May 10, 2000 12:00 AM

Is the Windows Platform Overpowered?

Windows IT Pro
InstantDoc ID #8754

When I arrived at work last Thursday morning, I had three email messages waiting in my inbox, one of which contained the recently discovered Love Letter virus. Apparently, someone I don’t know had stored my email address in his address book. Later, when that person became infected with the Love Letter virus, the virus sent a copy of itself to me and everyone else in his address book. But because I don't open attachments that I didn't ask to receive, my systems remain unaffected.

Anyone can inadvertently receive a script-based virus, but not everyone understands the need to guard against that event. Many people don't think seriously about virus protection until after they've suffered damage.

Microsoft says viruses don't necessarily represent security issues, but instead are a social phenomenon. What Microsoft doesn't say is that virus writers routinely target Internet Explorer (IE) and Outlook clients because of their functionality. Virus writers claim that it's easy to spread a virus on Windows platforms because of powerful scripting technology installed as part of the tightly integrated desktop and Microsoft Office applications.

Many security professionals think Microsoft's approach to scripting allows too much access to OS resources. Many developers cite Java as a preferred language for secure desktop scripting because of its sandbox security technology. According to Symantec's Antivirus Research Center database, there are currently only five variations of Java-based viruses, but there are 28 VBScript-based viruses with 81 variations of those original 28. The database reveals that Love Letter is the most prolific virus to date.

According to research firm Computer Economics, more than 78 million people received a copy of the Love Letter virus in the first several days of its spread. Michael Erbschloe, vice president of research for the company, said the virus caused $6.7 billion in damage during the first 5 days. That figure is expected to reach $10 billion or more before Love Letter and all of the variants have been eradicated.

In this week's Time Magazine, Microsoft Chairman Bill Gates implied that if Microsoft were split into two companies, new versions of Microsoft products might become hard to obtain. Gates also implied that those new versions could protect against various intrusions similar to the Love Letter virus. Is Microsoft now headed into the antivirus software arena, or is Gates just admitting that the company could improve the security of its scripting technology?

In either case, we can protect against viral nuisances today, regardless of how Microsoft structures its company tomorrow. Anything from complete Windows Scripting Host removal to centrally managed file attachment filtering and virus scanning would suffice.

I've heard people complain loudly over the past few years that they think Microsoft's software is overpowered and too tightly integrated, but up until the Love Letter virus outbreak, I didn't share that opinion. I was more inclined to think that training was the answer for controlling all this powerful network-enabled software. But now I see the situation differently.

The Love Letter virus clearly points out that not everyone understands the ramifications of using Microsoft's embedded and integrated technologies. Relatively few users receive training before they are exposed to a Microsoft desktop. For most, training either comes after the fact or from the school of hard knocks, whichever happens first.

Have Microsoft's advancements with embedded and integrated out-of-the-box technology outpaced the average end user's ability to understand and control that functionality in a reasonably secure fashion? Stop by our Web site and post your opinion—you'll find this editorial and a new survey linked on the home page. Until next time, have a great week.

Comments
  • ed
    12 years ago
    May 23, 2000

    That's all we need, an OS with lots of bugs and no power. Wrong.

  • Claire McCorkle
    12 years ago
    May 16, 2000

    I agree that given enough time, we should investigate every piece of software we install and eliminate the bulk that we don't use. But I am sure everyone reading this has less free time than MS's lawyers! Sometimes we have to rely on the sales pitch and brief forays into product reviews to help us choose products that will suit our needs. I won't even mention that ever-present, non-technical manager/dept chair/supervisor who just wants to "keep up with the neighbors" in terms of which OS's they're running or what new-fangled gadget they have on their desks! I think it's reasonable to expect software manufacturers to write products that do what they're supposed to and not open gaping security holes in our networks. Or at the very least, spew fixes and patches at us as fast as they can.

    Most good IT geeks want to stay on top of technology and want to understand every detail of the products they use, but sometimes we have other things to do - like recover lost email, install printers, fix someone's bookmarks, make backups, order cd burners... (aargh).

  • Brian Bixby
    12 years ago
    May 15, 2000

    Having just read through the list of comments, I agree to some extent with just about all of them.

    Is Windows overpowered? Yes, for most companies, but for a company like GE or a state government the extra functionality is a necessity.

    Under-secured? Yes, but Mom & Pop's Networking and ISP company need to keep things as simple as possible.

    Staff under-trained? Yes, and I have to admit that I am one of them. We can't all be masters of every facet of our complex networking world. I have trouble enough just keeping up with developments in my little corner of it.

    Lazy? Yep, guilty as charged. I've never turned off most of the available options in Windows because I don't have the time to research every little bit of an OS to pull out every unused piece of software. I'm even more concerned that if I pull something out I'll have to go back and plug it back in later on all of the machines on our network, which I REALLY don't have time for.

    My take? As much as any one thing is to blame it is under-staffing. I would love to have the time to learn how to write elegant scripts, to read the software manuals, to check the bug reports, and to scan all of our security logs. I don't. Instead I spend most of the day fighting fires, squeezing in little drips and drabs of training and experimentation between user calls and special requests. If Windows Scripting Host didn't cause a problem, something else would because I don't have the time to avoid it.

  • Russ Cooper
    12 years ago
    May 15, 2000

    Is it just me that believes that virus writers, in general, aren't looking to prove they're brilliant programmers or insightful social engineering experts, but instead trying to have their particular virus/worm/trojan make as big a splash as possible?

    IOWs, they're interested in the media attention their pet gets, not how hard it was to make it do that.

    *If* I'm right, then it means it doesn't matter which platform or products are out there or how powerful they are or aren't, the virus writers will continue to concentrate on whatever the media will write about.

    Example: Netscape Navigator can be trusted to properly establish SSL channels with eCommerce sites. Few outlets cover it. Internet Explorer can be spoofed into giving up one domain's cookies to another domain...CNN runs a segment on it including how to download Netscape using IE to "fix" the problem. Doesn't matter that you swap one security vulnerability for another...

    Ergo, you wanna have your virus pet's name up in lights, make sure you target MS products. It isn't because they're more powerful, or less secure, but because there are more of them and the media will run a story (or 100 stories) on it.

    It's extremely naive to believe that if you plugged all of the holes in MS products you'd eliminate viruses/worms/trojans. In covering the DDoS attacks on the various big name sites several months ago, how many times did you hear that the clients who attacked those sites all represented vulnerable and compromised Unix boxes? Very few.

    I'm not trying to say we shouldn't secure Outlook, and all MS products...nor am I saying that MS is perfect when it comes to handling how products should be shipped. I am saying that to believe the problem lies solely in the software MS produces is foolish.

    How the Love Letter virus "clearly points out that not everyone understands the ramifications of using Microsoft's embedded and integrated technologies." is beyond me. Melissa was a more capable worm than ILV was. ILV didn't use all of the integrated technologies available to it and relied on user interaction to work (which it didn't need to do).

    If there is one thing that ILV demonstrated, it is that whatever user education occurred, whether by the media, corporations, ISPs, etc... *IT WAS NOT ENOUGH*.

    Very few people have installed *ANY* of Microsoft's security fixes. Fewer still have installed any of the modifications that were made available after Melissa (like my page, How Active is Active Content in Email).

    If anything will make more of a difference in defeating viruses/worms/trojans, it's User Education. Let's continue to press for what we need from *all* software vendors, but let's also try and ensure we spend enough time educating users to have them help themselves in future.

    Cheers,
    Russ - NTBugtraq Editor

  • Tim Meredith
    12 years ago
    May 14, 2000

    Suggesting that WSH is overpowered is becoming rather popular. Nevertheless, security is set for a user's shell and if the user has administrative or 'whatever' kind of access to their system and network then so will the programs they run. Couldn't someone write an executable to do the same thing as ILOVEYOU? Of course. The 'silent spam' feature of Outlook is definitely problematic. Outlook should, by default, always require confirmation before email is sent. And how about all that money we spent on anti-virus software? Where were those guys? But no, Microsoft's scripting language for Windows is now too powerful. Please.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.