Microsoft red-faced over sloppy security

We have a patch, we simply choose not to use it...

MSN has admitted its website was infected by the Code Red virus last week, despite the fact that Microsoft has had a patch available to plug the security vulnerability for over a month.

MSN, Microsoft's internet business, said a "small number of servers" were infected by the malicious code on the night of 19 July. This follows Microsoft's own update site being hit by the bug earlier the same day.

A Microsoft spokeswoman said all affected servers have been removed from service and it is conducting a full investigation. It was unable to say exactly how many servers were affected but insisted the attack did not affect the MSN service or any Microsoft customers.

The Code Red worm attacks a vulnerability in Microsoft web servers called internet information servers, or IISs. This leads websites to display the messages http://www.worm.com and "Hacked by Chinese!". The worm then randomly generates an IP address from a pre-set list of domains and propagates itself to other web servers.

By Friday, an estimated 225,000 servers had been affected, leading some to describe the worm as the most damaging web server virus ever.

Microsoft first published a patch for the vulnerability on 18 June. However, it appears MSN didn't take its own medicine and allowed the holes to go unplugged.

Spokespeople for MSN and Microsoft today were unable to explain why servers hadn't been updated with the patch. Microsoft said "operational procedures were being reviewed in the light of a full investigation".

A full patch to plug the flaw is available at http://www.microsoft.com/technet/

That's presuming, of course, the site is still up.
