Recent attacks on web servers running the flawed IIS (Internet Information Services) components could be just the start of a new wave of hacking.
Microsoft, maker of the Windows server systems in which IIS is installed (NT, 2000 and beta XP systems), had four of its branded sites hacked and defaced on Friday last week.
Microsoft issued warnings last week urging people to install the security patch protecting sites using the IIS server system from attack. But the software giant seems to have ignored its own advice. The four attacks reached two MSN sites and two of the company's internal research sites.
"The hackers took advantage of the flaw we had warned people about," said a Microsoft spokesperson. "Our security team were working on the patch to secure the site but obviously too late."
"People are getting worried over Microsoft's approach to security," said a spokesperson at the Consumers Association. "After all, if they can't trust the big corporations to protect them, who can they trust?" This might seem a little rich to some after the CA dropped a clanger last week by releasing TaxCalc customers' credit card details on the web.
But poor Microsoft engineering could, until now, have unwittingly thwarted many hacking attempts.
Unix sockets were not properly installed into Windows software until the release of its 2000 and XP flavours, and this may "have saved the internet from untold levels of disaster", according to web security expert Steve Gibson. Last month Gibson's firm was itself attacked from several hundred IIS systems.
"This has horribly changed Windows for the worse," said Gibson. "For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability for any application to generate incredibly malicious internet traffic."
Gibson and his research team are currently in talks with Microsoft to encourage them to remove this from Windows XP.
"When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth internet connections, we are going to experience an escalation of internet terrorism, the likes of which has never been seen before," said Gibson.
Forging the IP (internet protocol) address of an attacking machine is known as spoofing and is almost impossible in Windows. But a trivial technicality in Unix-like operating systems means hackers' identities can be easily concealed.
Microsoft confirmed it had fully installed the Unix sockets into its new software but would not comment further.
"Obviously we will do all we can to stop hackers attacking us and users, but we do not know what the impact on the Unix sockets will be," said a cagey Microsoft spokesperson.