DE-'BUGGING' COMPUTERS

December 2003
		The Internet has facilitated global communication like never before but also created the need to secure computer networks from viruses and worms. Two security experts on the front line of the battle against these computer "bugs" answer your questions.

Online NewsHour Special Report: Computer Worms and Viruses Forum Introduction I read a lot about vulnerabilities embedded in Web browser code that enable sending data through ports that are normally open and assumed to be safe by most firewalls. Is this a true threat and how serious is it? Have any viruses or worms arrived in .txt or .jpg or PDF files? These are files that by definition have NO executable code and are hence, treated as data and nothing else. Are there NO files that can be safely opened on a PC? I noticed that all of the worms identified on the newshour are w32 ... what responsibility for this security problem should be assigned to Microsoft? Is the ZoneAlarm security program effective against worms? Before switching to a DSL connection, with a (Linksys) wireless router, I always used a (ZoneAlarm) firewall. Now, however, I have been told by many people that there is no need for the firewall as the router serves that function. Is that true, or do I still need a firewall? I have installed a new program for fighting spam - Spam Inspector. It seems to be quite good. My question is that it looks as if the spam is opened (by the spam fighter) to determine if it is spam. Does that opening make me vulnerable to virus attack? Are there free firewalls available on the Web that do the job?	Nora Barnacle of Washington, D.C., asks: I noticed that all of the worms identified on the newshour are w32...what responsibility for this security problem should be assigned to Microsoft? Larry Rogers responds: Nora: In some respects, Microsoft is a victim of its own success. Windows-based computer systems dominate the installed based of computer systems attached to the Internet. When the virus or worm writer's goal is wide-scale disruption, Windows-based viruses and worms are the clear choice. Perhaps market penetration by a LINUX-based computer system will direct virus and worm writers differently in the next few years. Microsoft and all other vendors, by and large, do share a responsibility for the security problems that plague all of us today because of the lack of attention they have paid to program architecture and implementation. These poor practices lead to more opportunities for virus and worm authors. For example, Nimda (http://www.cert.org/advisories/CA-2001-26.html) exploits flaws in common applications found on Windows-based products. These flaws have known solutions that have been known for years and years. The industry as a whole seems to be unable or unwilling to learn from the mistakes of the past and apply the lessons that should have been learned. Microsoft's practices are much more visible to all of us because of their market penetration, but their problems are common to all vendors. Joe Wells responds: Again, Microsoft is the biggest target and so targeted the most. People tend to forget that "user-friendly" and "secure" are hardly synonyms. It is a fact of life that safety is often sacrificed for convenience. Mini-markets are more convenient than supermarkets, but they're also robbed more often. How much responsibility for this should be assigned to 7-11? Microsoft acts as responsibly in security issues as most other companies -- and more responsibly than many.