No Free Lunch at the Dog Food Diner

I'm not sure whether to chuckle or feel disturbed. My uncertainty arose when I learned that a new worm that spreads itself the same way the VBS.Loveletter worm did only 6 weeks ago struck Microsoft, Visa International, and other businesses this past Monday. VBS.Loveletter spreads by sending a copy of itself to everyone listed in an Outlook address book. Because VBS.Loveletter spread to so many computer systems so fast, Microsoft took the unprecedented step of creating an Outlook Security Update that actually eliminates a lot of the interoperability that Microsoft worked so hard to put into Outlook in the first place.

Here we are 6 weeks later, and another worm with the same general characteristics as VBS.Loveletter is seriously affecting businesses. That's why a tiny part of me wants to laugh: Once again, Microsoft didn't eat its own dog food. The company didn't load the Outlook Security Update and paid the price for that decision through the pains of an email system that remained crippled for much of Monday.

Why didn't Microsoft load its own security update? What activities or product functionality at Microsoft take precedence over security? The company had the Outlook update before everyone else but didn't mandate its use across the board in-house. Why?

The fact that a vendor such as Microsoft doesn't use its own security patches is bad enough, but what about Visa International? Is it OK that a giant company such as Visa doesn't adequately protect itself against intrusion? Visa carries and manages a significant portion of the world's private debt, yet it failed to make sound decisions with regard to the security of systems that hold personal financial records.

Visa investigates anyone wanting credit to ensure the person isn't too large a financial risk. But where is the reciprocal check and balance against Visa? What mandate insists that Visa, or any financial institution, demonstrate competence with information security before it's allowed to obtain personal information for internal use? I suspect no such mandate exists; otherwise, this recent worm infection would not have happened. The affected companies are fortunate that the worm was not malicious this time around.

Keep in mind that Microsoft and Visa are two of the world's largest players with regard to e-commerce payment-standards development. They intend to shape the way you do business online. But if Microsoft wants consumers to trust its OS to the point where they accept an increasing number of devices with embedded Microsoft technology, then the company must take security much more seriously. And likewise, if businesses such as Visa expect consumers to embrace their e-commerce solutions and storefront technologies, they must get better control over their security policies and procedures. These companies can't expect us to trust them when they don't consistently keep their networks safe from intrusion. Until next time, have a great week.
