Slashdot Mirror


Visual Studio .Net: Now with more Viruses

News.com breaks the story (and 8000 readers submit) that Microsoft distributed Nimda-infected copies of Visual Studio .Net in Korea. I don't even know what to say here; nothing seems adequate, except to point out that "trustworthy computing" does not seem to have had any effect whatsoever. News.com just updated their story to point out that it probably won't infect the people who installed Visual Studio .Net, but it's still a rather nasty faux pas for a company that's supposed to be cleaning up its act.

42 of 396 comments

  1. So.... by Jacer · · Score: 5, Funny

    Did McAfee or Norton give this press release?

    --
    --fetch daddy's blue fright wig, i must be handsome when i release my rage
  2. they should sort of borrow oracle's motto. by overbom · · Score: 3, Funny

    "breakable"

    or maybe that doesn't quite say it. Hmmm, what am I trying to get at.

    "trivially breakable"

    It only infects one file that's never referenced by the system, and there are all sorts of unlikelihoods that prevent this from being executed. Still, bad press is bad press. :-)

  3. Sue 'em by frovingslosh · · Score: 4, Funny

    The guy who wrote that virus should sue Microsoft for distributing it without his permission. We're talking about theft of intellectual property here!

    --
    I'm an American. I love this country and the freedoms that we used to have.
  4. It's a feature! by gatekeep · · Score: 3, Funny

    Hell, nimda is a better feature than that stupid paperclip thing!

  5. Microsoft should be applauded for this by Saint+Aardvark · · Score: 5, Funny
    They...um...made sure that it was a quality worm that went out the door.

    None of your shoddy open-source crap here, no sir!

    1. Re:Microsoft should be applauded for this by Amazing+Quantum+Man · · Score: 4, Funny

      I hope that worm wasn't GPL'ed!

      After all, that would mean that MS would have to distribute the source to VS.NET!

      Hey... now there's an idea :-)

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  6. virus?? by hikeran · · Score: 4, Funny

    It's not a virus/spyware.. it's a feature that enhances your web experience.

  7. A great new marketing line for Microsoft. by Restil · · Score: 4, Funny

    "You probably won't get any viruses from installing our software!"

    -Restil

    --
    Play with my webcams and lights here
  8. even better by Srin+Tuar · · Score: 4, Funny


    "breakable"

    or maybe that doesn't quite say it. Hmmm, what am I trying to get at.

    "trivially breakable"

    In this case, "broken" is what you're looking for.

  9. Not entirely Microsoft's fault by 1000101 · · Score: 5, Insightful

    The "third party" that translated the software into Korean had something to do with the problem.

    1. Re:Not entirely Microsoft's fault by timeOday · · Score: 5, Funny

      So how do we tell "Genuine Microsoft Quality Products" from "Shoddy Software Created By Third Parties And Put Out By Microsoft"? Is the hologram a different color or something?

    2. Re:Not entirely Microsoft's fault by Jason+Earl · · Score: 5, Insightful

      That's a load of hooey. Microsoft's customers didn't ask them to use a third party to translate the files, nor did they purchase the product from the third party. If Microsoft can't even handle the elementary security step of scanning the product for viruses before putting it on a CD, how do you even know that the mysterious third party isn't replacing important DLLs with DLLs that are functionally equivalent but have a hidden backdoor?

      Clearly Microsoft isn't really checking these files. Which means that when Microsoft says "Trustworthy computing" what they are really saying is that you should trust them, and all of their "third party" allies despite the fact that they have a horrific track record.

    3. Re:Not entirely Microsoft's fault by chris_mahan · · Score: 5, Insightful

      [This post contains language you might find offensive]

      Isn't Microsoft entirely in control of selecting the vendor (the translation/localization company)?
      Would Microsoft be liable if the translator had said: Fuck you and You Eat Dog Now in the manual? Of course.

      Another silly analogy. My VW beetle was assembled in Mexico. Do you think VW says: "Oh, sorry, those damn Mexicans screwed up?" when I have a problem with my car? No. They say: "We're sorry, and we'll fix it right away at no charge".

      They don't even mention the outstanding factory workers south of our border. They just take it like men and deal with it responsibly.

      That's why I prefer VW service over Microsoft's.

      --

      "Piter, too, is dead."

  10. Only one thing I can say... by Skweetis · · Score: 4, Funny
    GET /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnHahahahahahah hahahahah hahhahahhaha heeheeeheeehee aaahahahhhhh

    Morons.

  11. Give it a rest by Anonymous Coward · · Score: 5, Insightful

    Slashdot is rapidly becoming useless with the constant derision it heaps on Microsoft. Let's have more computer news and stuff about FreeBSD and Linux and less "make fun of" news about Microsoft. As if Linux doesn't have its problems. You might end up like Larry Ellison and his ridiculous "Unbreakable" claims.

    Of course, that's a problem with the Linux crowd. Fear of being, and being seen as, professional.

    1. Re:Give it a rest by Violet+Null · · Score: 3, Informative

      Let's have more computer news and stuff about FreeBSD and Linux and less "make fun of" news about Microsoft.

      Go here. See the section entitled "Exclude Stories from the Homepage"? Find the box that says "Microsoft" and check it. Scroll all the way to the bottom and click the "Save" button. Walah.

    2. Re:Give it a rest by namespan · · Score: 5, Insightful

      I don't know where to start.

      Slashdot is rapidly becoming useless with the constant derision it heaps on Microsoft. Let's have more computer news and stuff about FreeBSD and Linux and less "make fun of" news about Microsoft.

      Slashdot is hardly rapidly becoming useless. There is no lack of abundance of news about FreeBSD, Linux, Apache, Space, OS X, Wireless, and just about any other significant I/T and geeky topic.

      And while Linux has its problems, and you may not share the editors' views about Microsoft, there are two facts about Microsoft that are hard to ignore:

      1) They are huge. Absolutely huge. They have a lot of influence in the I/T and software industry.
      2) Sometimes their market presence and control gives them reputation beyond what's deserved.

      You may not agree with #2, but consider: .NET barely exists right now. Their ads make it look like people are running serious production solutions on it right now. They claimed months back that Trustworthy Computing was their #1 priority. They just made a major gaffe. They've ignored simple security problems for years because it suited them.

      I wouldn't claim their technology is useless. It has its high points, a few better than open source alternatives. The problem is that it's all too easy to fall into "They're big, they're #1, so it must be the best" viewing of Microsoft. Most of us who bring up reports like this one do so because we've put up with far too much of that kind of reasoning.

      As if Linux doesn't have its problems. You might end up like Larry Ellison and his ridiculous "Unbreakable" claims.

      Of course, that's a problem with the Linux crowd. Fear of being, and being seen as, professional.


      Well, that wasn't anything like our petty digs at MS.

      Do you mean afraid to make claims like Microsoft's "Trustworthy Computing" initiative and Oracle's "Unbreakable"? I don't see this as a problem in the open source world. OpenBSD is the only distro that comes close to making anything like an unbreakable claim, and it has history to back it up. We speak softly and upload running code. We release timely information about bugs, security holes, and patches. Cover ups are few. That's professional.

      Of course, yet again, it's so easy to confuse "big" and "professional".

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  12. The Cost of Outsourcing by Real+World+Stuff · · Score: 5, Insightful

    According to the Article, it appears that "Microsoft's flagship developer tools picked up the digital pest when a third-party company translated the program into Korean...".

    Ultimately it was MS's responsibility to verify they did not shit in their own bed, but how many of us look at every line of code in a distributed or outsourced project?

    Just my $.0199999

    --
    If we don't fight for ourselves no one will.
    1. Re:The Cost of Outsourcing by coyote-san · · Score: 3, Insightful

      They can be expected to verify the ISO image.

      Do you think they approved the disc without verifying all libraries, resources, etc., were present and properly named? (Okay, this *is* Microsoft but work with me here)

      If we can expect them to perform that level of checking, why can't we expect them to run a virus checker at the same time?

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  13. That's One Degree of Separation! (tm) by elsegundo · · Score: 5, Funny


    Leave out the middleman when it comes to distributing viruses! Give it straight to your customers!

    --


    The revolution will be televised. Blackout restrictions apply.
  14. In Other News by Target+Drone · · Score: 4, Funny
    Microsoft today announced its new "Don't ask, Don't tell" security initiative. Microsoft is now requesting that customers no longer ask if there are any security holes in its software. It is also strongly urging all media outlets to stop telling people about any possible security issues.

    A spokesperson from Microsoft was quoted as saying "This is the best chance we have at cleaning up our image."

  15. Slamming MS by glh · · Score: 5, Informative

    OK, someone messed up.. but it isn't as bad as it sounds. First off, it wasn't MS that put the virus in, it was some third party thing they used to convert the language to Korean. However, MS should have at least run virus scan on it before they shipped it. Second, the person running VS.NET would actually have to install IE 5.5 over IE 6 (why would anyone do that) and browse a certain help file in order for it to get infected.

    I'm not trying to defend MS. Just pointing out the facts (or at least how they were stated in the article). On one hand it's kind of funny to read through all the quick one-liner jokes about MS (definitely worth a chuckle) but I think MS isn't quite as bad as they're being made out to be.

    By the way, anyone know the company that wrote the nimda infected software?

    1. Re:Slamming MS by _xeno_ · · Score: 5, Informative
      Actually, according to the article at least, Microsoft did scan the files for viruses prior to shipping. However, they apparently have it set up to only scan files that they expect to be there, and therefore missed the added Nimda file. The way I read it, the Nimda file is not really part of the package and can never be accessed in normal usage of the product, and can only be accessed if the user goes looking through the actual help files that come with the system.

      Assuming that by "help files" they mean "VS.Net Documentation" then there are quite a few help files covering everything from JScript, VB, C#, C++, to the Windows Platform API, the C# class library, and more - which means it'd be practically impossible to manage to find the one Nimda file amongst the crowd. However, if they just mean tool help, then that content is a lot more limited, but I somehow doubt that is the case.

      I have to wonder how much about that "scan only files that should be there" is really spin doctoring, and if they didn't really scan the disk and are instead coming up with an excuse for having missed the presence of the file.

      Anyway, the Slashdot writeup is, as usual, way overblown in its anti-Microsoft slant. If they're going to write tirades about McAfee scaremongering, then they probably shouldn't do it themselves.

      (And, by the way, Michael is the author of both articles...)

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:Slamming MS by MrResistor · · Score: 3, Informative

      It's actually even more difficult than that. The infected file isn't an actual help file, it's an extra file that's not even supposed to be there, and isn't linked or referenced anywhere in VS.NET. They'd have to install IE 5.5 over IE 6 and browse to the directory the help files are kept in and actively search for and open the infected file.

      Really, it's as close to harmless as you can get, considering the astronomical improbability of someone executing the infected file by accident. Of course, one should never underestimate the ingenuity of fools, so I have no doubt that it will happen.

      On the whole, I have to give MS credit for the way they are handling this. They are offering free clean replacements to everyone who has an infected copy, they have a patch out, and they are spreading the news so that people are informed and thus able to fix the problem. I'm a little curious about the "patch", but I suppose it's a more reliable solution than just telling people to delete the file.

      Yes, I am pointing and laughing at MS right now, I am typically an MS basher after all, but at the end of the day I have to say that I wish they would deal with more of their problems as honorably as they've dealt with this one. It would have been really easy for them to sweep this under the rug and pretend it never existed.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    3. Re:Slamming MS by SirSlud · · Score: 4, Insightful

      I don't think anyone is going to excuse this just because MS was lucky that the chamber wasn't actually loaded. The trigger went off, and that's all the ammo I need to demand someone revoke the gun license.

      As for outsourcing, this is absolutely ludicrous that companies needn't take accountability for the actions of their contractors. That's how all the clothing manufacturers dodged the anti-sweatshop movement. Now Nike/Esprit/Adidas/Gap/Etc doesn't employ the sweatshop workers, they contract them! Brilliant, and insidious. While it may not be fair to compare that to the IT world, it shows the extreme consequences of allowing companies to divest accountability for services and products offered under their brand. If we don't hold MS accountable in the least, where's the motivation for them to be more careful with their contractor selection skills? They will continue to select contracts based on politics and economics rather than on the quality of the service/product being outsourced.

      I realize that it's not *entirely* their fault, but it doesn't help with the kind of facade MS puts on. Just like Oracle's "unbreakable" claim, if you want to make claims that simply are not true or that you can't deliver on (I don't care if it's your fault or not, you made the claim), you're never *ever* going to get the benefit of the doubt in this kind of situation. If you wanna make claims you can't back up, you don't deserve the benefit of the doubt. :)

      --
      "Old man yells at systemd"
  16. Re:What... the... hell.... by Zordak · · Score: 3, Funny

    Have you ever been to Korea, you moron? Those people are absolute technophiles. They love all of the newest little electronic gadgets. They're not always the highest quality little gadgets, but everybody has them. Koreans are not aborigines living in a wasteland. They live in big, crowded cities like most of us, except they're usually bigger (the Seoul/Inchon area alone has something obscene like 14 million people) and they have lots more concrete (if you had ever been to Korea, you would know what I am talking about). You need to leave your momma's basement a little more often.

    --

    Today's Sesame Street was brought to you by the number e.
  17. Maybe a re-brand? by rfsayre · · Score: 5, Funny

    Viral Studio .NET??

  18. DOJ Take Note by Paul+Lamere · · Score: 5, Funny

    This is just another example of Microsoft trying to bundle everything with windows. Now that they are bundling Nimda, Melissa is going to go right out of business.

  19. Life Imitates Art by Kozz · · Score: 5, Funny

    Truly, life indeed imitates art (satire). Microsoft Bundles Worm with IIS.

    --
    I only post comments when someone on the internet is wrong.
  20. In the list of new features... by iabervon · · Score: 3, Funny
    • No longer vulnerable to this virus

    How would you know they'd fixed IE if they didn't distribute a virus that no longer worked?
  21. Re:What... the... hell.... by Ooblek · · Score: 5, Informative
    You should have realized it was a joke - however lame it was.

    By the way, this is just another example of a premature attack by OS zealots. Just as the case of the cross-platform virus discussed previously, the Nimda file is installed as part of the help system, but is never loaded by the help system. As the tongue-in-cheek editorial posted by the illustrious Slashdot editors put it, "Only a complete moron would get infected by this virus." So unless someone in Korea is stupid enough to uninstall IE 6.0 (required for .Net to run), install IE 5.5, and then load the Nimda file, it is unlikely that they will get infected. For every MS goof, there is an equal goof in the OS community. (But we all know people that point that out get modded down....)

  22. Cool! Virus Free! by Cheap+Imitation · · Score: 5, Funny
    Leave it to Microsoft to change the meaning of "Virus Free".

    Now, instead of meaning it ships with no viruses, it means they include them at no extra charge!

  23. Re:Just another reason to complain by Jason+Earl · · Score: 5, Insightful

    You are missing the point. The problem isn't really that Microsoft is shipping a virus (although you have to admit that this is pretty darn funny). The problem is that Microsoft is shipping files that they don't know about. This file could have been anything.

    Microsoft has set up their business so that their customers have to trust them. There is no way for Microsoft's customers to verify that Microsoft software is safe. Yet time and time again Microsoft has shown that they simply are not particularly trustworthy. It has gotten so bad that it isn't just /. that is laughing at Microsoft. This particular story was published by CNET (which is a very Microsoft-friendly news source).

  24. Perspective by alacqua · · Score: 3, Funny

    They're worried about the viral nature of the GPL?

    --

    Move on. There's nothing to see here.
  25. Re:Where's the foot? by Yuan-Lung · · Score: 3, Funny

    Like this? =)

  26. This was predicted weeks ago by drew_kime · · Score: 4, Interesting

    See here for details.

    --
    Nope, no sig
  27. Banner Ad by krulgar · · Score: 3, Funny

    When I read this article, the banner ad was for Microsoft Visual Studio .NET.

    It's that kind of policy that keeps me reading /.

  28. Inconsistent or sloppy? by moocat2 · · Score: 3, Insightful

    So, Microsoft only scans the files they expect to be part of the install but they ship all the files anyway. While there is no way from the outside to prove or disprove this statement, I think it's odd they aren't consistent in which files they choose to scan and which they choose to ship. A decent process would use a consistent way to manage it.

    At a minimum, I find this an example of the sloppy techniques I see all over the industry. Of course, sloppiness is one of the reasons that all these viruses keep finding new ways to infect software so I think it's a pretty big slap in the face for MS's Trustworthy Computing program.
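
Added example, not part of the thread and not Microsoft's actual release process: the kind of check comments 12.1 and 28 ask for, where the set of files that is compared and handed to the scanner is derived from the staged tree itself rather than from the list of expected files. The paths, file contents and the `audit_release_tree` helper are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large installer payloads are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_release_tree(root, manifest):
    """Compare every file under root with manifest (relative path -> sha256).

    The shipped set is taken from the tree itself, never from the manifest,
    so a file nobody expected cannot slip past the check.
    """
    root = Path(root)
    shipped = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {
        "unexpected": sorted(rel for rel in shipped if rel not in manifest),
        "missing": sorted(rel for rel in manifest if rel not in shipped),
        "modified": sorted(rel for rel, p in shipped.items()
                           if rel in manifest and sha256_file(p) != manifest[rel]),
        # What the malware scanner must be pointed at: everything that ships.
        "scan_list": sorted(shipped),
    }
    report["release_ok"] = not (report["unexpected"] or report["missing"]
                                or report["modified"])
    return report


def demo():
    """Constructed sample: a staged tree changed after the manifest was made."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "help").mkdir()
        (root / "setup.exe").write_bytes(b"constructed installer bytes")
        (root / "help" / "index.htm").write_bytes(b"<html>help index</html>")
        # Manifest as signed off before the tree went to a (hypothetical)
        # localization vendor.
        manifest = {rel: sha256_file(root / rel)
                    for rel in ("setup.exe", "help/index.htm")}
        # Changes made after sign-off: one extra file, one altered file.
        (root / "help" / "extra.htm").write_bytes(b"<html>not in manifest</html>")
        (root / "help" / "index.htm").write_bytes(b"<html>translated</html>")
        return audit_release_tree(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The release is blocked on any unexpected, missing or modified file, and `scan_list` covers the extra file even though the manifest never mentioned it.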

  29. Re:Interestingly enough: by Random+Feature · · Score: 3, Insightful

    It isn't a problem in the sense that it's going to cause damage, or infect anyone, but it is *damn* funny.

    And it is a PR nightmare for MS because a lot of people aren't technical enough to understand what's necessary to become infected. All they hear is "shipped with Nimda" and it's bad news.

    --
    I don't have a solution, but I certainly admire the problem.
  30. They always screw up by WildBeast · · Score: 3, Interesting

    Most of the time that MS uses a third-party company, that company screws up. My question is, who exactly is in charge of seeking out and contracting with those companies? Fire him big time.

  31. Oh. C'MON! by rutledjw · · Score: 3
    So what? Does your point matter? MS distributed a virus with their code! Whether or not it runs, is this indicative of their source control?

    There is no way it can be stated that it's no big deal when this kind of thing happens. Period. The bottom line here is quality. If this kind of thing gets through, what else can get through? What kind of quality controls are really in place?

    Whatever controls ARE in place, apparently they aren't effective or aren't being followed...

    --

    Computer Science is Applied Philosophy
  32. At last... by hakkikt · · Score: 4, Funny

    ...M$ includes a really efficient piece of code with their compilers.