Event Summary

10 March 2000 (PCWeek) Microsoft Corp. (NASDAQ:MSFT) today admitted it found
out months ago that there is a hole in its Windows 95 and 98 operating
systems that leads to system crashes, yet decided the problem wasn't serious
enough to warrant alerting customers or issuing a patch.
The problem arises when a user goes to a Web page or opens a Web-based e-mail
message that contains a hidden string of characters that instructs the
computer to use DOS commands for accessing the keyboard, printer and other
devices, said Eric Bowden, general manager of BugNet.com, an online bug-tracking
service.

"The insidious thing is that you can stick this in a Web page and e-mail it
to someone and it will cause their machine to [crash] when they open it,"
Bowden said. Users could also encounter the hole by typing the string
of characters at the DOS prompt in Windows 95 or 98.

Microsoft acknowledges it was alerted to the problem at the end of last year but
did nothing to fix it or make customers aware of the problem. "It wasn't
considered a serious issue," said a Microsoft spokeswoman.

"It's an inconvenience more than anything. It's not a security issue. No one
is reading your e-mail."

But the spokeswoman added that Microsoft, of Redmond, Wash., decided to reconsider
its decision this week and is now working on a patch for the problem.
The spokeswoman did not know when the fix will be available but said it
will be posted to the http://www.microsoft.com/security site.
Market Impact
Further reports have indicated that this crash can occur under Outlook
2000, whether or not the offending message is opened. However, the crash
will not occur on Windows NT or Windows 2000 systems. Outlook 98 is also
immune to the problem.
If someone can crash your system remotely, that's a lot more than an "inconvenience".
It's called a Denial of Service attack.

Microsoft's approach to the problem is less than ideal - it reacts to publicity, not
problems. The problem surfaced in late 1999, but wasn't publicized on
BugNet until March 2000. Only then did Microsoft move to address the problem.
This creates a window of opportunity for alternate OS vendors, such as
Red Hat (NASDAQ:RHAT), to distinguish their level of product support from
Microsoft's offerings.

User Recommendations
We believe this is yet another reason to favor the Windows NT/2000 operating
system family instead of Windows 95/98/Me. It also underlines the importance
of antivirus software for corporate email systems.
Monitor http://www.microsoft.com/security, or BugNet, for a patch. (Let's hope
it's not called Windows Me.) If you have paid Microsoft for any tech support
related to this problem in the last three months, demand a refund.