Microsoft V Hackers: Who Is Really At Fault?

[Waychel]

Why are Microsoft's programs so insecure and why don't they do anything about it?

I got infected by a virus recently that is an auto-executing vb script that propagates itself all over your computer, using up your resources while also inserting itself into documents to spread itself to other computers. I was able to patch the hole in IE and remove the virus, but now I have over 5,000 documents infected with this giant block of the code.

This is just another reason why I refuse to use most Microsoft products. If the programs I use for work and other things weren't exclusive to Windows, I wouldn't even be running that. I don't hate Microsoft because they're a monopoly or any of the other reasons that people usually hate the company for; I hate them because they're supposed to be a professional company, and yet they release insecure and unstable products that are wide open to attacks such as this.

I think for all the damages that are caused by viruses, worms, etc. to businesses, that Microsoft should be held accountable for their gross negligence in allowing their programs to have such blatant security holes in the first place. I mean really, no internet browser should automatically execute ANYTHING from a website - yet you know the reason this hole existed in the first place, is so that Microsoft could have you automatically download stuff from them.

They don't seem to care at all whether something is potentially exploitable or not. They are nearly as at fault IMO as the very people who write this crap. -_-

[Evios]

... http://windowsupdate.microsoft.com/

So... there are thousands of patches ready for download on their website. It's impossible, if you've ever programmed something even a 10th the size of windows to clear out every bug. Just doesn't happen, your product would never be released.

I fail to see why you not updating windows, and running a virus scanner has anything to do with Microsoft. If you got it through the exploit that was announced on worldwide news for about two weeks strong... every broadcast including the notice, "please go to Microsofts website for information and downloads on patching and fixing the exploit found in some version of Windows", then... well, sorry for you, should have listened.

You believe that MS was the only company wanting the ability to execute things from the browser? Mmmk.

It's odd, I've yet to get a virus in the 12 years I've been working with computers... and it's not from a lack of downloading, just maybe common sense.

[Waychel]

I do keep my Windows updated and this is actually the first time I have gotten infected by a virus. =P The problem was my version of IE wasn't the most recent.

Also, its pretty naive to make a browser that will AUTOMATICALLY download and execute off a website, because the chances of that being compromised or exploited in some way are pretty high.

Microsoft doesn't make secure products, but what's upsetting to me is that they aren't taking any measures to correct or improve upon this. I mean for one thing, it seems to be acceptable that viruses are such an issue, when they shouldn't be.

If Microsoft cared, they could rework Windows right now to eliminate the possibility of viruses. Viruses rely on exploiting back doors in the way Windows applications work in correlation with the operating system itself. With unix-based operating systems, applications are isolated from the kernel, so there's no way for a virus to work its way from an application to the operating system. But instead, Microsoft would rather release numerous versions of Windows with different interfaces touted as "updates" as every single one contains the same blatant vulnerability.

Why can't they stop the problem at the source, instead of waiting for the next virus to come along and then releasing a "patch" several weeks later after everyone has been affected? They're not doing anywhere near as much as they could, or should.

[xm.bretton]

the browser wont automatically download anything unless you give it permission in the settings.

always go through those beforehand.

[xm.bretton]

and do you go and sue the doctor when you get sick?

some things are inevitable.. computers will get sick sometimes.

[Waychel]

Obviously I have told Internet Explorer not to download things automatically. :P Internet Explorer used to automatically execute VB code accessed on websites though which was just gross negligence on Microsoft's part to allow. There was no excuse for it - just as there is no excuse for Windows to be as vulnerable as it is in the first place.

I cannot sue my doctor if I become sick, but your comparison isn't analogous with this argument at all, so I fail to see the point.

[castille]

Linux!

Use Linux. Or Apple.

Seriously. You can't blame Microsoft for everything. I agree they've lost their vision since Bill Gates founded it from his garage, but if you dont like it, try the alternative.

Most of my friends enjoy Linux or Apple Mac, and I for some reason refuse to upgrade (using Windows 95 since 1998, and theres no way I'm paying another $800 for some new crap).

[fedfem]

I agree, Castille, Linux is the way to go. I use both personally, Windows and Linux.

[Waychel]

I use Slackware Linux normally, but I cannot use Linux for business, which is my dilemma. Everything I use for work is Windows exclusive and Wine can't emulate everything. That, and I can't trust it to run some things regardless.

That is the point of my argument, that Microsoft's negligence affects business to such a degree. :\

[fedfem]

Most large businesses and Universities and such run on Unix. Throughout the world it is about 50/50. It is the smaller businesses that are slaves to MS. Linux can do anything MS products can, without the bells and whistles of course. Most of Europe is using Unix based products and Linux is becoming the platform of choice for PCers slowly but surely.

[Waychel]

I think the main problem is that the government uses Windows (...), and because the government uses Windows, courthouses are recquired to; so many of the programs both courts and practices use are made exclusively for Windows as the practices are expected to use Windows, too. They don't even make stuff for Mac anymore, so there's little room for air..

[fedfem]

Many of the Gov systems are Unix as well, but yes, the courts for the most part are MS. It is frustrating.

[Geoff332]

</span><blockquote><span class="smallfont">Quote:</span><hr size="1" />Originally Posted by
I cannot sue my doctor if I become sick<hr size="1" /></blockquote><span class='postcolor'>If you become sick because the doctor was negligent, then you can sue them. That is, perhaps, the most apt analogy.

[The Devil]

Ever heard of VMWare? Run a virtual machine on Linux, and all is well. I can supply you with the means to get it ;p

Anyone who claims that viruses are normal and "computers sometimes getting sick" is normal needs their skull to be bashed in with a blunt object... preferably the physical manifestation of the Linux kernel. That's obsolete thinking. I don't have to worry about my computer "getting sick". Why is that, you ask? Because I boot Linux and BSD.

When was the last time the Half-Life 2 source was compromised because of an IE bug on an open source platform? When was the last time there was a Blaster worm on an open source platform? When was the last time an open source platform was deliberately designed to make sure you're not breaking US laws, even if you happen to live in a less draconian country?

[Gwala]

</span><blockquote><span class="smallfont">Quote:</span><hr size="1" />Originally Posted by
there are thousands of patches ready for download on their website<hr size="1" /></blockquote><span class='postcolor'>

Ahuh, and you dont look at that and say 'hey, there are THOUSANDS of patches, maybe we should help the user update them every ten nano-seconds when another fault exists'. I am a programmer, I am also a proffessional security analysist (read: whitehat).

Microsoft IS negligent, would you like to know why these problem's exist? buffer overflow's are the result of poor programming, believe it or not, if you send a dynamically-sized variable, into a fixed sized one, then you really wonder what you were trying to do when you set it to be fixed in the first place.

Take a look at linux, it generally suffer's from less of these incursions for two reasons I can think of:
1) Linux programmer's tend to look for peer acceptance of their code, thus check it, and try make it as well written as possible
2) Code is then reviewed before endering the Kernel

Then look at microsoft programmer's:
1) I'm being paid to write this, not to write it well
2) My boss isnt going to check this.

Thus you have a clear divide that could be called negligence. Consider a comparison with the car industry, if say GM didnt crash-test their vehicles, and thouroughly test them, they would be negligent, why should the software industry be any different, when we have nuclear reactor's running on WinNT (which incidentally was the cause of that major blackout)

...

-Gwala

microsoft realises that everyone buys its crap anyway so theyre too lazy to test it

[node]

I think nothing is perfect.....so, we can't microsoft to solve anything, some people out there will try to hack microsoft no matter what........;)

[Paavo]

the code is sloppy, there's no way around that...I mean come on.
It is microsoft's fault. It's true that people will try and hack microsoft's stuff anyway, but that doesn't mean they could not've done a better job preventing it. Some problems with windows are ridiculous.

[castille]

If you dont like it use Apple or Linux.

They're on the market, plenty of software for both. In fact both have excellent word processing software and internet software. Unless you are obssessed with playing for-Windows games...

[Waychel]

As I said multiple times, many programs I use for work are Windows exclusive, such as CAPS and TopForm.