Olympus Digital Camera Ships With a Worm

An anonymous reader writes "Olympus Japan has issued a warning to customers who have bought its Stylus Tough 6010 digital compact camera that it comes with an unexpected extra — a virus on its internal memory card. The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device. Olympus says it 'humbly apologizes' for the incident, which is believed to have affected some 1,700 units. The company said it will make every effort to improve its quality control procedures in future. Security company Sophos says that more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."

Re:Dodged a bullet.

[sethstorm]

The despotic People's Republic of China - where the worst of company town practices are in an entire country(if not region).

So..

[Renraku]

What kind of compensation are the makers going to offer everyone who's system they hosed?

Seriously?

[Anonymous Coward]

At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."

Seriously?

It's getting to the point where running a computer is turning into a full time job. I need to scan every single product I buy before using it? Isn't that why I bother to pay a premium to get name-brand products from legitimate outlets?

I'm annoyed that the ultimate time-saving device is becoming more and more of a chore. I'm expected to spend hours researching the ways in which to harden my browser against cookie tracking, to rate virus scanners using contradictory and confusing standards, to assess information that requires a degree in computer science everytime I want to get a PC game to work, to pull out my law degree everytime I use an online product or dive through an EULA, and now this?

I mean come on, where's it going to end? Should I do independant surge tests on the next microwave I buy before plugging it in? What about my printer, does it need a scan too? Should I take my newly purchased tires to an independant assessor? How about that new CD I bought?
 

Re:Dodged a bullet.

[Anonymous Coward]

Didn't see it mentioned in the few dozen comments at the moment, but "more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled" blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.

I know it's somewhat passe to pick on an OS because it remains the one commonality in malware infections, but seriously, a design as defective as Autorun's implementation should be beaten with large sticks every chance we can get until it's a bloody pulp, or no more than a stain. Srsly.

Re:With offshoring as it is...

[newcastlejon]

How do we know the image for the card wasn't put together in Japan? The camera says Made in China, the software perhaps not.

Autorun?!

[dido]

I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media. It was tolerable if annoying for CDs and DVDs, but it became downright dangerous once USB sticks and similar rewritable media were included. I wonder why they haven't decided to push an update that disables or limits the damage that this misbegotten feature can do.

Re:Seriously?

[Saeed al-Sahaf]

Should I do independant surge tests on the next microwave I buy before plugging it in?

Does your microwave connect to your network?

Criminal penalties are necessary

[grahamsaa]

Civil and criminal penalties should be imposed on manufacturers that ship hardware that's pre-loaded with malware. As of right now, there are no consequences, which means that this will continue to happen. The only remedy that will stop, or at least curb this behavior is serious civil or criminal charges.

Companies may blame this on outsourcing, but they have chosen to outsource. They may blame it on poor quality control, but quality control is their responsibility! There is no excuse for this, and the executives that make decisions that lead to this type of security hole must be held accountable. I wish I could say that I was surprised by this news, but I'm not. It's commonplace. And until hardware and software companies are held accountable, this will continue to happen.

Re:Intentional or accidental?

[AHuxley]

Between intentional and accidental is "a Google".
If you are exposed just quote "“As we said before, this was a mistake,” Google spokeswoman Christine Chen"
http://www.wired.com/threatlevel/2010/06/google-wifi-debacle/#ixzz0qJdk9Bjv [wired.com]
Wait, stonewall, wait a bit more and the press moves on :)

Re:Dodged a bullet.

[denmarkw00t]

Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."

Dumb.

A system has to load the image over usb!

[Joe The Dragon]

A system has to load the image over usb! so maybe that system has a worm on it.

As usual the real problem is unnecessary crap

[rudy_wayne]

but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device.

Why isn't the memory card formatted and completely blank?

consumers should learn to always ensure Autorun is disabled,

No, companies should stop selling memory cards with unnecessary crap installed.

Re:Autorun?!

[rudy_wayne]

At the single biggest security problem at the place were I work. We tried disabling it, but we had too many problems of people putting in flash drives or cd and the stupid flash based window not popping up like it did "on their home computer" and that "their computer was broken."

So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.

Re:Seriously?

[Anonymous Coward]

No, but it does connect to my electrics. Should I have to worry that every new gadget in my place is going to cause a fire? No, because we as a society decided that was not the way we wanted to live our lives and we adjusted the legal landscape accordingly.

Re:Dodged a bullet.

[schon]

blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.

Well duh - consider the source.. it's an antivirus company. They wouldn't be in business if not for Windows.

An antivirus company saying that Windows in insecure would be like BP saying that we should all switch to solar power and stop using oil.

Re:Autorun?!

[TheGratefulNet]

he's probably also talking about the *executives*. they tend to be the dumbest in terms of actual computer use.

fire them? yeah, go ahead and try.

Re:Dodged a bullet.

[grcumb]

Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."

Who's blaming the OS? We're blaming the company that made the OS. The same company, by the way, that brought us ActiveX in Internet Explorer, executable attachments in Outlook, Word Document viruses, IIS prior to 7, and 'run as Administrator by default'.

Dumb.

Dumb, indeed.

(I'm not even going to get into the myriad other objectionable actions and statements that they've indulged in since the beginning of the '90s. They're not germane to this discussion.)

Re:Autorun?!

[robthebloke]

The OP didn't say anything about employees - he said workplace. Every worked in a university? It's far easier to ghost the machines at the end of every day or session than deal with hundreds of queries a day from the vast majority of the 20,000 students who struggle to understand the basic concepts of computer security.

Re:Dodged a bullet.

[Anonymous Coward]

The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device.

Remember folks, that's Microsoft Windows (R)(TM). Too bad it has no effective enabled-by-default security system to prevent this sort of thing. Like I dunno, limited user accounts and non-executable mounts?

Re:Dodged a bullet.

[causality]

No, it's the user. Autorun was meant to be usability easiness and laziness.

The decision to accommodate laziness by default and to then advertise it as "easy to use!" for non-technical people was not the users' decision.

Re:Dodged a bullet.

[Mr. Freeman]

I turned autorun off on every computer I've ever had without much issue. That's windows 98, 2000, XP, vista, server '08, and win 7. All of them made it easy enough to turn it off. I'm not sure what the hell you're talking about.

The larger problem

[istartedi]

Everybody harping on autorun. The larger problem is insecure defaults. Autorun hasn't been nearly as bad as "Hide file extensions". For people like myself, it lead to filenames like foo.txt.txt before I realized that stupidity was turned on. For people who weren't paranoid enough, it was the legendary HotChick.jpeg.exe kind of stuff.

But I digress. The real problem is poor default choices. Again and again. MS needs to realize that you can't pander too much to the very stupidest users who haven't used their product EVER. Double-clicking a CD icon, file extensions, and the permission dialog for Active X controls should be taught on day one.

In other words, MS needs to back off just a bit from the cult of useability, and educate the users ever so slightly. I mean, this is one time when their incredible market share would be helpful. It's not like all Windows users are just going to get up and leave. In the long run, it'll help them stay too.

Give up on the "cup holder" people (CHPs). They will either move beyond that stage, or they won't; but you can't, Can't CAN'T design an OS that can be used by CHPs without also making it useful for script kiddies... unless maybe you go to an AppStore model, and that's got other issues.

Re:Dodged a bullet.

[Bert64]

That's the biggest problem, MS is able to release inferior products and then drive user's expectations down to match. When you tell people that they wouldn't have these problems using something else they don't believe you because it sounds "too good to be true".

Re:Seriously?

[indiechild]

Good points. This is why "appliance computing" ala iPad and the like will become increasingly popular over the next few years. Slashdot geeks will decry it as dumbed down computing for the unwashed masses, but in reality, it's computing made usable.

Re:Dodged a bullet.

[mcgrew]

For non-experienced users, hiding the extension is sensible, and makes Windows a bit more like those other OSs.

No it wouldn't; see the other comment responding to yours. It isn't anything at all like other OSes.

It was always a problem that an inexperienced user would inadvertently change the file type, merely by renaming the filename.

That's another problem other OSes lack, and I used to run across it all the time from co-workers who would do just that. Fortnately, explaining it to them was easy. The Windows kludge shouldn't have been there in the first place.

So you'd say that all those non-Windows OSs are also insecure, because you could have a file "picture", that actually was an executable virus when you doubleclicked

Other OSes don't do that; as the other poster pointed out, you have to manually make the file executable. I imagine that's why many Windows stories here are tagged "defectivebydesign".