect few users. The FileMaker glitch, for example, "[could have] affected only a small percentage of customers," according to FileMaker spokesperson Steve Ruddock. "As far as I know, the security hole was only theoretical. We never heard of anyone who suffered problems from it." Of course, that's no comfort to James Sinclair's client.
Security holes in popular desktop programs like Outlook or Norton AntiVirus are more likely to touch you directly, but holes in server-based software can affect you, too. A flaw in an e-commerce site's online shopping cart program, for instance, could give thieves access to the credit card number you submit to the site.
Even more unnerving is the fact that the U.S. Navy controls its submarines with Windows NT, a program that has been plagued with bugs, including security holes, since its release. In 1997 a missile cruiser was rendered dead in the water because of a data-calculation bug in NT. BugTraq lists 164 holes in Windows NT 4.0, predecessor to Windows 2000 and Windows XP Professional. "The program was marketed as being secure," says Richard Power, editorial director of the Computer Security Institute in San Francisco. "But it had so many holes that hackers [said] the NT stood for 'nice try.'"
Kim Zetter is a senior associate editor and Stuart J. Johnston is a contributing editor for PC World.




















