Slashdot Mirror


Visual Studio .Net: Now with more Viruses

News.com breaks the story (and 8000 readers submit) that Microsoft distributed Nimda-infected copies of Visual Studio .Net in Korea. I don't even know what to say here; nothing seems adequate, except to point out that "trustworthy computing" does not seem to have had any effect whatsoever. News.com just updated their story to point out that it probably won't infect the people who installed Visual Studio .Net, but it's still a rather nasty faux pas for a company that's supposed to be cleaning up its act.

21 of 396 comments

  1. People like viruses by anthony_dipierro · · Score: 1, Insightful

    If Microsoft products weren't filled with bugs, they wouldn't be Microsoft, now would they? Microsoft is supposed to be a source for buggy virus-filled software. If they sanded off all the rough edges, their products would cease being products that I would want to use. Microsoft has been running its company for how many years now? If you don't like their products, don't buy them! Life is too damn short to worry about bugs in Microsoft software!

  2. But this is Impossible! by Anonymous Coward · · Score: 1, Insightful

    he added, it's almost impossible to get the worm to execute on computers with Visual Studio .Net installed

    How did this get infected in the first place?

  3. Not entirely Microsoft's fault by 1000101 · · Score: 5, Insightful

    The "third party" that translated the software into Korean had something to do with the problem.

    1. Re:Not entirely Microsoft's fault by Anonymous Coward · · Score: 1, Insightful

      Umm... whose name is on the discs? Whose job is it to ensure their quality? Yeah. It's their fault.

    2. Re:Not entirely Microsoft's fault by Jason Earl · · Score: 5, Insightful

      That's a load of hooey. Microsoft's customers didn't ask them to use a third party to translate the files, nor did they purchase the product from the third party. If Microsoft can't even handle the elementary security step of scanning the product for viruses before putting it on a CD, how do you even know that the mysterious third party isn't replacing important DLLs with DLLs that are functionally equivalent but have a hidden backdoor?

      Clearly Microsoft isn't really checking these files. Which means that when Microsoft says "Trustworthy computing" what they are really saying is that you should trust them, and all of their "third party" allies despite the fact that they have a horrific track record.

    3. Re:Not entirely Microsoft's fault by chris_mahan · · Score: 5, Insightful

      [This post contains language you might find offensive]

      Isn't Microsoft entirely in control of selecting the vendor (the translation/localization company)?
      Would Microsoft be liable if the translator had said: Fuck you and You Eat Dog Now in the manual? Of course.

      Another silly analogy. My VW beetle was assembled in Mexico. Do you think VW says: "Oh, sorry, those damn Mexicans screwed up?" when I have a problem with my car? No. They say: "We're sorry, and we'll fix it right away at no charge".

      They don't even mention the outstanding factory workers south of our border. They just take it like men and deal with it responsibly.

      That's why I prefer VW service over Microsoft's.

      --

      "Piter, too, is dead."

  4. Give it a rest by Anonymous Coward · · Score: 5, Insightful

    Slashdot is rapidly becoming useless with the constant derision it heaps on Microsoft. Let's have more computer news and stuff about FreeBSD and Linux and less "make fun of" news about Microsoft. As if Linux doesn't have its problems. You might end up like Larry Ellison and his ridiculous "Unbreakable" claims.

    Of course, that's a problem with the Linux crowd. Fear of being, and being seen as, professional.

    1. Re:Give it a rest by namespan · · Score: 5, Insightful

      I don't know where to start.

      Slashdot is rapidly becoming useless with the constant derision it heaps on Microsoft. Let's have more computer news and stuff about FreeBSD and Linux and less "make fun of" news about Microsoft.

      Slashdot is hardly rapidly becoming useless. There is no lack of abundance of news about FreeBSD, Linux, Apache, Space, OS X, Wireless, and just about any other significant I/T and geeky topic.

      And while Linux has its problems, and you may not share the editors' views about Microsoft, there are two facts about Microsoft that are hard to ignore:

      1) They are huge. Absolutely huge. They have a lot of influence in the I/T and software industry.
      2) Sometimes their market presence and control gives them reputation beyond what's deserved.

      You may not agree with #2, but consider: .NET barely exists right now. Their ads make it look like people are running serious production solutions on it right now. They claimed months back that Trustworthy Computing was their #1 priority. They just made a major gaffe. They've ignored simple security problems for years because it suited them.

      I wouldn't claim their technology is useless. It has its high points, a few better than open source alternatives. The problem is that it's all too easy to fall into "They're big, they're #1, so it must be the best" viewing of Microsoft. Most of us who bring up reports like this one do so because we've put up with far too much of that kind of reasoning.

      As if Linux doesn't have its problems. You might end up like Larry Ellison and his ridiculous "Unbreakable" claims.

      Of course, that's a problem with the Linux crowd. Fear of being, and being seen as, professional.


      Well, that wasn't anything like our petty digs at MS.

      Do you mean afraid to make claims like Microsoft's "Trustworthy Computing" initiative and Oracle's "Unbreakable"? I don't see this as a problem in the open source world. OpenBSD is the only distro that comes close to making anything like an unbreakable claim, and it has history to back it up. We speak softly and upload running code. We release timely information about bugs, security holes, and patches. Cover ups are few. That's professional.

      Of course, yet again, it's so easy to confuse "big" and "professional".

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.

  5. The Cost of Outsourcing by Real World Stuff · · Score: 5, Insightful

    According to the Article, it appears that "Microsoft's flagship developer tools picked up the digital pest when a third-party company translated the program into Korean...".

    Ultimately it was MS's responsibility to verify they did not shit in their own bed, but how many of us look at every line of code in a distributed or outsourced project?

    Just my $.0199999

    --
    If we don't fight for ourselves no one will.

    1. Re:The Cost of Outsourcing by coyote-san · · Score: 3, Insightful

      They can be expected to verify the ISO image.

      Do you think they approved the disc without verifying all libraries, resources, etc., were present and properly named? (Okay, this *is* Microsoft but work with me here)

      If we can expect them to perform that level of checking, why can't we expect them to run a virus checker at the same time?

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

    2. Re:The Cost of Outsourcing by Peyna · · Score: 2, Insightful

      * How many of us ship viruses with a state of the art costly development environment which will be used by thousands of developers?

      Ford Motor Co. ships(ed) thousands of cars that when rear ended with the left turn signal on would explode killing people.

      Ford Motor Co. and Firestone shipped thousands of SUVs with faulty tires that would explode at high temperatures and rates of speed.

      Funny how these things keep happening over and over again? Nimda isn't going to cost lives is the big difference here.

      --
      What?

  6. Outsourced translators by Mundocani · · Score: 2, Insightful

    Aside from the Trustworthy Computing crap, what does this really say about the industry-wide practice of outsourcing product translations? Anybody who's done software development knows that even the best products give internationalization secondary consideration, but I don't think anybody ever considered how little consideration is given by US companies to the translation and distribution of international versions of software. Perhaps this should serve as a sort of larger wake-up call for all of us.

  7. Just another reason to complain by DrPascal · · Score: 2, Insightful

    If you actually read the article, there are very valid reasons (albeit mistakes) that this happened, and the likelihood of the virus actually running on the machine is next to none. The Help system wouldn't ever open it.

    But hey, this is Slashdot. Let's all miss the relevant parts of the article and just bash "M$"! Yay, fun.

    --
    DrPascal: Not the language, the mathematician.

    1. Re:Just another reason to complain by Jason Earl · · Score: 5, Insightful

      You are missing the point. The problem isn't really that Microsoft is shipping a virus (although you have to admit that this is pretty darn funny). The problem is that Microsoft is shipping files that they don't know about. This file could have been anything.

      Microsoft has set up their business so that their customers have to trust them. There is no way for Microsoft's customers to verify that Microsoft software is safe. Yet time and time again Microsoft has shown that they simply are not particularly trustworthy. It has gotten so bad that it isn't just /. that is laughing at Microsoft. This particular story was published by CNET (which is a very Microsoft-friendly news source).

  8. A Security Hole is still a Security Hole by Anonymous Coward · · Score: 1, Insightful

    A lot of posts seem to revolve around "Who cares, it's an inert virus; it could happen to any [multi-billion dollar corporation outsourcing its flagship development product that claims to be working to eliminate any end-user paranoia from its product line]..."

    But that's missing the point entirely. Seriously -- Nimda? What's that? People don't care about the statistics or logistics of the virus. No, people are concerned that a *known virus* was able to get into the code. Now ask yourself -- what if it was an unknown virus? What if a disgruntled contractor for the outsourced company snuck a new trojan horse in there? One that puts your MS Passport login info as a MIME header on whatever version of MSIE you're running?

    This is a PR disaster of incredible proportions because it shows how naked the emperor still is, despite hiring new tailors.

    Don't get me wrong, I make a lot of money off of writing Microsoft code. But the simple fact of the matter is that they're (supposed to be) going for "Trust" but their current habits are still hanging on "Hope".

  9. Re:Slamming MS by SirSlud · · Score: 4, Insightful

    I don't think anyone is going to excuse this just because MS was lucky that the chamber wasn't actually loaded. The trigger went off, and that's all the ammo I need to demand someone revoke the gun license.

    As for outsourcing, this is absolutely ludicrous that companies needn't take accountability for the actions of their contractors. That's how all the clothing manufacturers dodged the anti-sweatshop movement. Now Nike/Esprit/Adidas/Gap/Etc doesn't employ the sweatshop workers, they contract them! Brilliant, and insidious. While it may not be fair to compare that to the IT world, it shows the extreme consequences of allowing companies to divest accountability for services and products offered under their brand. If we don't hold MS accountable in the least, where's the motivation for them to be more careful with their contractor selection skills? They will continue to select contracts based on politics and economics rather than on the quality of the service/product being outsourced.

    I realize that it's not *entirely* their fault, but it doesn't help with the kind of facade MS puts on. Just like Oracle's "unbreakable" claim, if you want to make claims that simply are not true or that you can't deliver on (I don't care if it's your fault or not, you made the claim), you're never *ever* going to get the benefit of the doubt in this kind of situation. If you wanna make claims you can't back up, you don't deserve the benefit of the doubt. :)

    --
    "Old man yells at systemd"

  10. It may be fun to bash Microsoft . . . by Badgerman · · Score: 2, Insightful

    But a third party company screwed this baby up in transition, not M$. Using this as a "M$-is-so-evil/incompetent" story is pretty inappropriate.

    There's many, many other reasons to dislike Microsoft. Taking one out of context only strengthens Microsoft's hand and makes those who oppose Microsoft look petty.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu

  11. Re:slashdot morons strike again by grendel's mom · · Score: 2, Insightful

    You should include yourself in the list of "slashdot morons" because YOU missed the point.

    The significant issue is that they only check the files they *expect* to be in their distribution.

    Before you ship code, you had better know *exactly* what you were shipping. What if the 3rd party localizers added a nice trojan program? It's *trivial* to execute code on a remote Windows machine. There are several exploitable holes to accomplish this.

    The included virus is trivial. Microsoft's shoddy QA is the problem. Unfortunately, this isn't only a MS issue. It's an industry wide problem. // End rant

  12. Re:Accident? Sounds like criminal negligence! by chris_mahan · · Score: 2, Insightful

    But MSFT did do a check of the "package" before they shipped it off. So they should have caught it.

    It's not that hard to say: scan all, including compressed files.

    --

    "Piter, too, is dead."

  13. Inconsistent or sloppy? by moocat2 · · Score: 3, Insightful

    So, Microsoft only scans the files they expect to be part of the install but they ship all the files anyway. While there is no way from the outside to prove or disprove this statement, I think it's odd they aren't consistent in which files they choose to scan and which they choose to ship. A decent process would use a consistent way to manage it.

    At a minimum, I find this an example of the sloppy techniques I see all over the industry. Of course, sloppiness is one of the reasons that all these viruses keep finding new ways to infect software so I think it's a pretty big slap in the face for MS's Trustworthy Computing program.
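
An added example, not part of any comment above and not Microsoft's actual process: comments 11 to 13 all turn on the set of files scanned differing from the set of files shipped. The Python sketch below diffs a staging tree, including members of zip archives, against an approved manifest; the file names, contents and the `name!member` key format are constructed for illustration.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_zip(members: dict) -> bytes:
    """Build an in-memory zip (used only to construct the sample tree)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()

def shipped_files(root: Path):
    """Yield (name, bytes) for every file under root, descending one level into zips."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        yield rel, data
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        yield f"{rel}!{info.filename}", zf.read(info)

def audit(root: Path, manifest: dict) -> dict:
    """Diff what is actually on the image against the approved manifest."""
    seen = {name: sha256(data) for name, data in shipped_files(root)}
    return {
        "unexpected": sorted(set(seen) - set(manifest)),   # shipped but never approved
        "missing": sorted(set(manifest) - set(seen)),      # approved but absent
        "modified": sorted(n for n in set(seen) & set(manifest) if seen[n] != manifest[n]),
    }

def demo() -> dict:
    """Constructed sample: a vendor returns help.zip with one member nobody approved."""
    approved = make_zip({"index.htm": "approved help page"})
    manifest = {
        "setup.exe": sha256(b"approved installer"),
        "help.zip": sha256(approved),
        "help.zip!index.htm": sha256(b"approved help page"),
    }
    returned = make_zip({"index.htm": "approved help page", "extra.htm": "unreviewed"})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(b"approved installer")
        (root / "help.zip").write_bytes(returned)
        return audit(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A release gate built this way fails on any non-empty `unexpected` or `modified` list, so the virus scan and the ship list are driven by the same enumeration of the image.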

  14. Re:Interestingly enough: by Random Feature · · Score: 3, Insightful

    It isn't a problem in the sense that it's going to cause damage, or infect anyone, but it is *damn* funny.

    And it is a PR nightmare for MS because a lot of people aren't technical enough to understand what's necessary to become infected. All they hear is "shipped with Nimda" and it's bad news.

    --
    I don't have a solution, but I certainly admire the problem.