Microsoft posts another bug fix

By Janet Kornblum
July 1, 1997, 6:10 p.m. PT

update

Microsoft (MSFT) today posted a patch for the second security hole that hackers exploited in its servers in less than two weeks.

This new bug, while different from the one discovered and reported in Internet Information Server about ten days ago, causes a similar kind of "denial of service" attack by locking up a Windows NT Web server so that nobody else can get onto it.

Yesterday, users throughout the Net reported to CNET's NEWS.COM that they had problems getting into the Microsoft Web site. The company has been in the process of upgrading its servers and has warned users to expect difficulty in hitting the site. But yesterday's problems were caused by a denial of service attack, according to Mike Nash, a Microsoft spokesman.

In this attack, similar to the so-called Ping of Death attack, the hacker sends phony TCP/IP packets to a server, Nash said. The attack is a classic denial of service attack in that it tricks the server into spending all its resources performing unnecessary functions that keep it from letting people access the Web site.

Nash noted the company was informed about the problem late Sunday night and was under attack Monday morning. But several Netizens reported that hackers have been using the attack, labeled a SSPing attack, for at least a few weeks.

Barry Bahrami, a software developer with Commercial Illusions, said his company had been attacked several times with the attack. Each time the company was attacked, it jammed up its system and programmers lost a lot of work, he said. Commercial Illusions traced at least some of the attacks to a 14-year-old hacker in Minnesota and sent his mother a $4,607 bill.

A week ago, Bahrami sent news of the bug, along with the actual Linux program that runs the attack, to Microsoft. But Nash said Microsoft didn't see that email and first heard of the bug today.

In any case, Bahrami and several others were anxiously awaiting a patch.
Nash originally said the patch would be posted by noon and then 5:30 p.m. PT; it was finally posted around 6 p.m.

Nash emphasized that "anyone running Windows NT Web server should load the fix." Those hosting Web pages using Windows 95 or NT Workstation are also vulnerable, he added.

News of another bug can't be good for a company trying to sell its server software. Several people used news of the last bug--in Internet Information Server 3.0 running on top of Windows NT 4.0--to criticize Microsoft's products.

On the other hand, the fact that hackers are targeting Microsoft also could be construed as a sign of the company's popularity. After all, hackers usually like to focus their efforts on a target that will give them maximum exposure.

At least that's the spin that Nash gave on the bug issue. "I think the reason for interest in hacking the NT server is it's a very popular product," he said. "There's a lot of people who had looked at a number of ways of attacking Unix...Now there is a set of people trying to understand how to attack NT servers."

While some of the so-called hackers intended to do damage, many--perhaps most of them--fit the profile of a "hacker" in the old sense of the word: They are people who like to experiment and study computer systems to find problems and holes but have no malicious intentions. In fact, software vendors rely on this cadre of skilled programmers to put their products through testing so rigorous that it would be hard to replicate such trials in a lab.

In this case, a programmer sent the problem to Microsoft as a heads-up. But at least one person--perhaps many more--actually exploited this bug before Microsoft had a chance to develop or implement the patch, Nash said.

A similar scenario occurred a little more than a week ago when a software consultant discovered the IIS 3.0 bug. He inadvertently caused a denial of service attack on Microsoft while testing the validity of the bug.
As soon as he knew what he was dealing with, he sent the fix to Microsoft. Others, however, may have purposefully used the bug, once word got out, to shut down the site.

"It's not something that can happen by accident. It is really only the result of an intentional, malicious attack," Nash said.

In this attack, someone sends out a phony TCP/IP packet (specifically an ICMP packet, or ping packet) with bad information, according to Nash. The attacker either falsifies the size of the packet that it intends to deliver or it sends the server to the wrong place to look for the information.

The server, expecting a packet of a certain size or from a certain place, will wait until it gets the packet that was promised. But in this case, the packet will never get delivered and the server stops doing its job while it waits. Hence, new users trying to establish connections are locked out.

It would be like having a building custodian keep the doors locked and all entrances sealed until he got a 30-pound box from 333 Maple Street. A 20-pound box would not do, nor would a 30-pound box from 336 Maple. He would wait for the right package, regardless of whether it existed--while ignoring everyone pounding on the doors to get in. If it never came, a lot of people would be angry--and locked out.
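
The sanity check a receiving host or filter can apply to the "bad information" described above, as an added example that is not part of the original article or Microsoft's patch. The article gives no packet-level detail, so this assumes the falsified "size" and "place" correspond to the IPv4 total-length and fragment-offset fields, as in the Ping of Death it is compared to; the function names and sample packets are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 65535  # ceiling imposed by the 16-bit IPv4 total-length field

def check_ipv4_packet(raw: bytes) -> list:
    """Return the inconsistencies found in one IPv4 packet ([] means none)."""
    if len(raw) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", raw[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return ["malformed IPv4 header"]
    problems = []
    # "Size": what the header promises versus the bytes actually received.
    if total_len != len(raw):
        problems.append(f"size mismatch: header claims {total_len} bytes, got {len(raw)}")
    # "Place": where this fragment says its data sits in the reassembled datagram.
    offset = (flags_frag & 0x1FFF) * 8
    end = ihl + offset + (total_len - ihl)
    if end > MAX_DATAGRAM:
        problems.append(f"fragment end {end} exceeds the {MAX_DATAGRAM}-byte datagram limit")
    return problems

def sample_packet(claimed_len: int, frag_units: int, payload_len: int) -> bytes:
    """Constructed ICMP-over-IPv4 bytes for the checks above (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, claimed_len, 0x1234, frag_units,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + b"\x00" * payload_len

# Constructed samples: a sane ping, one that lies about its size,
# and one whose offset points past the largest legal datagram.
NORMAL = sample_packet(84, 0, 64)
WRONG_SIZE = sample_packet(1500, 0, 64)
WRONG_PLACE = sample_packet(84, 8189, 64)

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL), ("wrong size", WRONG_SIZE),
                      ("wrong place", WRONG_PLACE)]:
        print(name, "->", check_ipv4_packet(pkt) or "ok")
```

Dropping a packet that fails either check before reassembly means the receiver never commits resources to data that cannot arrive.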