Giant red faces in bug-chasing game

It's been a bad summer for bugs

It's been a bad summer for bugs. Even as the clocks tick closer to the notorious millennium bug, several high-profile bugs and security flaws have been highlighted in the last two months, revealing a fascinating stalking game between giant software companies and groups dedicated to exposing their mistakes. Some of the bugs also suggest that the growing online world may be more vulnerable to attack than most of us think.

The most recent celebrity bug to be "outed" was in Microsoft's free Web-based email provider, Hotmail. On August 24th, Tom Cervenka, alias Blue Adept, a Web programmer at a Canadian Intel network reseller called Specialty Installations, revealed that he had found a way to trick Hotmail users into revealing their passwords to him.

Mr Cervenka compromised the system using a classic Trojan-horse email. He included a JavaScript program in email messages sent to Hotmail accounts; when a recipient read the message, the program presented a fake look-alike Web page asking them to retype their username and password. If they did, they were returned to normal Hotmail services, but unknown to them, the names and passwords were mailed to Mr Cervenka. He not only posted a demonstration on his company's Because-We-Can website (www.because-we-can.com), he also sent details to security mailing lists which discuss and publicise security flaws in popular products.

To protect its reputation among the holders of its 22 million active accounts, Hotmail worked feverishly to fix the problem, and by the morning of August 25th it was filtering out JavaScript from incoming messages. However, Mr Cervenka quickly found a way around this, and the battle of wits continued for a few more days until Hotmail found a more permanent solution.


Meanwhile, various other web-based email providers have found they are equally vulnerable to having their pages taken over by malicious JavaScript, and are working on solutions.
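As an added illustration (not code from the article, from Hotmail or from any of the providers named), the following contrasts the kind of quick fix described above, deleting known-bad script markup from incoming mail, with the more permanent approach of rebuilding each message from an allowlist of harmless tags. The two sample messages and the function names they call are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample messages, not taken from the article.
SCRIPT_MAIL = "<p>Hi!</p><script>showFakeLogin()</script>"
HANDLER_MAIL = '<p onmouseover="showFakeLogin()">Hi!</p>'


def denylist_filter(body: str) -> str:
    """The quick fix: strip <script> blocks and keep everything else.
    Markup that runs script without a <script> tag passes straight through."""
    return re.sub(r"<script\b.*?</script>", "", body, flags=re.I | re.S)


# Allowlist: only these tags and attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (including <script>) is dropped entirely
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event-handler attributes and anything else unlisted
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops links whose scheme is not a plain web or mail link
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text content is always re-escaped


def sanitize(body: str) -> str:
    """Rebuild the message from the allowlist instead of deleting known-bad markup."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

The denylist version leaves the second message untouched, which is why a filter written around a single construct tends to hold only until someone writes the same thing another way.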

Microsoft has also been the target of a more sinister attack, this time from a group calling itself the Cult of the Dead Cow. In July the group released a program called Back Orifice (a swipe at Microsoft's Back Office) which, if run on a networked machine, can allow hackers to access all the data on the computer without detection.

Members of the cult said they created the program to highlight security flaws in Windows, but Microsoft has issued an advisory on its security website (www.microsoft.com/security) denying this. "'Back Orifice' could introduce security vulnerabilities in the system on which it is installed," it says, "but, as with all other software, a user must make the choice to install it. Anytime a user installs software from unknown or untrusted sources, they risk compromising their system." The same presumably goes for running unknown programs sent in email messages.

In fact, viruses sent by email were the subject of one of the summer's biggest security alerts. In late July, researchers at the University of Oulu, in northern Finland, discovered a hole in three of the most popular email programs: Microsoft's Outlook Express and Outlook 98, and Netscape's Communicator email. By sending file attachments with extremely long names in email or news messages, hackers could run their own programs as soon as the messages were read.

Although both Netscape and Microsoft said they had no reports of such attacks, they quickly worked to fix the problem. Since August 11th the Microsoft security website has offered a fix for download, but just how many people have installed it isn't known - it can take several hours to download the fix. It is probably only a matter of time before someone successfully writes and mails viruses this way, and with directories of millions of mail addresses available to senders of junk email, the consequences of a successful mass virus distribution by email are frightening. Hence Microsoft "strongly recommends" installing the fix.

These and many other bugs are reported and publicised by independent researchers, or concerned groups like the Australian Computer Emergency Response Team (www.auscert.org.au) or NTBugtraq (ntbugtraq.ntadvice.com). Such groups regard themselves as providing a public service. NTBugtraq, which hosts a discussion site for Windows NT security bugs, is described by Canadian Russ Cooper, who runs it, as a service to the Windows NT community "which Microsoft should have provided a long time ago".

Microsoft's dominance makes it a popular target for the bug-busting community, but it doesn't exactly thank NTBugtraq for the manner in which its flaws are published. However, the Microsoft security website does credit Mr Cooper's site with reporting bugs such as the mailer bug and a more recent issue affecting its Internet Explorer product.

The Trojan war between Hotmail and Mr Cervenka is symbolic of the perpetual grudge match between developers of popular software packages and those who publish weaknesses in them. It's a game with no end in sight, but thankfully we, the computer users, are better off for it. The alternative is that we only discover bugs when software crashes, and security flaws when we're broken into.

Eoin Licken is at elicken@irish-times.ie