Slammer Spamming or Spammer Slamming?

John Thompson, CEO of Symantec, just spammed me. Not John personally, and although I seriously doubt the email was authorized by Symantec (at least I hope it wasn't), someone left a message in my inbox advertising Norton SystemWorks, Symantec's desktop antivirus product. Sandwiched between the latest Nigerian bank scam and a notice for a Ukrainian mail-order bride, the subject line reads: "Protect Your PC from the Slammer Worm!" Note of caution: don't click on the links in the referenced spam email. Symantec recommends that users do not touch the email links from spam such as this. How can you tell it's spam? Symantec says that if it comes to you unsolicited, then it is probably counterfeit software at best, a credit-card scam at worst.

Slammer targets vulnerable SQL Server 2000 versions that are not up to date with the latest patches. Curious, since last I checked I wasn't running SQL Server on my PC, but maybe it was embedded in one of Microsoft's other applications like Visio or Visual FoxPro. No, nothing there -- Microsoft's web site recommends downloading an agent to detect the Slammer virus. It is extremely unlikely that the average PC would be affected by the Slammer worm. Could this email then be a sleazy ploy by the spammer to capitalize on my fear of infection? Would any security company worth its salt capitalize on the naïveté of the general population to sell security solutions? Why is there so much confusion around what to do about worm outbreaks like Slammer and more importantly, how to prevent future occurrences?

The responsibility lies with three distinct groups: the security solutions providers, the operating system and application vendors, and the public "at large" who are the consumers of information technology. First of all, despite vendor claims to the contrary, there was nothing that anyone could do once the worm was released into the "wild". The worm spread too quickly, affecting all 75,000 of the vulnerable hosts within 15 minutes, 90% of those within 10 minutes. With the average time needed to update a large site counted in days, not hours, and certainly not minutes, the idea of patching anything once the outbreak occurred is simply ludicrous. Another far-fetched notion is that next generation intrusion-prevention software could have "prevented" Slammer from spreading infection by detecting anomalous activity and freezing the targeted host. Not that the solutions from Entercept, Okena, and others don't work as advertised; it's just not realistic to expect the "security unaware", i.e., those that have not gotten around to applying the SQL Server patch over the last six months, to suddenly embrace a leading edge product. The public relations benefit to the security solution providers when outbreaks like Slammer occur is undeniable; the larger question is how to reach those "security unaware" who are the bigger part of the problem.
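The argument above rests on a mismatch of timescales: the worm saturates its population in minutes while patch deployment takes days. The following added example (not part of the original column) puts the page's own figures into a simple susceptible-infected epidemic model to make that mismatch concrete. It assumes a logistic spread curve and a linear patch rollout; the 75,000-host population and the 90%-in-10-minutes figure come from the text, while the single initial infection and the two-day patch window are constructed assumptions for illustration.

```python
import math

# Figures quoted in the column (the model parameters derived from them are assumptions).
VULNERABLE_HOSTS = 75_000          # hosts vulnerable at the time of the outbreak
FRACTION_AT_10_MIN = 0.90          # 90% of them infected within 10 minutes
INITIAL_INFECTED = 1               # constructed assumption: one seed host


def calibrate_beta(n_hosts, frac_at_t, t_minutes, initial=INITIAL_INFECTED):
    """Solve the logistic (SI) model for the per-minute contact rate beta so that
    the infected fraction equals frac_at_t after t_minutes, starting from `initial`
    infected hosts.  i(t) = 1 / (1 + ((1 - i0) / i0) * exp(-beta * t))."""
    i0 = initial / n_hosts
    odds0 = (1 - i0) / i0                    # initial susceptible:infected odds
    odds_t = (1 - frac_at_t) / frac_at_t     # odds we want at time t
    return math.log(odds0 / odds_t) / t_minutes


def infected_fraction(beta, n_hosts, t_minutes, initial=INITIAL_INFECTED):
    """Fraction of the vulnerable population infected at t_minutes under the SI model."""
    i0 = initial / n_hosts
    return 1.0 / (1.0 + ((1 - i0) / i0) * math.exp(-beta * t_minutes))


def doubling_time_minutes(beta):
    """Early-phase doubling time of the infected population (while almost all hosts
    are still susceptible, growth is approximately exponential at rate beta)."""
    return math.log(2) / beta


def patched_fraction(t_minutes, patch_window_minutes):
    """Fraction of hosts patched at t_minutes if a site rolls out the fix uniformly
    over patch_window_minutes (constructed assumption: linear rollout)."""
    return min(1.0, max(0.0, t_minutes / patch_window_minutes))


def outbreak_vs_patching(patch_window_days=2.0):
    """Compare worm saturation with patch progress at the 10- and 15-minute marks
    the column cites.  Returns a dict of fractions for each checkpoint."""
    beta = calibrate_beta(VULNERABLE_HOSTS, FRACTION_AT_10_MIN, 10)
    window = patch_window_days * 24 * 60
    return {
        t: {
            "infected": infected_fraction(beta, VULNERABLE_HOSTS, t),
            "patched": patched_fraction(t, window),
        }
        for t in (10, 15)
    }


if __name__ == "__main__":
    beta = calibrate_beta(VULNERABLE_HOSTS, FRACTION_AT_10_MIN, 10)
    print(f"contact rate beta = {beta:.3f}/min, doubling time ~ "
          f"{doubling_time_minutes(beta) * 60:.0f} s")
    for t, row in outbreak_vs_patching().items():
        print(f"t={t:2d} min: infected {row['infected']:.4%}, "
              f"patched {row['patched']:.4%} (2-day rollout)")
```

Even with a generous two-day rollout, well under one percent of hosts are patched by the time the worm has reached essentially every vulnerable machine, which is the column's point: the only patch that counts is the one applied before the outbreak.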

Which brings us to the role of the operating system and application server vendors, and Microsoft in particular, in preventing future attacks. By now the pattern is familiar: Microsoft releases code with security vulnerabilities, researchers (hopefully one step ahead of the hackers) identify and publish the vulnerability, and Microsoft releases the software update to fix the vulnerability. This is what happened during the last three major outbreaks, Code Red, Nimda, and now Slammer. What also happened, or didn't happen, was that end-users were supposed to download the fix and apply it to the vulnerable software. Some blame Microsoft for releasing the vulnerable software in the first place; others blame it for making the notification and download process too cumbersome. Doesn't the blame also have to lie with those "security unaware" end users who do not bother to keep their systems up to date? How best to reach them? Should there be a code of Internet usage that says the price of Internet access is keeping a system up-to-date with the latest fixes? With hundreds of thousands of unpatched systems still out there, many with high-speed Internet access, the potential for a post-Slammer worm to do malicious damage or turn these computers into the Internet equivalent of "weapons of mass disruption" is very real.

Education and public awareness will be the best preventative in bringing the "security unaware" into the 21st century. What used to be a concern of the fortunate few is now an almost universal problem for anyone with a PC and an email account. I just hope that the marketing messages will evolve alongside the threats, but the more things change, the more they remain the same: fear sells.

Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached at info@rcl-associates.com.

© 2003 RCL & Associates, Inc.