Microsoft's Security Fix Not So Secure

Microsoft Corp.'s first major foray into the Internet security software business, a network security product called Internet Security and Acceleration, was released with a bug that could prompt a so-called "denial of service" attack.

The Redmond, Wash.-based software giant offered a fix to the product on its Web site Monday, about two weeks after the Toronto Internet security consulting company FSC Internet Corp. alerted it to the problem.

The first version of Internet Security and Acceleration, or ISA, was released Feb. 14 as a firewall and proxy service designed to protect business computer networks.

FSC Internet Corp. chief executive Richard Reiner's investigation found that if one of the product's features, called Web publisher, was running, an outside user could send a series of commands to the server that would prevent people from accessing the network's Web sites. It also would prevent those inside the network from surfing the Web.

Even without the Web publishing feature running, someone inside the network could have sent the string of commands to prompt the denial of service.

The flaw would not have allowed a hacker to access the network to get information, Microsoft security program manager Scott Culp said.

Reiner said he was concerned that he discovered the problem relatively easily, after about 15 minutes of routine testing.

"In what is essentially a firewall product, it's very unusual to see a flaw like this," Reiner said.

Culp said the product had been well-scrutinized and extensively tested, and that it is being used on Microsoft's own Web sites.

"We know that software always has bugs and that some of those bugs will always affect security," Culp said. "The fact that someone happened onto this bug doesn't say anything about the quality of the code."

© MMI The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed
