Opinion: Windows Worm Should Never Have Been a Problem

More than a month ago, Microsoft issued a critical security update exhorting users to install a patch that fixed a security vulnerability that the company said, at the time, had yet to be exploited. Microsoft made the patch available through AutoUpdate, Windows Update, the company's public Web site, and its security email newsletters. Security experts at "Windows & .NET Magazine" and elsewhere practically begged readers to install the patch. I received a copy of an email message that "Windows & .NET Magazine" Senior Editor Mark Minasi sent to tens of thousands of readers, noting that installation of the patch was an immediate priority for all Windows administrators. The US Department of Homeland Security even got involved, warning not once, but twice, that Windows users should install the patch that Microsoft issued in early July; news media around the world widely publicized the second warning.
   And yet this week, when the Johnny-come-lately MSBlast worm struck this very vulnerability, seeking unprotected computers around the world, systems began to fall like so many playing cards. A close friend of mine who is a Microsoft SQL Server administrator wrote to me yesterday about this problem, citing similar concerns that he voiced when the SQL Slammer worm hit last year. "Every time one of these new viruses comes out, someone in my company sends a frantic email about it," he wrote. "The systems people always respond that they updated all the systems a long time ago and that, anyway, the virus won't get through our firewall or our virus software. Then I hear about companies like [automaker] BMW [which was affected by the MSBlast worm]. A company that size, with the resources it has, being affected by a virus that was fixed by a patch issued a month ago? Someone should be fired for that."
   I spend a lot of time speaking with systems administrators, and I take a rather hard stance on installing security patches. I find it amazing that my stance divides readers, however. I received an interesting email message yesterday from a systems administrator who asked me to back off and cut administrators a break. They're overworked and underappreciated, after all. We're all overworked and underappreciated but, love it or not, keeping systems secure is part of the administrator's job. The same friend I mentioned above was shocked to learn last year that many of the SQL Server systems that the SQL Slammer worm infected had been left unprotected because the relevant Microsoft patch--made available months before the worm hit--was "too difficult" to install. And he's right. That excuse is ridiculous.
   We can and do expend a lot of energy berating Microsoft when we think the company doesn't do a good job. And as an advocate of the people who use Microsoft software, I've given some rather impassioned presentations to various representatives of the company. Certainly, security is one area in which the company needs improvement. But let's be honest for a moment. Isn't Microsoft doing a credible job trying to make security job number one? Aside from creating software that doesn't have any security vulnerabilities (which I think we all agree is impossible), what else could the company have done to make this patch more available to customers--send Microsoft employees to your company to install the patch while you were at lunch?
   I get email messages from end users who complain that slow dial-up connections make Windows Update unusable. The sheer number of Microsoft security patches makes administration almost impossible, and the fact that many Microsoft fixes require a server reboot is unacceptable, administrators say. These points are valid, and they make life more difficult for anyone who attempts to patch Windows systems. The company is working to streamline patch management, and life will be better after that happens, but in the end, administrators are responsible for keeping their systems safe and up-to-date, regardless of how easy or difficult that task is. And, frankly, anyone who spends any amount of time on the Internet also should take a little responsibility for his or her own safety. We wear seatbelts when we drive, and we look both ways before we cross the street. The Internet is an equally dangerous place. Maybe it's time we all accept that fact and stop blaming Microsoft for our own mistakes.
