August 18, 2005 12:32 PM PDT
Survey: Microsoft bears some blame for worms
Thirty-five percent of respondents to an informal Web survey of customers by security company Sophos said the software maker was ultimately at fault for the recent rash of worms spawned by variants of Zotob. In the poll results, released on Thursday, 45 percent placed the blame squarely on the virus writers, while 20 percent laid blame on their systems administrators for not patching systems fast enough.
"The majority of users believe that the virus writer has to take the ultimate blame for deliberately creating and unleashing this worm to wreak havoc on poorly protected business," Graham Cluley, Sophos senior technology consultant, said in a statement. "But what is most surprising is that so many people blame Microsoft for having the software flaw in the first place."
Microsoft is not alone. Companies are increasingly calling on software developers to improve their security battle-testing of products before release.
"No software is 100 percent secure, and this is collectively being felt by the industry," a Microsoft representative said Thursday. "Over the last year, Microsoft has made improvements with security."
The software giant, for example, has launched its Security Development Lifecycle, the representative said. The move modified Microsoft's software development process to improve the way it integrates security best practices from the get-go.
Microsoft has also seen security improvements with its Windows XP operating system and the Service Pack 2 update, analysts said.
In the most recent worm outbreak, malicious attackers began circulating variants of Zotob and other viruses that exploit a plug-and-play feature in some Windows versions. The onslaught came shortly after Microsoft's regular monthly patch release, which included a fix for the problem. The flaw allows remote attack in Windows 2000 and not Windows XP SP2, according to Microsoft.
"Microsoft is stuck between a rock and a hard place when it comes to vulnerabilities," Cluley said. "When it goes public about its security holes, a virus can be written to exploit them and many businesses may not have rolled out the patch. If it kept quiet...everyone would ask why Microsoft hadn't warned anyone of the vulnerability."
82 comments
It is just too much typing!
Ah, so this point last year, there were 600 security holes for which XP was vulnerable...now we are down to 599!
Some people blame the virus author, some blame the vendor and some blame sysadmins. ZZZzzzz. Who else would they blame? Their mommies? The great computer in the sky?
How is this newsworthy? The headline tries to make it sound more exciting than it is. Who is at fault? All of the above. As with any issue this complex (like a multicar pile up on a freeway), fault is always shared.
MS' security response is much better these days, but until they get 95% of Windows users to migrate to Windows XP (especially SP2+) and Windows 2003 (especially SP1+), they're going to feel the hurt for years of overlooking security issues.
Mister Winky
THERE IS NO GREAT COMPUTER IN THE SKY!
:)
The point is that blame ultimately lies with the user. No matter how safe Volvo makes a car, the person driving it still has to know how to drive, and the same holds true for computers.
I've done all the griping I can about Microsux, virus-writers, and software vendors. Now, I try to teach people how to use computers responsibly, by explaining what anti-virus, anti-spyware, and firewalls do and their importance. Knowledge is the key, not blaming others because of your ignorance.
do not click on ads
do not download unknown dangerous software
do not use p2p
do not visit unknown dangerous websites
do not give out any information
do not install software you will not use antivirus antispyware etc
do not open unknown email
do not open email attachments
do update system frequently
do use a hardware firewall
do download known software only from developers website
do use dodgeit for fake email addresses
There are probably many more...
But when it comes to software providers, many just shrug and defend the less than stellar QA these providers provide (and I don't just mean the big bad boyz from Redmond).
Why are people so soft on sloppy products when said products come from tech companies?
Evidently, most of these other business users know how to take care of their business, or if something does go wrong, they know how to correct it, instead of blaming someone else.
The problem is 100% the network admin folks that haven't been able to keep up with all the patches and replace their otherwise perfectly capable hardware that simply can't run the latest Microsoft OS because it's bloated to the point where it requires the latest CPUs just to run fast enough for somebody to check e-mail and type a document.
Sheesh
http://www.drowning.com/images/boring.gif
1) First of all, most computer users use MS products because of standards set by their company (not by personal choice) or in the case of home users, options available to them
2) Keeping servers, clients, and software protected, and educating users, keeps most companies up & running (the company I've been with for the past 2.5 years has had less than a day of downtime because of our diligence)
3) Basic precautions will protect even the most daft home users. I put extremely little effort in protecting my home machine and have NEVER been hit in over 10 years of being connected to the 'Net because I run a software firewall (free), don't click everything in sight, don't believe everything I read in e-mail, etc.
I'm not saying MS doesn't have security issues; however, a little precaution and common sense go a long way and I (and apparently a lot of others in the computing world) are willing to jump through hoops to secure systems to take advantage of the products MS offers. It can be a crapshoot but if one and one's systems are prepared, the risk is mitigated.
'P.S. Carl Johnson'
I've been waiting a long time for a news article that talks about the real issue, the fault in the product, but every time it's always the same old story: just focus on the "hackers" and "virus" - probably a lot more attractive for the ignorant.
So comes down to marketing: Until everyone points the finger at Microsoft for the holes they leave wide open, they are only getting complaints from 1/3 of the more informed users... no incentive for them is it now?
People got burned because of their own fault!
That's all I have to SAY!
One of the reasons many techs don't update servers and workstations is the fear that the updates will break other software or the OS itself. It is a founded fear. SP2 caused all kinds of problems with Windows XP. And before that I can remember getting updates for Windows 98 that caused driver errors, program errors, and even Windows errors. So even if Microsoft has gotten 110% better at delivering updates that don't break software the old saying of once bitten twice shy still rules the roost. Not to mention it can be hard to update several hundred or even thousands of computers. And the fear of breaking even a 1/3 of them can be enough to stop any tech.
It's unfortunate that flaws are out there in any product and it's unfortunate that people would try to take advantage of them, but this is part of life now. The only real fix is for people to become smarter users and lower the number of stupid things they do.
I, for one, would delay the onset of features for more solidity and stability, but most people are blinded by shiny new features that they will never use.
I want an OS that's as stable as my stereo receiver! The sad thing, other electronics are becoming more like computers than computers are becoming like other electronics. And cars running almost completely on software...holy hell.
Mister Winky
Marc
www.PropertyTalk.com