2010-10-01

Stuxnet, Microsoft, and the Media

There has been a slew of articles about a new piece of malware called Stuxnet, which has infected tens of thousands of computers in Iran without their users' knowledge. There's an article by Ellen Nakashima in the Washington Post about how Stuxnet could be used against the US, considering that the target of the original attack was probably one of the nuclear power plants in Iran. I wondered what sort of havoc it could wreak on our country's computers. Then I clicked on page 2, and my suspicions — not about Stuxnet's fearsome capabilities, but about its modus operandi and how the mainstream media would report it — were confirmed.
Of course, reading the article again, I should have been suspicious on page 1 itself, considering that "[t]he antivirus security firm Symantec analyzed the worm this summer." Does anyone seriously expect Symantec to be a disinterested party in this? It's a question of computer security, so of course they're going to inflate numbers a little (though whether they've actually done so this time or not is another question) to scare the public into buying their products.
But the second page holds the real "goodies" of this article. Let's go through the major ones.
But "not even two days later," he said, a hacker Web site posted the code so that others could use it to exploit the vulnerabilities in Microsoft.
I should have figured as much. It only affects Microsoft software. Why must the mainstream media equate Microsoft software with all software, considering that at higher levels of the government (e.g. the Department of Defense) Linux is in widespread use for its security benefits? For goodness' sake, the military uses RHEL/CentOS!
* It exploited four Microsoft "zero-day" vulnerabilities, allowing Stuxnet to spread automatically without computer users' knowledge.
* One vulnerability allowed the worm to spread via the use of a thumb drive or other removable device. That flaw and one other have since been patched.
* It is autonomous - it requires no hidden hand at the control stick to direct its moves. [...]
* Once it found its target, it was designed to inject code into the controller to change a process. What that process is, is not yet known.
All of these stem from the fact that Microsoft Windows automatically elevates users to administrator privileges and grants executables administrative privileges as well, so of course this virus will spread without the user's knowledge, spread via removable media, spread autonomously, and inject code autonomously. With Linux, the concept of user privileges (as well as the way Linux handles executables, which is very different from Microsoft Windows) means that this sort of thing would take considerably more effort to pull off. And don't counter with Apple's Mac OS X; a recent Secunia report has shown that Apple software has experienced more security vulnerabilities this year than Microsoft software.
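To make the "how Linux handles executables" point concrete, here is an added example (my own script, not anything from the post, from Symantec, or from the Washington Post article). It constructs a throwaway "payload" file in a temporary directory the way a worm might drop one on a USB stick, then shows the two halves of the story: the kernel refuses to run a file directly unless its execute bit is set, but that bit does nothing once the file is handed to an interpreter such as `sh`. The `mounted_noexec` helper, which checks whether the filesystem holding a path is mounted `noexec` (the usual hardening for removable media), assumes GNU coreutils `df` and a Linux `/proc/mounts`; the file names and the payload contents are constructed for the example.

```shell
#!/bin/sh
# Added example: Linux execute bit, its limits, and the noexec mount check.
# Everything below is constructed in a temp directory; no real media is touched.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# A dropped payload, copied the way a worm would copy it: plain file, mode 644.
payload="$workdir/payload.sh"
printf '#!/bin/sh\necho executed\n' > "$payload"
chmod 644 "$payload"

# Returns 0 if the kernel will run the file directly via execve (execute bit set
# and the mount allows it), non-zero otherwise (the shell reports status 126).
direct_exec_allowed() {
    "$1" >/dev/null 2>&1
}

# The caveat: feeding the file to an interpreter reads it as data, so the
# execute bit is never consulted. Returns 0 if that succeeds.
interpreter_exec_allowed() {
    sh "$1" >/dev/null 2>&1
}

# Returns 0 if the filesystem holding $1 is mounted noexec, 1 otherwise.
# Assumes GNU coreutils df and Linux /proc/mounts (constructed helper, not
# something from the post).
mounted_noexec() {
    mp=$(df --output=target "$1" | tail -n 1)
    awk -v m="$mp" '$2 == m { print $4 }' /proc/mounts \
        | grep -q -E '(^|,)noexec(,|$)'
}

# Demonstration when run stand-alone.
if direct_exec_allowed "$payload"; then
    echo "direct exec: allowed"
else
    echo "direct exec: denied (no execute bit)"
fi
if interpreter_exec_allowed "$payload"; then
    echo "sh payload.sh: allowed (execute bit bypassed)"
fi
chmod 755 "$payload"
if direct_exec_allowed "$payload"; then
    echo "direct exec after chmod 755: allowed"
fi
if mounted_noexec "$payload"; then
    echo "temp dir is mounted noexec"
else
    echo "temp dir is NOT mounted noexec"
fi
```

The practical lesson is that the execute bit and a `noexec` mount only stop direct execution; anything that can be run through an interpreter already on the box (sh, python, perl) still runs at the invoking user's privilege, which is why privilege separation, not the execute bit alone, is what limits the damage.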
So please, Washington Post: don't conflate Microsoft software with all software, and please do some more of the investigative reporting that made you famous in the 1970s with regard to a certain president; is that too much to ask, in this day and age?