Microsoft issues patch for 10 new web-security flaws

Schools using certain versions of Microsoft’s web server software are encouraged to download a patch the company issued April 10 to fix ten newly discovered security flaws, the most serious of which could let a hacker take over web servers running the software in question.

The flaws affect the last three versions of Microsoft’s Internet Information Server and Internet Information Services software, which are run on millions of computers worldwide. Weaknesses in the same Microsoft software allowed the Code Red and Nimda worms to spread across the internet last year.

The most serious of the recently discovered flaws would allow a hacker to shut down, deface, or plant malicious programs on a school district’s or company’s web site. It was discovered by an engineer at eEye Digital Security.

Security guru Marc Maiffret, who calls himself eEye’s chief hacking officer, said more weaknesses have been discovered in Microsoft’s IIS Web server software than in the software of some of its competitors, which could “make it a little bit scarier running IIS.”

But most enterprises—including eEye, which uses IIS—think the software’s rich feature offerings outweigh the risk, he said, as long as they have a strong security product protecting it.

The latest flaws were discovered as Microsoft undergoes an intensive companywide campaign to stamp out security problems, an effort ordered by its chairman and chief software architect, Bill Gates.

Gates’ plan, called “Trustworthy Computing,” follows a series of embarrassing security flaws, including a critical problem that surfaced soon after the company released its latest version of Windows, called Windows XP. Microsoft released a patch in December to fix the flaw, which could allow hackers to steal or destroy a victim’s data files without the user doing anything more than connecting to the internet.

Lynn Terwoerds, a security program manager at Microsoft Security Response Center, said the company has worked hard to improve the way it deals with security problems, setting more secure default standards in its software and more aggressively informing users of security flaws and patches.

“Security is an industrywide issue,” she said. “I understand that there is a lot of focus on us, but when you take a look at the past year there’s also been an evolution in terms of what we do.”

Microsoft’s critics had contended that the software giant had been ignoring security weaknesses for far too long.

Since Gates announced his plan in January, Microsoft has asked nearly all of its employees to undergo added security training. Developers have pored over countless lines of code in search of flaws. But Terwoerds said the latest flaws would likely have been discovered with or without the Trustworthy Computing initiative.


Microsoft Security

eEye Digital Security

Want to share a great resource? Let us know at