[WEB4LIB] RE: Two interesting articles dealing with viruses and I

Andrew Mutch amutch at waterford.lib.mi.us
Wed Oct 3 11:43:26 EDT 2001 

Bill,

I think the problem with this line of argument is that it places the onus of
security squarely on the end user. Considering the number of libraries and other
institutions where there are tech people who should have known better and were
still taken down by Nimda, I think it is unreasonable to expect end-users to be
left to fend for themselves. I'm sure that most of us have worked with end-users
whether they be staff or the public or friends and family.  Do you really expect
them to be constantly updating and upgrading, even if they should?

It also ignores the real issue which is that too many of Microsoft's products
use security models that are insecure.  There is no excuse for having a server
product that allows an untrusted download to take control of the operating
system. That's unacceptable.  The same is true of the browser (IE) and the mail
client (Outlook) being able to do the same to the operating system of a PC.
Unfortunately, Microsoft has sacrificed security in favor of integration and
ease-of-use.  Virus software is only a band-aid on this problem and no guarantee
that the next SirCam or Nimda isn't going to get past it, even if it is
updated.

The real fix for this problem is for Microsoft to start taking security as
seriously as it does the look-and-feel of their products.  We can slap all of
the security tools in the world on our servers and our desktops but as long as
the underlying OS and applications allow the potential for exploitation, there's
always going to be the virus writer who is going to find a way around those
measures.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI


"Drew, Bill" wrote:

> The article about Outlook has a core of truth to it.  The problem is it does
> not mention the fact that groups using Outlook with the Exchange server can
> use virus protection software on it.  It does mention that if websites had
> updated the security fixes put out by Microsoft the spread of the virus
> would not have been so bad.
>
> Users must take some responsibility in this latest incident.  Banning
> Outlook is short sighted if not impossible to do. Teach users not to
> download files even when a webpage says they should.  Users must have the
> sense not to open attachments such as the Nimda one.  Above all, I think
> Microsoft ought to look into revoking the licenses of those that do not
> update their server software when security fixes are so easy to get.  There
> must be a way they could do that.
>
> Bill Drew

More information about the Web4lib mailing list