Don't do as I do, Do as I say! 8-)

Peter Kilby peter.kilby@btconnect.com
Thu, 16 Aug 2001 09:56:09 +0100


New Scientist (no link sorry)

Code Red claims its most embarrassing victim

15:49 09 August 01
Will Knight

Microsoft has been guilty of ignoring its own advice by allowing two computers running the company's email service Hotmail to be infected with the Code Red computer worm.

The company has admitted that engineers did not follow its public warning to block a hole in its Internet Information Server (IIS) software using a patch it made available for free download on 18 June.

On 30 July, the company united with US government officials and other members of the computer industry to urge internet system administrators to secure computer systems against Code Red.

Thousands of machines were fixed after this unprecedented joint warning but Microsoft evidently forgot to shore up its own defences.

"Code Red affected one [Hotmail] test machine and one production one," a Microsoft spokeswoman told New Scientist. "They were promptly removed."


Worm hole


The worm exploits a bug in IIS software to wriggle its way into web servers. The original worm defaced web pages and sent a torrent of traffic to the White House web site. A later incarnation, Code Red II, gave greater control over a victimised server.

Two Hotmail machines were infected with the more dangerous version of Code Red but Microsoft says that no email accounts were deleted and no information was stolen. It says that the speed of the service, which has 110 million users, was not impaired.

Peter Sommer, a computer security researcher at University College London, says that this sort of security blunder is surprisingly common within the computer industry.

"Companies giving out advice aren't very good at following it themselves," he told New Scientist. "If we look at most security breaches, it's just that companies are in such a hurry to provide their core service that security misses out."

Microsoft's ownership of Hotmail has been fraught with embarrassments. After buying the free email service at the end of 1997, it was not until August 2000 that Microsoft finally migrated the system over to its own software, from alternative, and more popular, free software.

