Lessons Not Learned

Computerworld - What have we learned from the current stampede of Windows-infecting worms with names like Zotob, Esbot, Bobax and Spybot (see story)? First lesson: If you want to raise public awareness about a tired old subject like computer worms, just gore the oxes of reporters and editors at CNN, The New York Times, The Associated Press and ABC News. There's nothing like personal pain to freshen up a story. In CNN's case, there's nothing like having it happen on live TV.
Second lesson: Uh, is there a second lesson?
Probably not. After all, we already knew that the most common security hole is a buffer that can overflow if the code filling it doesn't check for input length. That's the programming flaw that these worms exploit -- a flaw that's been around since 1988, when the notorious "Morris worm" brought a much smaller Internet to its knees with a buffer overflow attack.
We already knew that it's a good idea for vendors to release patches as soon as vulnerabilities are made public. To Microsoft's credit, it shipped a patch the day it announced the security hole. (But no points to Microsoft for shipping products with the hole in the first place.)
We already knew that stretched-thin IT staffs have a tough time applying those patches quickly, because it takes time to test and then roll them out to servers and desktop PCs.
We already knew that publishing exploit code that can easily be pasted into worm programs is not helpful. Well, it's helpful to worm writers, but not to the rest of us. Such code was reportedly published on a security Web site the day after Microsoft got its patch out the door. Three days later, the Zotob worm was in the wild, infecting Windows machines.
We already knew that worm writers both share information and compete with one another. It's no great surprise that within hours, Zotob was joined by other worms exploiting the same hole -- and hammering away at Windows users.
So maybe there just isn't a lot to learn from this round of being overrun by worms.
But isn't it time we stopped treating worm outbreaks as learning experiences?
Isn't it time for Microsoft to stop selling operating systems with buffer overflow security holes? That wouldn't require bug-free programming -- just looking for and eradicating one particular kind of bug.
Yes, Microsoft is trumpeting that Vista (nee Longhorn) will be safe from buffer overflows when it ships next year. Then again, that promise was originally based on