BBC Home
Explore the BBC
BBC News
Launch consoleBBC NEWS CHANNEL
Last Updated: Monday, 4 October, 2004, 10:20 GMT 11:20 UK
Kill or cure for PC problems
We should all keep our computers patched and up-to-date, but what happens when the cure breaks something else, asks technology analyst Bill Thompson.

Lightning strike, AP
Some users think lightning will strike them before viruses do
Few of us will be surprised to hear that the recently announced problem with the way Windows displays Jpeg images has been exploited by virus writers.

In the past few days, nasty pictures that attempt to infect computers have been distributed by instant messaging and posted to Usenet groups.

So far they are just prototypes that don't work properly. But it is only a matter of time before someone writes some code to sit inside an image file and infect other pictures and programs, spreading through e-mail or other channels.

And when it happens, millions of computers will be vulnerable because their users have not installed the latest version of the Windows GDI+ graphics system that is the root of the problem.

Online exposure

Of course the people building the malicious code aren't being especially clever.

Unlike "zero day" exploits, where virus writers discover a problem and get their virus out before any knows about it, the issue here has been exhaustively covered in the press.

The details of the bug are well-known, and there are even 'toolkits' for virus writers to use that do all the hard bits.

In fact, the virus writers are relying solely on the fact that there are a lot of people online who simply don't know or care about security, who will not have bothered to patch their Windows PC, and who are perfectly happy to click on links, open e-mail attachments or have online conversations with strangers.

Bill Thompson
Connecting to the internet is a social act, one that carries with it obligations, including an obligation to run a secure system.
It is hard not to conclude that exposed users get what they deserve.

After all, recent research into US computer users by the National Cyber Security Alliance found that one in three believed they had more chance of being struck by lightning than having their computers broken into.

Presumably these are the same people who believe that a guardian angel will come and sort out their hard drive after it's been trashed by a virus.

On the internet, however, there are serious consequences if millions of computers get infected.

The network slows down, vital data may be damaged, and many of the infected computers will be turned into zombies, used to send spam.

It is, as I've said before, socially irresponsible to leave your computer open to attack.

Diverse network

Even though I still believe that people should be more responsible with their net-connected computers, I'm starting to develop more sympathy with those who haven't patched after my own experience with Microsoft's Office Update.

I have two Windows computers at home, along with a Linux box and a Unix server sitting on a friend's network (my daughter has an iBook, so we're a cross-platform household). One runs Windows 2000, the other XP, and I've got Microsoft Office on both so I clearly had to patch my systems.

Unfortunately, before I could apply the security patch, I had to install service packs and other bits and pieces to bring my installations completely up-to-date. None of these was a critical security patch, but I couldn't proceed without them.

In the process Office Update also patched my copy of FrontPage 2002, the web editing software I use to manage a website I work on. And when I went back to the site to make some changes, it stopped working.

It seems that as part of the patching process, Microsoft had 'upgraded' my installation, and some of the active server pages I'd built for this site no longer worked.

Windows XP
Windows XP Service Pack 1
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Office 2003
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002
Picture It! 7.0
Picture It! 9
Producer for PowerPoint
Project 2002 SP1
Project 2003
Visio 2002 SP2
Visio 2003
Visual Studio .NET 2002
Visual Studio .NET 2003
After some digging around I discovered that Microsoft wanted me to upgrade a lot of other stuff too, to bring everything up to the same level.

Fortunately I found an advice forum that told me how to turn the clock back by copying three critical configuration files into the right place, and I only wasted five hours sorting it all out.

As a result of this, I'll think twice about the next patch I'm asked to install, and I certainly won't be putting Windows XP SP2 on my box for a while yet.

The problem would be avoided if security patches were just that, and companies didn't try to sneak upgraded versions out by bundling them with critical fixes.

As a fair and balanced journalist, I would like to point out that this isn't all Microsoft's fault, and that other systems have vulnerabilities too.

The only problem is that much of it is Microsoft's fault, because it built its operating systems on top of a woefully inadequate model of computer security that was superseded 20 years ago in serious computing circles, and it has put ease of use before security in almost every product it has released.

MacOS X and Unix/Linux don't have so many problems because the central security features are better and applications respect the security model more. It's that simple.

Social networking

I was criticised by many readers for my suggestion, a few weeks ago, that net service firms should check whether customers' computers were properly secured before they let them connect to the wider net.

Stethoscope, Eyewire
Curing a PC can cause more problems
Some people assumed that this would mean only Windows machines could connect, which was certainly not my intention.

Many argued that they should be allowed to determine what programs run on their computer, and that attempts to limit their freedom were unacceptable.

It's a nice argument, but not very convincing.

First, they can only run the programs that their operating system supports, written for the processor they have, so the freedom is already limited - why not accept that their net supplier has some influence too?

Second, we should resist letting the selfish individualism that has done so much damage to our wider society wreak even more havoc on the net.

Connecting to the internet is a social act, one that carries with it obligations, including an obligation to run a secure system.

Despite the mess Microsoft made of my website, I'll still get the next security patch that comes my way from Windows Update.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.

The BBC is not responsible for the content of external internet sites


News Front Page | World | UK | England | Northern Ireland | Scotland | Wales | Politics
Business | Entertainment | Science/Nature | Technology | Health | Education
Have Your Say | Magazine | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific