Vmyths.com

Truth About Computer Security Hysteria

5% of experts don't trust antivirus patches

Rob Rosenberger, Vmyths co-founder
Monday, 12 May 2003

I DROVE STRAIGHT into Hurricane Isidore last year just to attend the Virus Bulletin 2002 conference. Not exactly the smartest thing I've ever done.

Memo to self: bring a canoe on the next trip to ViennaNew Orleans.

Then again, stupidity is a relative factor. Other virus experts faced the threat of wind shear while strapped in a flying gas-powered cylindrical metal tube hurtling 250 mph with a thousand feet separating them from the Louisiana bayou.

At least I had enough wits to drive a rental car. If Isidore washed it away, I could just replace it.

I can imagine what Vesselin Bontchev (FRISK) said to the Joe SixPack sitting next to him on the inbound flight. "Oh, you mean this? Bah, a hurricane is nothing! I worry more about a cyber-terrorist who may use a computer joystick to remotely steer this aircraft into the 23rd floor of the Hyatt Regency in order to wipe out the world's collective antivirus brain trust..."

But hey, let's not fret about a minor weather anomaly, shall we? I paid full price to attend the VB2002 conference and you, the readers, deserve full value for my money.

Panel moderator Carey Nachenberg (Symantec) polled the attendees at one point — uh, the attendees who made it to the conference, I should say — to learn who trusts security software updates more than they trust non-security software updates. Perhaps 20% of the audience raised a hand. Nachenberg then took a corollary poll to see who trusts security software updates less. Perhaps 5% of the audience raised a hand (myself included).

Now, a number like 5% may not sound like much on the surface — but let's remember the composition of the VB2002 audience! It means one out of every 20 virus fighters would trust, say, a Microsoft security patch before they'd trust a Symantec security patch.

You do see the irony here, don't you? Symantec is a security firm; Microsoft is not.

To put it another way, Nachenberg's (unscientific) poll showed 5% of virus fighters won't blindly trust computer security firms to put out a reliable security patch for their own security products. This might stun some people: conventional wisdom says virus fighters explicitly trust antivirus firms.

I mean, antivirus firms have a decade of experience at patching the relentless security holes in their own antivirus products. Major vendors like Symantec release a new security patch hundreds of times per year. Hundreds just for one antivirus product!

Microsoft, on the other hand, patched its entire product line only 72 times last year, total. Just six dozen times for their entire product line! Non-security firms clearly lack experience ... yet 5% of attendees at the Virus Bulletin 2002 conference would trust non-security software patches before they'd trust security software patches.

Hmph. Go figure.


CAN YOU NAME any other software that needs hundreds of security patches per year, per product?

Go on, think about it. I can wait.

. . .

Couldn't think of one, eh? Neither could I. Go figure.

Popular antivirus software fails on a regular basis, you know. It failed when the Melissa virus struck. It failed when the ILoveYou virus struck. It failed days later when the NewLove and KillerRésumé viruses struck. It failed when the ExploreZip virus struck. Popular antivirus software failed yet again when ExploreZip's little sister, the MiniZip virus, struck.

Popular antivirus software failed to stop the Kournikova virus. Then it failed to stop the NakedWife virus. It failed yet again when the Nimda virus struck. Then it failed when the Goner virus almost made goners of us all.

Popular antivirus software fails hundreds of times per year. Every year. It fails so often that your firm almost certainly buys a subscription for antivirus software security patches. A subscription! Your antivirus software fails so often that you need to subscribe to fix it!

If you don't buy a subscription, your antivirus software will fail even more often!

Ironically, Microsoft doesn't charge a dime when they issue the occasional security patch for their entire line of non-security products. Microsoft's "secure by design" slogan takes on a whole new meaning when you compare it to the antivirus industry!

You can patch your antivirus software every single day of the year, you know. You can patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and
patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch and patch your antivirus software for a 
full year ... a whopping 365 times per year ... yet you'll still suffer the ravages of one virus after another.

Wow. And you PAY antivirus firms for this privilege?


FACE IT: YOUR company buys antivirus software so teams of employees can eradicate viruses that slip past your antivirus software. Then, of course, you patch every computer — especially your network servers! — and the whole bizarre process starts all over again. It never ends.

So I ask you: who needs to get their house in order here? A security firm like Symantec, or a non-security firm like Microsoft? It's a simple question, you know. Yet only 5% of the experts at VB2002 knew the answer.

Then again, the smartest attendees stayed home rather than ride out a hurricane in a glass-covered skyscraper. Maybe that's why only 5% raised their hands...