
The Zotob worm recently brought down computers at several large corporations. Who should share in the blame?

Listen to the podcast: Zotob Attacks! Who's to blame?

Transcript

This is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.

Last week, as it does regularly, Microsoft released patches for several vulnerabilities in various versions of Windows. Then, hot on the heels of that announcement, this weekend we heard of massive computer crashes at several large organizations due to a recent virus by the name of "Zotob". (Where *do* they get those names?) The virus and the crashes apparently affected only machines running Windows 2000. Windows XP users had no problems.

So a few large corporations suffered an outage - who gets the blame?

Well, a lot of people will of course blame Microsoft for writing buggy software. But the fact is that there is simply no such thing as bug-free software. Given that this bug took five or more years to detect, it is hardly surprising that the operating system shipped with it.

A lot of people will blame the virus writers for their deeds, and I sure can't disagree there. Even if there's a huge, gaping, obvious security hole, taking advantage of it for the purpose of causing others harm is not only illegal, but unethical and immoral.

But I think that there's another group that needs to share some of the blame, and that's the people at each of the affected corporations responsible for their computers. The people who did not push out the security patches as soon as they became available. If they'd done that, there wouldn't have been an issue for their organizations.

For better or for worse, security patches and updates are now a regular occurrence. In fact, so regular that Microsoft even schedules the releases - if it's Wednesday, it must be patch day. By now there's no reason for IT departments not to know this, and even anticipate it. There's no reason not to have patches deployed within 24 hours of their availability, especially when you know they're coming.

And especially since you also know that as soon as the vulnerabilities are publicized, new viruses ready to exploit unpatched machines are right behind them.

I have several links to related items in the show notes for this podcast - visit askleo.info, and enter 9056 in the go to article number box. Leave a comment - let me know what you think, I'd love to hear from you.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems. New questions and answers are added daily.

That's askleo.info.

Article C2406 - August 17, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


5 Comments
Dave
August 18, 2005 7:54 AM

Leo,

As usual, great informative podcast. One point I'd like to bring up is that even though IT folks know about the release of Microsoft Hotfixes, deploying them quickly is not always as easy as it sounds.

Due to Microsoft's track record, I'm sure many companies download them right away, but have to take some time to test the patches against "standard builds" (both server and workstation) to be sure that it doesn't break anything else first. Fixing one problem has, at times, introduced others.

Then there's the matter of setting deployment and making sure that the package provided by Microsoft can easily be rolled out to the user base by a given deployment mechanism (Zenworks, SMS, etc). Then depending on the size of the organization, these files/jobs have to be staged and scheduled.

And don't forget the politics involved in larger corporations; Change Approvals, Line of Business (LOB) sign off, etc. Sometimes it amazes me how ANYTHING gets done at all... let alone within 24 hours.

Leo
August 18, 2005 9:25 AM

Good points, Dave. You're quite right about the first one ... compatibility testing is indeed an important part of the equation that I skipped.

As for deploying, that's simply technology. I don't mean to sound trite, but really, it's just about copying bits to lots of machines, and there are several solutions. If *that* is the bottleneck, then it's the wrong solution for your organization.

I suspect that more often than not the real problem is the politics and unneeded red tape ... and that's my real concern. The Zotob attacks are an example that IT managers should be using to justify cutting through that, if that was their problem.

Ben
August 18, 2005 1:57 PM

Leo,
I appreciate the intended fairness of your podcast, but I found the IT-folks-should-get-the-patches-out-sooner thesis naive. Corporate IT folks can't deploy software, especially OS patches, without first regression testing them in conjunction with the corporate suite of applications. Depending on how many versions of Windows they support, as well as how many corporate applications they have, this level of regression testing adds days or weeks, certainly not 24 hours. And we're not even considering the problems incurred with auto-pushing out updates to thousands of machines, i.e. one is guaranteed to have the auto-pushed update fail on some small percentage of machines, perhaps even crashing them: lovely to come into work in the AM to find a blue screen courtesy of an IT auto-pushed patch.

If you're looking towards IT to share the blame on virus propagation, how about corporate IT's role in recommending homogenous computing environments? Darwin showed us how homogenous solutions are an anathema in the real world: a virus would wipe out an entire species if it weren't for diversification. Similarly in IT, a heterogeneous mix of MS and non-MS solutions would ensure that at least some machines would be unaffected by any given virus attack. In other words, should IT be promoting some reasonable level of diversification (through standards) to reduce the impact and spread of virii?

Larry Griffin
August 19, 2005 6:40 AM

I am not an IT professional, but as a seasoned user of Microsoft products I have been the victim of "patches" on several occasions. How can you blame IT pros for not immediately deploying a "fix" when the past has shown them that the medicine is often worse than the virus?

Jeffery McLean
August 19, 2005 7:25 AM

You've listed three blameworthy sources. I do think Microsoft should share some of the blame.

However, I think not only should the companies who got infected share the blame, they should be the first to blame.

Protecting the servers is the IT department's job. It isn't Microsoft's job and it certainly isn't the virus writers' job.
Adding a patch isn't the only way to guard the servers. Worms are restricted to attacking one port (the port where the defective feature is active); if you can't add the patch quickly, block the port with a firewall. Everyone should have one.

Blaming the company has a part 1 and 2: the IT department that didn't take action and the person who didn't fire the IT department for not taking action.

Exactly how much responsibility belongs to the IT department and how much to the person who didn't fire the IT department depends on how the company is structured and just how much control the IT department has.

Next is the virus writer.
How nice that they are now waiting until a patch comes out.
Or maybe they are just getting lazy.
Actually both, in my opinion.

Of course we wouldn't need to worry about patching bugs if people didn't go around exploiting them. But they do, so we do.
Also we wouldn't have to look for bugs if these people didn't look for them themselves.
Just because it took Microsoft years to find it doesn't mean it'll take virus writers as long.

But these days they aren't trying. Microsoft finds and fixes a bug and an evil programmer knows a bunch of companies won't be downloading the patch in time.
Pretty dang easy.

Lastly Microsoft.
True enough, no operating system is bug free. Seems every day a new Linux bug is found and fixed.

However, instead of sitting down and fixing bugs Microsoft adds new features (and new bugs). This is part of why it took so long for Microsoft to even find this bug.

The classic Windows design (I'm talking the now obsoleted Win 1, 2, 3, 95/98 system) was poorly designed and contributed to huge design flaws.
The NT legacy is a far better design and should be far easier to maintain.

I've heard stories about Microsoft's development cycle. Nightmarish. However Microsoft has since revised this plan and I think I heard they even have a team dedicated to the job of finding and fixing bugs. If not they will; it's a logical move.

Microsoft is to blame. They aren't officially owning up to it but they are taking charge where it really matters.
I think you'll find these attacks happening less and less over time.

Still, I'd like it if Microsoft would also admit, as you have, that ultimately it's the IT department's job to protect the servers and not rely on security patches to make that happen.
There are many tools available to IT professionals and home users to secure Windows boxes. There is no reason to rely on Microsoft's security patches as a first line of defense.
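The compensating control Jeffery describes above (if the patch can't go out at once, block the affected port with a firewall until it does) can be made a routine check rather than a one-off. The following PowerShell script is an added example for this page, not code from Ask Leo! or any of the commenters, and it assumes a current Windows host with the NetSecurity module (New-NetFirewallRule and friends) run from an elevated prompt. The hotfix id and port are placeholders to be filled in from the bulletin for the vulnerability in question; the page itself names neither.

```powershell
# Added example (not from the podcast or the comments).
# Assumptions: elevated PowerShell on a current Windows host with the NetSecurity
# module. $RequiredKB and $Port are placeholders; take the real values from the
# security bulletin that describes the patch and the service it fixes.
param(
    [string]$RequiredKB = 'KB0000000',                 # placeholder hotfix id
    [int]   $Port       = 0,                           # placeholder: port the vulnerable service listens on
    [string]$RuleName   = 'Temp-Block-Until-Patched'   # name of the temporary block rule
)

# Get-HotFix returns nothing (and a suppressed error) when the hotfix is absent.
$patched = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

if (-not $patched) {
    if (-not $rule) {
        # Patch not yet installed and no rule present: block inbound traffic to the port.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Block -Profile Any | Out-Null
        Write-Output "$env:COMPUTERNAME: $RequiredKB missing; inbound TCP/$Port blocked by '$RuleName'."
    } else {
        Write-Output "$env:COMPUTERNAME: $RequiredKB still missing; block rule '$RuleName' already in place."
    }
} else {
    if ($rule) {
        # Patch has landed: retire the temporary rule so the service is reachable again.
        Remove-NetFirewallRule -DisplayName $RuleName
        Write-Output "$env:COMPUTERNAME: $RequiredKB installed; temporary rule '$RuleName' removed."
    } else {
        Write-Output "$env:COMPUTERNAME: $RequiredKB installed; nothing to do."
    }
}
```

Run on a schedule (or pushed through whatever deployment mechanism the organisation already uses), this gives each machine a safe interim state during the testing window Dave and Ben describe, and it cleans up after itself once the patch is verified present, so the block does not outlive its reason for existing.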
