Microsoft told to take some virus blame

Virus writers most hated but Gates and co don't escape completely...

By Dawn Kawamoto, 19 August 2005 08:10

One-third of business users blame Microsoft for the recent worm outbreak, despite the company's security efforts, according to a poll.

Thirty-five per cent of respondents to an informal web survey of customers by security company Sophos said the software maker was ultimately at fault for the recent rash of worms spawned by variants of Zotob. In the poll results, released on Thursday, 45 per cent placed the blame squarely on the virus writers, while 20 per cent laid blame on their systems administrators for not patching systems fast enough.

Graham Cluley, Sophos senior technology consultant, said in a statement: "The majority of users believe that the virus writer has to take the ultimate blame for deliberately creating and unleashing this worm to wreak havoc on poorly protected business. But what is most surprising is that so many people blame Microsoft for having the software flaw in the first place."

Microsoft is not alone. Companies are increasingly calling on software developers to improve their security battle-testing of products before release.

A Microsoft representative said on Thursday: "No software is 100 per cent secure, and this is collectively being felt by the industry. Over the last year, Microsoft has made improvements with security."

The software giant, for example, has launched its Security Development Lifecycle, the representative said. The move modified Microsoft's software development process to improve the way it integrates security best practices from the start.

Microsoft has also seen security improvements with its Windows XP operating system and the Service Pack 2 update, analysts said.

In the most recent worm outbreak, malicious attackers began circulating variants of Zotob and other viruses that exploit a plug-and-play feature in some Windows versions. The onslaught came shortly after Microsoft's regular monthly patch release, which included a fix for the problem. The flaw allows remote attack in Windows 2000 and not Windows XP SP2, according to Microsoft.

Cluley said: "Microsoft is stuck between a rock and a hard place when it comes to vulnerabilities. When it goes public about its security holes, a virus can be written to exploit them and many businesses may not have rolled out the patch. If it kept quiet... everyone would ask why Microsoft hadn't warned anyone of the vulnerability."

Dawn Kawamoto writes for CNET News.com

Comments

There are 4 comments.

  1. Mark Brasche

    The solution for Microsoft is obvious. Build into the OS encryption that allows them to release patches that cannot be decompiled by virus authors.

  2. anonymous

    Of course, most encryption can "easily" be cracked by a determined attack by modern machines - [maybe a grid-based solution]

    But that's overcomplicating things. All a potential virus writer would need to do is

    1) make a snapshot of the computer - files, registry keys, etc prior to installing the patch
    2) make a snapshot again after installing it
    3) compare and see which files / reg keys were changed.
    4) examine the code of the 2 versions and work out where the hole is
    5) exploit it.

    The only way Microsoft could really control patching/ virus writers would be if everyone was to implement a thin-client solution with the OS held on machines in the care of Microsoft - so us end users would never be able to access anything - of course, this is unfeasible...

  3. James Button

    Mr? Burlington's comment as CEO of Surfsafely.com shows such a lack of understanding of software, that I would not wish to incorporate any of their products or services within my organisation.

    Encryption of the fix is pointless as it has to be decrypted to be applied, and once the fix is applied to the OS, then the change can easily be detected and documented by an automated compare of the new, and old OS instances.

    The only safe way to 'fix' an OS is to require the user to specifically authorise each change to the OS.

    That requires the OS design and build to be robust and secure enough to NOT allow any unauthorised access -
    in which case it wouldn't need any 'security' fixes.

    As requiring specific authorisation to install a change to each PC means no automated install, which will not please administrators of networks with hundreds, or even thousands of 'company' PCs.

    We are basically back to requiring the OS design and build to be robust and secure enough to NOT require security fixes.

  4. Mackers

    Well, if the software is weak - then maybe the prices need to come down - the ol' saying of "you get what you pay for"...

    I wouldn't mind paying a Ferrari tariff, if I actually got a Ferrari out of it...
