[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 17 September, 2004, 14:51 GMT 15:51 UK
Taking computer insecurity seriously
The latest flaw in Windows code means it is not safe to surf, says technology commentator Bill Thompson.

Hand on mouse
Millions of Windows users at risk from the flaw
It used to be assumed that you couldn't get infected by a virus just by looking at an image on your screen, because programs that display images don't treat the bits that make them up as code.

Tales of infectious images were just horror stories to scare new users with.

Two years ago anti-virus company McAfee got into trouble for claiming that the W32/Perrun virus could infect image files, when in fact it required a separate piece of viral code in order to spread.

But now Microsoft has released details of a major problem the GDI+ graphics system which has turned the story into a rather unpleasant reality.

As a result, millions of net users could find their machines compromised just because they visit the wrong website or look at the wrong e-mail, since a carefully constructed Jpeg image file could be carrying a virus which will infect them.

Spread the message

Microsoft, like any other software company that discovers a major security flaw, faced a serious dilemma when it was told of the problem.

It could have kept quiet, fixed the bug and started to distribute new versions of the programs involved, hoping that nobody else would spot the error or write a virus to exploit it.

Bill Thompson
Public education doesn't seem to be working, so perhaps the solution lies in sanctions

Although the news would eventually leak out, they might reduce the number of exposed systems by the time it does so.

Or they could come clean, publicise the problem as widely as possible and encourage everyone to patch their systems.

Wisely, it chose the latter course. Keeping quiet about such things doesn't work, and there is never any guarantee that the flaw has not already been discovered and exploited.

Unfortunately we know that that many people will disregard the message, giving the virus writers a great opportunity to exploit a brand new security hole, assuming that it hasn't been known and used for ages.

It's hard to feel any sympathy for the software industry, when they let so much bug-ridden code get onto our computers. And the fact that this latest problem involves our good old friend, the buffer overflow - where a program reads some data but doesn't properly check that it isn't getting too much at a time - is deeply depressing.

Writing code that checks the data it is reading isn't hard, and many modern programming languages do it automatically. Microsoft deserves to be embarrassed for letting this sort of thing happen, and in a relatively new part of the Windows system.

No protection

The real danger here is not that a new, crippling virus will suddenly spread over the internet, damaging computers and clogging up the network.

Microsoft boss Bill Gates
Blow for Microsoft's efforts on computer security
It is that a stealth virus will infect millions of machines and install backdoor software that turns them into "zombies", that can be used to distribute spam or carry out attacks on commercial websites.

Things are made much worse because the GDI+ system is used in many different places and by different programs, so that the process of fixing a computer can be quite complicated and involve several steps - it isn't just a matter of using the Windows Update and applying a patch.

That will deter lots of people from bothering, and leave a lot of vulnerable computers on the network.

We need to do something about this, if only for selfish reasons.

For while we shouldn't exempt the computing industry from its share of blame, it is clear that everyone with an Internet-connected computer has a general responsibility to the network as a whole.

Just as we advocate vaccination against major diseases so that communities develop what is called "herd immunity", so we need to reduce the number of vulnerable machines to the point where viruses and worms do not spread.

Public education doesn't seem to be working, so perhaps the solution lies in sanctions.

At the moment those who fail to update their systems or protect them from viruses can still get online and use internet services. We could, however, make life a lot harder for these anti-social types.

Secure machines

Both Cisco, which makes much of the hardware that underpins today's internet, and Microsoft, are working on what they call end to end security architectures as a way of securing business networks.

RJ45 cables
Should people be stopped from going online with protection?
When a computer tries to connect to a protected network, it first has to verify that it complies with that network's security standards. It's a bit like having a swipe card to get into a protected area of a building.

If the computer doesn't conform then it is only able to connect to a single server, one which provides the patches and security software it needs.

If internet service providers set up a similar system for their customers then anyone who has a virus or other malware would find themselves unable to connect to the wider internet until they had sorted it out.

The security check could even look to see if anti-virus software or a firewall were in use, and refuse to connect any unprotected machines.

Many would complain at first, but the benefits to the net community as a whole would be so great that it would be worth it. We would have less spam, fewer viruses and a safer online world.

We hear a lot about environmentalism and corporate social responsibility, with many businesses boasting of how they protect the natural world.

But if we're going to live in a digital world, then we need to take our responsibilities to the online environment seriously too.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.


The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific