/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsA major flaw has surfaced in Microsoft’s new firewall and proxy server security software that exposes firm Web sites to denial-of-service attacks by hackers. The attacks also make it impossible for people behind the Microsoft firewall to access the Internet.
The flaw was discovered and reported to Microsoft two weeks ago by FSC Internet, a Toronto-based Internet security consulting company. It concerns Microsoft’s ‘Internet Security and Acceleration’ product that represented Microsoft’s first major foray into the Internet security software business when it was launched February 14.
Microsoft was already offering a fix for the flaw on its Web site Monday, nearly two weeks after FSC Internet Corp. brought the problem to its notice. FSC found that if one of the Microsoft products, called Web Publisher, was running, an external user could send a series of commands to the server that would prevent people from accessing the network's Web sites.
It also would prevent those inside the network from accessing the Web site. Even without a Web publishing feature running, someone inside the network could have sent the string of commands to prompt the denial of service. As a potentially troubling sign of weakness in the Microsoft product, FSC said its engineers discovered the problem after just 15 minutes of routine testing.
"In a firewall product, it's very unusual to see a flaw like this," said FSC CEO Richard Reiner. At Microsoft, Scott Culp who manages the firm’s security product line said the firewall product had been well scrutinized and extensively tested, and that it is being used on Microsoft's own Web sites.
"We know that software always has bugs and that some of those bugs will always affect security. The fact that someone happened onto this bug doesn't say anything about the quality of the code.'' Microsoft’s Web sites were recently brought down by denial of service attacks. It is not known whether the security flaw in question was responsible for allowing those attacks as well.