Updated: July 11, 2020 (July 16, 2001)
Analyst Report
Secure Windows Initiative to Tackle Security Vulnerabilities
A malicious worm program known as Code Red has defaced as many as 225,000 Web sites by exploiting a buffer overflow bug in Internet Information Server (IIS). Microsoft is undertaking an internal reform of its software development and testing practices to combat these kinds of bugs. However, its reform campaign leaves untouched some gaps in its administration tools and management practices that contribute to security risks. Customers can take some steps to protect themselves while waiting to see how effective Microsoft’s reform campaign will be.
The bug exploited by the worm is only the latest in a seemingly constant stream of security bugs that has called into question the enterprise-worthiness of Microsoft’s products. (See “The IIS Indexing Buffer Overflow”.) In June, Microsoft issued bulletins for six security-related bugs, and in May it issued seven. Most disturbing was the discovery of multiple buffer overflow bugs that allow attack programs or worms like Code Red to remotely crash or take over Windows servers.