ZDNet: ‘Code Red’: What went wrong?
The Internet was lucky this time, as this particular Code Red program squandered its advantage and left itself vulnerable to security measures. That will not always be the case, said Vern Paxson, staff computer scientist at the Lawrence Berkeley National Laboratory, who analyzed Code Red’s quick spread.
The Internet doesn’t need to be this insecure. We just don’t care enough to prevent the trouble.
One story this morning said only 10 percent of Microsoft Internet Information Server installations — the only ones this worm attacks — had bothered to install the patch. I can tell you one reason why more don’t. There are so many patches these days from Microsoft that it’s almost impossible to keep up with them.
And Microsoft’s architecture isn’t amenable to hot fixes that actually stick. I downloaded and installed the Microsoft patch, which told me at the end that it would need to be reinstalled if I ever made another patch to the operating system. Gee, thanks.
It’s always interesting to read the legal disclaimers. Here’s the one Microsoft puts at the end of its security postings:
The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.
Gives you the warm fuzzies, doesn’t it…