Microsoft denies employee sent phony e-mail
- 16 August, 1999 22:00
The instant messaging war between Microsoft and America Online got uglier on Wednesday, with accusations that a Microsoft employee authored a phony e-mail message accusing AOL of dirty tricks.
Someone, posing as a software consultant, charged that AOL created a security flaw to identify users of Microsoft's MSN Messenger Service. Microsoft released that software last month to compete with AOL Instant Messenger (AIM).
The e-mail -- from "Phil Bucking" of "Bucking Consulting" -- was sent to Richard Smith, president of Phar Lap Software, in Cambridge, Massachusetts. The author claimed to have discovered AOL's alleged sabotage while building his own messaging software.
The author wrote that he believes AOL is using a buffer overflow exploit error, which would allow AOL to run code on a subscriber's computer. This would essentially give AOL the ability to distinguish between AOL and Microsoft client software, allowing AOL to kick off subscribers who are not registered with AOL Instant Messenger, according to Smith.
"(Buffer overflow exploit errors) are typically used by hackers and crackers," Smith said.
Smith, who believes he was chosen as the message recipient because of his past problems with Microsoft security holes, added that the author encouraged him to go to the press with this bug discovery. After receiving the e-mail, Smith checked for "Phil Bucking" via Web searches and was not able to find anyone with this name.
Smith then discovered that the sender used the Yahoo mail system and had set up the account that day. Apparently, the sender was not aware that Yahoo includes IP addresses, which Smith used to trace the message back to Microsoft.
AOL did not admit to any wrongdoing.
"Our view is that this is a fake issue by a fake consultant," said Ann Brackbill, an AOL spokeswoman. "Throughout this whole side-show, if you will, we put privacy and security first, second, and third, and people are going to view this as embarrassing for Microsoft."
However, Rob Bennett, director of marketing for MSN, said Friday that "it is not clear at this point that the e-mail was sent from any Microsoft person. We have not acknowledged that."
"If it did come from within, it doesn't represent Microsoft and is inconsistent with our approach at the company," Bennett said. "We have tried to be above-board.
"We'll certainly take some action, (but) it is questionable whether this would be a fireable offense," Bennett said. "We will take action if this is found to be true."
In startling contrast, however, Smith, gave a different account of Bennett's understanding of the source of the e-mail message. Smith said Bennett told him "it looked like it came from inside." Bennett disputed that, saying he never confirmed that the e-mail message came from Microsoft.
Nevertheless, Bennett made the same charges that were in the "Bucking" e-mail -- that AOL inserted a buffer overrun bug in its software with an eye toward thwarting Microsoft.
"We've known that for a couple of days now," Bennett said. "We had no intention of going public with it."
Microsoft's instant messaging software, as well as a new release from Yahoo Inc., communicated with AIM by accessing AIM users' passwords, which AOL labeled a breach of security. AOL also took issue with the rival messaging software accessing its servers. AOL denied access to its networks, but Microsoft tried to circumvent AOL's attempts by posting new versions of its messaging software.