Microsoft scrambles to quash 'friendly' worm story
- 20 February, 2008 08:24
Microsoft is moving to counter some scathing comments regarding a security paper authored by researchers at its Cambridge, England, facility.
The paper, "Sampling Strategies for Epidemic-Style Information Dissemination," looks at how worms sometimes inefficiently spread their code.
The research explores how a more efficient method could, for example, be used for distributing patches or other software. The advantage would be that patches could be distributed from PC to PC, rather than from a central server.
That method would reduce the load on a server, and patches would be distributed faster. But the patches would have the same qualities as a computer worm, a generally malicious file.
Since a story about the paper appeared on Thursday in the New Scientist magazine, the paper has been roundly assailed.
"This is a stupid idea," wrote Bruce Schneier, a security expert, author and CTO of enterprise security vendor BT Counterpane, on Tuesday, before quoting a passage from the New Scientist story on his blog.
Schneier wrote that the idea of so-called "benevolent worms" comes up every few years.
However, a worm is designed to run without the consent of a user, which doesn't make it a good method of software distribution, Schneier wrote. The worm patching technique could also make the patches hard to uninstall or interrupt during installation, he wrote.
Worms designed to distribute software patches could also be hacked to distribute malicious software, wrote Randy Abrams, director of education for security vendor Eset, in his regular e-mail commentary.
Forced patching is also troublesome since some patches may not be compatible with critical software, Abrams wrote.
"Breaking into computers is a bad idea," Abrams said.
A Microsoft spokesman said on Monday that the New Scientist story is not inaccurate. However, the writer of the story "sexed" up the research paper a bit, particularly with the headline that used the phrase "friendly worms," the spokesman said.
In response to the criticism, Microsoft said it doesn't intend to develop patch worms.
"This was not the primary scenario targeted for this research," according to a statement.
The company also said it will continue to let customers decide how and when they apply security updates.
One of the paper's authors, Milan Vojnovic, said in a statement that there were no plans to incorporate the ideas into Microsoft's products. Efforts to reach Vojnovic for comment were unsuccessful.