By Will Sturgeon, 4 May 2004 17:45
NEWS The UK coastguard service lost the use of its computers and database-driven services for several hours after being hit by the Sasser virus - despite the fact a patch has been available for two weeks and further warnings from Microsoft were sent out last week.
As such the software giant says it is not to blame for this latest exploit of a vulnerability in its operating systems.
Coastguards were forced to revert to paper filing systems, telephones and other low-tech methods to keep the service going through the outage, though a statement from the Marine and Coastguard Agency said the virus wouldn't hinder the service's effectiveness as coastguards train for all eventualities, including loss of critical systems.
However, the Agency failed to return a call from silicon.com asking why a government-run public service, dealing with life or death rescues, had failed to apply a patch which had been available for two weeks on the Microsoft website.
The worm attacks vulnerabilities in Windows XP and 2000 operating systems. But Stuart Okin, UK security chief at Microsoft, said his company is not to blame even though it will doubtless be a target of criticism.
"This is the fault of the criminal who launched the attack," said Okin. "The blame lies squarely at the door of that individual."
However, he reminded those who would be quick to point the finger at Microsoft that the patch was available two weeks ago. "If users had applied the patch then they wouldn't be affected," he said.
"There are three simple steps users can take to ensure they survive such attacks," added Okin. "They can keep up with security updates, ensure they have anti-virus and the latest signature files and they have their firewall enabled. If users had done that they wouldn't have been infected by this virus."
The team behind the Netsky worm has already claimed responsibility for Sasser.
Comments
There are 23 comments. Join the discussion
1. Nick Hattingh
Perhaps the "government-run public service, dealing with life or death rescues" knows that applying patches can cause problems with other software.
If they had applied the patches without conducting any tests, and critical software failed to work, who would accept the blame then, Microsoft?
2. Steve M
The software giants response is not surprising and you can have a little sympathy with it but lets not forget it is sloppy development practices that repeatedly leave the OS vulnerable to attack in the first place. Isn't it about time they closed all the doors in the software before it is released and then they wouldn't need to issue security patches. Let's have some QA... wouldn't that be a refreshing change!
3. Dark Overlord
How many lives could have been lost through an organisation's failure to patch? I hope somebody gets a serious a$$ kicking for this! Lessons learnt? Too late!!
4. Matt
There are lots of issues here, such as being prudent etc. but when there is an attributable death that is the result of a virus in the UK will a warrant for an arrest for murder be issued? Would it deter a virus writer?
5. Guy Kirkwood
The sound of whining from an organisation too lazy to create secure software in the first place is like fingernails on a blackboard.
Perhaps it is now time for the regulators to force MS to go open source - or do what I do, use an operating system that is faster, more secure and with a zero learning curve - Windows 98SE with IE removed by 98lite.
Let's get off the upgrade cycle, it's wheels are obviously falling off.
6. Annoyed
It is MS's fault.
One of the patches that was released about 2 weeks ago caused a process called system to go to 100% on some machines, rendering them unusable. It took around 4 hours to remove. (Try googling for KB835732 system 100) I don't see an explanation from MS, so why would they expect people to continue to apply their patches?
In addition, dial-up users can spend several days collecting patches and service packs. The patches should be more carefully written, so that only the holes are patches rather than the "hole of IE6" for instance.
7. anonymous
MS is almost true.
While is true that MS cannot be blamed for 1) customers not applying patches and 2) people vritting worm and viruses exploiting vulnerabilities, I believe not all OSes are easy Windows to compromise.
8. anonymous
Let's be clear about this - if anyone's to blame it's the little b@stard who created the virus in the first place. Rest assured he'll be taking some delight in watching everyone blame each other for the mayhem he's caused. I only hope his balls drop soon.
9. Eddie Bleasdale
If a Bank manager failed to lock his bank and as a result people helped themselves to the Bank's money - the manager would be held responsible, sued and sacked. Similarly it is not acceptable that Microsoft denies responsibility for the growing number and increasing severity of attacks against its software.
Microsoft's approach to security is less than it should be. Until it is possible to run Microsoft computers where there is a clear distinction made between executable code and data - then viruses, worm and Trojans will be a problem that will continue to get worse.
Similarly Microsoft builds insecurity into its operating systems by integrating what should be application software, such as the Internet Explorer web browser and Windows media player, into the operating system. The result is that security problems that should be of little significance in an application become major security problems.
Linux is secure by design. Interfaces are published and checked to be secure.
The reason why Linux is free from viruses is because of the clear distinction made between executable code and data. Email attachments can not be executed unless they are first manually saved to a file, the file attributes are manually changed to make the file executable. The file then has to be manually loaded into memory and executed. If a user downloaded and executed code that harmed the computer then, because users work within protected 'sandboxes', only his file system would be damaged.
All IT professionals should now be exploring the issues of migrating to an IT infrastrucuture that is secure by design.
10. anonymous
Microsoft need to appreciate their software is just a tool for people to be able to do their job. The tool needs to work, just like any other. If you had a problem with any other sort of tool you would take it back to the supplier or manufacturer, not spend your own expensive time to fix it. Even if the manufacturer told you how to fix it, or supplied a replacement part the first time, if it happened again, you'd probably ask them to come & do it, or demand your money back. I'd certainly expect that response from any of our customers who had such problems with any of our systems.
Maybe there should be a policy of charging Microsoft for all the time spent downloading & installing patches etc? Also maybe the cost of any Anti-virus software/firewalls etc, required due to the faults, should be offset against the cost of the licenses?
Maybe Microsoft would start thinking more closely about the security aspects rather than the profits if everyone were to charge them for these additional costs?
11. Paul
Microsoft saying its not there fault is a bit of a contradiction in my opinion. Looking afetr 10+ servers I keep these machines upto date with the 'Online Windows Update', but this patch was not on the 'Critical list' so by default virtually any machine using this service would not have downloaded the patch.
Microsoft saying it fixed the issue and made a patch available is a bit of a lame excuse, if had just posted the patch into the correct area on the 'Online Windows Update area' then this most likely would not have affexted 50 to 70 % of business systems. Having to manually got to a site and then download the patch, \defaeats the whole object of what the 'Online Update Service' is there for.
Or maybe it was a mistake on MS's part not realizing the severity of this issue.
These are my thoughts at least
12. Fred Dibnah
I think this shows the competancy of some people in positions of IT responsibilty.
Use System Update Services to download all your patches automatically, it isnt that hard.
13. David J. Howe
Microsoft do have big ones...install the patch when it's already been reported that the patch is defective.
The claimed defense is to apply the patch against the LSASS vulnerability on Windows XP, Windows 2000, and Windows Server 2003 systems. (But, the patch is itself flawed, and can make some Windows 2000 machines to crash at startup; Microsoft has yet to deploy a patched patch.)
14. Shane Molloy
That is a fair point. They should be better protected. It would be nice if MS products were more secure, but the fact is that they're not. It took two enlongated outages before I could convince my company to buy Symantec but we have had no outbreak since. It's about responsible usage of the internet and unfortunately not having security in place is tantamount to aiding the virus writers.
15. Graham
Linux? Secure? Pah! I could pull that baby to pieces in minutes. The reason virii (?) are more prevalent on MS is that the virus writers also happen to be nerds who love linux with the irrational 'hate MS' chip on their shoulder. Anybody who has had to design an integrated multi-user platform with all necessary services for conducting business is not concerned with anything but speed of implementation and flexibility of design, security should be controlled as a day-to-day routine, checking ports, passwords and virus definitions. It also means that you can replace outgoing technicians with pretty much anyone, not some ubergeek who's spent years locked in a dark room getting acquainted with one of 600 different linux flavours. Not to mention the work MS do to integrate information and data from all wals of IT life without IT managers the world over having to worry. So they drop the ball a few times, who among us can say any software (of any size, not huge OS either) we have developed has worked right first time every time. Who even has the first inkling of how to develop flawlessly in the first place? Join the real world, chaps, and realise we all share the blame if things go wrong.
And breathe....
16. anonymous
So who is perfect?
I worry about the motives of vendors of incomplete AV solutions, initiators of virus (or worms) that install back doors, and people who attack Microsoft's clearly lacking developments.
Feel sorry for a site possibly brought down by an errant notebook brought onsite after a few weeks out of contact. Then think what your site has done to shrink the window of opportunity for these attacks.
17. Don
In respect of Linux ..Pha! it's also resonable to assume that Microsoft product installs worldwide make Linux istalls almost negligable, so odds are that virus writers will go for the biggest target and ignor the small fry.
18. Roger Boylett
I'm available from August if they need a good ICT Manager!
19. Fred Dibnah
If MS software was as secure as all Linux lovers says it should be I am sure another argument would start..
Linux_user01 - Microsoft are monopolising the security market because thier system is immune to every know virus threat and hack. HUGE courtcase ensues, MS fined another £300 million and forced to unbundle the super effective Anti Virus component of thier software
20. Paul Wilson
I can empathise with all the comments from Users/Company's and Microsoft. Unfortuantly in the industry, along with human nature, there is the belief of it will not happen to Me. But even the best intentions of Man and geek sometimes gets out of sync. Vigilance is the best option, plus American company's testing software and hardware before they release it on an unsuspecting public. Microsoft and other company's tend to release their wares with bugs in to get the product out and Iron out the creases at a later date, Plus what better environement to find out what don't work! LIVE testing. Not Just the Americans, all are as bad. If Microsoft and other company's waited till all the bugs and loopholes had been plugged and butted, it would not have been windows '98 or 2000, more like windows 2010 'ish. Virus writers and the like, are a pain, on the same par as the mugger and graffiti artist. They only exist to make life a missery, and enjoy defacing and spoiling society, and like all criminals, they keep people like us in a job, just like the criminal eliments keep the police active.
21. Mike Agius
This sort of response from Microsoft indicates flawed thinking by a flawed company with a flawed product. It is the responsibility of the company to get the product right. Where is caveat emptor implied in their marketing information or WEB site?
My customers' download their patches (as do we) and create fresh problems.
I bought a new computer running XP pro recently. After Win2000, a relatively stable OS, this was a huge shock. Explorer crashes frequently and I dutifully send the errors to Microsoft. Of the hundreds sent in the five months since I got this notebook I have not had a single response.
Thankfully, (for the sake of my sanity) I also program on MacOS X (a rock steady OS with superb support ) using JBuilder X and other excellent Borland products. In fact of all the other tools I use (PalmOS (also very well supported), MySQL, C++ Builder, Wireless J2ME, J2SE etc), Microsoft's are of the poorest quality.
Here's an example. Today I needed to search all the Java files on a drive, to locate those containing the word "account'. Off goes the sniffing dog, but he has no sense of smell. I tried repeatedly, but to no avail, so, to do the job right, I downloaded Wingrep.
As a small software development company, we expend an extraordinary amount of effort getting our product functionally correct.
Is it too much to expect Microsoft to get their product right, then add the dumb frills, natty graphics and slick marketing?
22. anonymous
I use both Linux and Windows. I prefer Linux as I dont have virii infections and have loads of tools and applications that can do the job. I can also find an answer pretty fast. I have had to recently stop using Ms KB website because I think it is shite. I get most of my info from google or other forum sites.
People who discount Linux dont know it. Try it and then post again. If Fred Dibnah did auto update on a productions server in a server farm and it BSOD the server how long is he going to be working. You will be back at sweeping chimney wondering what you did wrong.
23. cdragon
Well I 'upgraded' two of my systems with the latest greatest service packs and patches from the Microsoft web site last night. I thought it was some hardware problem the first time so I proceeded to 'upgrade' my second box. Now I have two totally useless systems that continually reboot in any mode without getting to the log in screens. Thanks Microsoft! Your patches are worse than the virus!! At least with the virus I could boot into safe mode!! I'll be installing Linux tonight. I'm sick of this shoddy endless cycle of buggy upgrades.