Years from now, we will all look back on the summer of 2001 as one of the strangest summers in the history of the internet. We will surely laugh at the frantic gyrations of system administrators and security professionals because of a worm called "Code Red". We system administrators will most certainly chuckle as we fondly reminisce on the late evenings spent patching server after server at the urging of our security professionals. And hey, that blue screen or two that resulted was so much fun to research, and the reinstalls that we had to do the next day will certainly be the topic of campfire conversations for years to come! Not!
During late July and early August, Microsoft, CERT (Computer Emergency Response Team) and the FBI issued emergency bulletins urging all system administrators to patch their web servers immediately. The press was alerted and asked to help spread the word that the internet itself was in extreme danger. Every security and antivirus company on the planet was busy sending out notices to everyone they could find that the problem had to be fixed immediately, or dire consequences would result.
The predictions were that internet speed would be reduced to a crawl for days while billions (trillions?) of meaningless packets were thrown at the White House web site in an attempt to knock it off the air.
What was the cause of this three-ring circus?
It's very simple really. The same old story. Microsoft had a bug in their web server code. Well, saying they had a bug dramatically understates the magnitude of the problem.
To put it into perspective, let's say you hired a contractor to build a new bank (you are the bank manager). Naturally, your bank is outfitted with state of the art technology (so says the brochure), including a shiny, well-publicized security system. The project was expensive, but you're happy because, hey, it's the new, improved, extra special XP bank. Besides, the contractor is the biggest one on the planet and, frankly, you paid them an exorbitant rate to ensure that you got the best there was.
After your bank is robbed, you find out that the contractor had "accidentally" left an eight foot hole in the right wall. This isn't just a small hole, it's a huge, gaping crevice leading directly to the vault. It's in plain view to everyone, except, seemingly, the contractor. When you confront the contractor to ask them how they could do such a stupid thing, they politely tell you, after a three hour wait on hold and a $295 charge on your credit card, that it's really your fault because you didn't follow the instructions in their special security bulletin two months ago. Didn't you send a couple of your employees to the BSE (Bank Systems Engineer) classes to learn that they need to purchase the extra-special, super spectacular BankNet knowledgebase CDs?
Okay, all kidding and sarcasm aside, there is a bug in the Indexing service (the component that creates searchable indexes) in Microsoft Internet Information Server (the program which displays web pages on a web server) which is supplied with Windows NT and Windows 2000. This bug allows anyone who can send a special string of characters to a web server to "take control" and, basically, cause the web server to do anything that the attacker desires.