We all know about the recent virus that is floating around, the W32.Blaster.Worm. Obviously, this worm was major threat–Symantec raised it from a level 3 to a level 4. You can’t help but read about it on sites like osnews.com or Slashdot.com. But I noticed that one thing that seems to be missing a lot of times, at least with this latest worm. People don’t want to take the responsibility for updating their computers when the update was available a month ago.I’m not here to defend Microsoft in any way. Their code does have bugs in it. Furthermore, no operating system is perfect. Granted, as of right now, Linux, Mac OS X, and Novell seem to have a lot fewer issues. But let’s consider that Microsoft is the current OS leader both on desktop and server. And as such, they are going to be the main target of hackers and virus writers. However, as Linux usage increases it will begin to be targeted more frequently. With Linux, it may take the hackers a little longer to find security holes but they will find them.
Getting back to my point, this new worm isn’t 100% Microsoft’s fault. Yes, did their code have a bug that could be exploited, you bet. As usual, it has to do with a buffer overrun. But, Microsoft did catch it and posted an update for it a month ago. The original notice was posted on July 16th, 2003. So I just have to ask the question, “What was everyone doing when Microsoft posted the update?” Microsoft isn’t just posting these updates for its own enjoyment, even though some times you have to wonder.
At some point, especially in the case of businesses, you need to hold the administrators accountable for making sure their equipment is up to date. I know that network administration means providing support for a whole host of systems. But I’m sorry, part of a administrator’s responsibility is security and that includes updating the various systems as needed. Except with the case of services packs, most Microsoft updates can applied without any issues. I have always maintained that service packs need to be tested before rolling them out. If you are not using the automatic update service on every machine, you can use solutions like SUS that can handle the updates for you with more control. Simply put, when an update is available and you didn’t install it, don’t blame Microsoft. I, for one, don’t want to get busted by my boss because of a virus or an attack that was preventable. That’s what I get paid to do, be proactive, so my systems don’t go down.
Home users are another issue. Obviously, the lack of knowledge about applying updates to a computer must be considered. But let’s face it, as annoying as it can be at times, the automatic update service can handle these issues with very little input from the user. Except of course when the user turns it off. In the end, it’s their responsibility to deal with new updates too. Sadly, most users don’t take the time to improve their knowledge of computer basics. Like it or not Microsoft has to consider this issue which is why the automatic update service was created.
Lastly, let’s consider this, if and when Linux usage increases and becomes as big as Microsoft or bigger. These same issues are still going to apply. Users both in business and at home are still going to need to do updates as they become available. The operating systems may change but the administrative responsibility is still there.
Karl J. Sak is a (responsible) System Administrator