Monday, July 24, 2006

Who's to blame, Microsoft or MySpace?

Schneier pointed to an article today that describes how a hacked MySpace server infected a million computers with malware.

Now, first off, this doesn't sound like MySpace got hacked. It sounds like they just pipe in remote content like a million other web sites, and some of that remote content was infected with malware. Windows users who viewed the web pages became infected because of bugs in Windows / Internet Explorer that allow malicious web content to muck around with your system.

If this is the case, MySpace shouldn't take the brunt of this. Even if MySpace came up with a technological solution that could strip out all Windows exploits that pass through their servers (if such a technology were even possible), it still wouldn't solve the problem for the next web link you click on. It's infeasible to expect the administrator of every single web server to solve this problem. Web authors should be able to pipe in third-party web content from other sources without fear of killing their users' machines.

The appropriate place to lay blame is at Microsoft's feet. Your browser should not allow your computer to become infected no matter WHAT content you're browsing. It should be strictly contained in a sandbox. I understand that this was a patched vulnerability, but the Microsoft approach to security probably played a large role in the vulnerability being there in the first place; if you start with the premise that nothing should affect the system, you're more likely to succeed at protecting the system than if you go adding a bunch of feature-driven exceptions ("but wouldn't it be cool if you could just go to a web page and have the software installed FOR YOU?"). And there's always the question of the actual product quality out of Redmond. They shouldn't release software with millions of known bugs.

This is a failure of Microsoft, not MySpace, and until Microsoft changes their approach to security and the quality of their software, we're going to continue to see problems like this.
