August 13, 1999

An Embarrassment for Microsoft in Battle With America Online

By JOHN MARKOFF

The Microsoft Corporation acknowledged Thursday that one of its programmers apparently masqueraded as an independent computer consultant earlier this week in an effort to discredit America Online's tactics in the companies' quarrel over instant messaging.





Microsoft had reason to be red-faced about the incident Thursday -- first, because the company was unable to identify which employee had forged an e-mail message on Tuesday accusing America Online of irresponsible behavior, and second, because whoever did it sent the message to the one computer security expert who was most likely to find a way to trace it back to Microsoft.

The ruse has added a bit of Spy vs. Spy melodrama to a bitter dispute over instant online messaging that America Online and Microsoft -- the world's two largest Internet service providers -- have been waging for several weeks. The dispute began last month when Microsoft introduced a clone of the AOL Instant Messenger program, which permits computer users to chat over the Internet with other computer users.

Since Microsoft released its clone, the two companies have waged a public war of words while simultaneously carrying on a hacking cyberwar as America Online has tried to electronically lock Microsoft Messenger users out of its network and Microsoft has at least 13 times managed to find new backdoors.

America Online executives say Microsoft is making illegal use of proprietary directory information that is essential to connect instant messenger users with each other via the Internet.

The Microsoft disinformation incident came to light on Wednesday when Richard Smith, the president of Phar Lap Software and a leading computer security expert, received an e-mail message from someone identifying himself as Phil Bucking of Bucking Consulting.



The author suggested that he was developing his own instant messaging program and was studying America Online's tactics in blocking Microsoft users. In his message, he asserted that America Online is using a programming error that has created a security flaw -- one not found in Microsoft's clone program -- to detect the Microsoft Messenger program. The author said he was writing Smith because Smith had "significant credibility with the press."

"I think you would agree that this is a heinous and risky action," stated the electronic message, which was sent using a free Yahoo e-mail account. "I am perfectly fine with AOL and MS fighting it out with standard software practices, but putting user security at risk is unacceptable. It is inconceivable that a company would even consider doing this."

When Smith, who has criticized Microsoft's software development and privacy practices in the past, examined the message, he discovered that it had originated within Microsoft.

"Microsoft is trying to use me as a pawn in their fight with AOL," he said.

In a telephone interview today, Rob Bennett, the director of marketing for Microsoft's Internet service, MSN, confirmed that the author of the message was almost certainly a Microsoft employee, but he said the company had not yet discovered his or her identity.

"I think it's somebody who got a little overpassionate but went about it the wrong way," Bennett said.

Computer industry analysts said that the incident echoed a 1992 controversy in which Microsoft employees masqueraded as independent computer users and posted messages to public computer bulletin boards with opinions critical of I.B.M.'s OS/2 operating system, a product that competed with Microsoft's Windows.

"This is par for the course for Microsoft marketing," said John C. Dvorak, a columnist for PC Magazine.

"In the past we called them Microsoft munchkins. It was a scandal."

Microsoft executives said there had been no Microsoft plan to play dirty tricks in its dispute with America Online. Bennett also said that members of Microsoft's software development team had told him they knew nothing about the incident.

Bennett, however, insisted that the accusations made in the message were accurate and that America Online's programmers had been exploiting a security flaw in the AOL Instant Messenger software to identify Microsoft Messenger customers. He said that since the dispute began, Microsoft had made 13 changes to its program to get around America Online's efforts to block users of Microsoft's clone.

"It's unfortunate they're putting user security at risk," he said.

An America Online executive disputed that there was any security issue involved and said the company would not acknowledge that its software contained a vulnerability known as a buffer-overflow error.

"It's a fake issue by a fake consultant," said Barry Schuller, director of interactive services at America Online. "Our whole approach is all about privacy and security for our members, and I think this is really embarrassing for Microsoft."

A buffer overflow error is a type of programming defect that could permit an intruder to execute rogue programming instructions on a remote machine via a computer network. In some cases buffer overflow bugs can be exploited to crash remote programs while simultaneously executing illicit code.

Microsoft said that in the case of AOL Instant Messenger, the buffer overflow error did not result in a program crash. But by running a program on its servers, America Online could exploit the bug by weeding out users whose software did not have the error and therefore had to be using the Microsoft clone.

Smith acknowledged that the code Microsoft was questioning in America Online's program might not, in fact, be a bug. But if it was, he said, America Online's exploiting it to detect the Microsoft clone was risky from the standpoints of privacy and computer security.

"Putting network backdoors in software products should be against the law," he said.

"I don't like the idea at all of 'spyware.' "

Microsoft posted a change to its program last night to work around the new America Online strategy, Bennett said. But he added that the workaround did not use a buffer overflow error.






Copyright 1999 The New York Times Company