
Creative Zens Ship with Worms

An anonymous reader writes "Engadget reports about 3700 Creative Zen "Neeons" shipped with a virus. The virus in question was the W32.Wullik.B@mm worm. Creative released a statement today to help consumers pinpoint the possibly effected devices."
  • Product Liability (Score:5, Interesting)

    by Monte ( 48723 ) on Tuesday August 30, 2005 @05:29AM (#13434298)
    Ouch - that's going to be a black eye. Although it isn't the first case of software shipping with malware, IIRC there was some kid's game on CD that included a Bonus Virus inside.

    Now a comment and a question for the peanut gallery - it's always been a pet peeve of mine that software companies aren't held to any real sort of accountability for shipping product that is clearly flawed. They hide behind the "shrink wrap" license, and (at least IMHO) get away with murder. Imagine if GM or Ford or Daimler-Chrysler put such a waiver of liability on a sticker on the doors of their new cars. The courts would tear them a new one so fast it'd be like lightning.

    The question - what sort of liability does Creative have in this case, and what's fair recompense for shipping a clearly flawed product where said flaw has the possibility of harming the user's computer, data integrity and / or privacy?

    How much is enough? Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

    Personally, I say "Yes". GM spends a hell of a lot of time and energy making sure their brakes work, I'd like to see software companies (and you all know exactly who I've got my sights on here) make sure they ship product that isn't horribly broken right out of the box.
    • by LordSnooty ( 853791 ) on Tuesday August 30, 2005 @05:37AM (#13434327)
      It's a fair point, but I suppose a key difference is that if the car makers released a defective product, people could die because of it. Having to re-install Windows is a pain, sure, but no-one dies.

      Cue posts about hospitals running Windows... ok, in certain circs there is a valid argument. I don't think you can stretch it to cover the average Joe. A refund might be nice, though.
      • Not true at all. There have been cases in history where hardware could fail because of a certain execution in software. So, what if your Operating System causes a hardware fault.. Say a flaw in Windows causes a certain part of the motherboard to overheat and it causes a fire which burns a house down and kills two adults and 3 children. Should they be liable then?

        • How could you prove liability in a court of law that it was Windows? The evidence burns in the fire. Unless the 3 children died because you wanted to save the evidence instead of them?
        • by saider ( 177166 )
          Not true at all. There have been cases in history where hardware could fail because of a certain execution in software. So, what if your Operating System causes a hardware fault.. Say a flaw in Windows causes a certain part of the motherboard to overheat and it causes a fire which burns a house down and kills two adults and 3 children. Should they be liable then?

          The hardware manufacturer. At no point should safety be driven by software. The hardware should be designed so that any exception cases do not pr
          • If the hardware can burn, shock, or do anything hazardous, it is up to the hardware to mitigate that problem

            Not true at all - software _can_ make modern hardware damage itself:
            - Most modern PCs have software controlled voltage regulators (you can tune them in the BIOS) so a nasty piece of software _could_ max out the voltage on the regulators, leads to the hardware overheating - no idea about the potential fire hazard, most stuff inside PCs is fairly non-combustible so I'd guess the chances of a fir
      • by sdpuppy ( 898535 )
        >Cue posts about hospitals running Windows... ok, in certain circs there is a valid argument. I don't think you can stretch it to cover the average Joe. A refund might be nice, though.

        Perhaps. But a computer virus can infest many many systems.

        A car accident can only propagate so far. Just hope that someday when one of us is in the hospital, a virus doesn't get into their system and scramble our info in the data base or delay a blood transfusion.

      • Having to re-install Windows is a pain, sure, but no-one dies.

        At least until XP, Windows died (BSOD) and a re-install would solve the issue. With XP it says something vague like "Dr Watson performed an illegal operation" or even more confusing "Win32 Generic Services failed unexpectedly" ... followed by the helpful "Send Error report to Microsoft?" Whatever for?

        At least let the damn OS die in peace so the offending component (IE or kernel32 or whatever) can be de-installed. From XP on it's not possible to do
      • Re:Product Liability (Score:3, Interesting)

        by GauteL ( 29207 )
        People dying are only the most extreme form of defective product which manufacturers are liable for, not the only one.

        You can be sued for compensation if some stupid design flaw in your washing machine causes it to burst and spill water all over your apartment.

        You can be sued for compensation when some daft design flaw causes your vacuum cleaner to explode ruining your carpet and possibly causing some minor injury to yourself.

        Likewise, requiring some license that excludes you from any compensation AFTER the
      • I didn't think windows was allowed for life-supporting applications.
      • So... if someone buys a portable MP3 player and takes it to work with them, plugs it in (which, yeah, they shouldn't do.. but it happens) and the built-in virus moves onto the hospital network... are you SURE nobody dies?

        You can make the argument that a hospital network should be secure against virii... and I can counter that a gas tank should be secure from sugar.

        I know, sugar isn't designed to be installed in gas tanks... but most portable MP3 players ARE designed to connect to computers, and thus to network
      • by FictionPimp ( 712802 ) on Tuesday August 30, 2005 @07:03AM (#13434698) Homepage
        No, you're looking at it all wrong. When a car is broke, people die. But when a computer is down people lose money. Which one is worse in the corp eye again?
        • Re:Product Liability (Score:2, Interesting)

          by Rayaru ( 898516 ) *
          Clearly, death is worse. However, when a virus/worm/whatever brings down a business's whole network by exploiting some unknown flaw in the operating system, that business stops working if they rely on computers for communication, sales, customer service, etc. This can impact not only on the economic well-being of the company in question, but also the livelihoods of each of the employees of the company. Again, it's not death, but it's still something significant that deserves attention.
      • Having to re-install Windows is a pain, sure, but no-one dies.

        We all die a little inside when forced to re-install Windows.

    • Good thing modern viruses aren't like CIH and pals.
      I'd hate to buy new motherboard/gpu just because my pc was infected with some virus that flashed bioses full of garbage.
    • by jkrise ( 535370 )
      Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

      If we treat MS the same way, they'll have a valid reason to NEVER ship LongHorn. After a decade, they still can't get out code that DOESN'T NEED an anti-virus out of the box. Methinks Creative chose a wrong platform for their device.
      • > After a decade, they still can't get out code that DOESN'T NEED
        > an anti-virus out of the box.

        Name anyone who can. Unless you install a really obscure OS, then it's very probable there are lots of viruses for it.
    • Although it isn't the first case of software shipping with malware, IIRC there was some kid's game on CD that included a Bonus Virus inside.

      I don't know if that's the one you mean, but Atelier Marie (Dreamcast) shipped with a bonus screensaver that included a virus [theregister.co.uk].
    • Don't forget the first word macro virus. Not only did MS ship it on their documentation CDs, it had been written by someone within the company. Creative can at least make the argument that it was an external agent causing the problem, not them - like a cat burglar sneaking into the GM factory and cutting the brake cables.
    • Re:Product Liability (Score:2, Informative)

      by cocotoni ( 594328 )
      Although it isn't the first case of software shipping with malware
      The worst had to be MicroSoft sending CDs of Korean version of Visual Studio .NET infected with Nimda worm. As can be seen here [microsoft.com].
    • While I totally agree with the concept I don't think your argument holds up.

      If brakes fail on a car a person dies, while if an OS has a hole privacy is breached, and data is corrupted. This is not quite the same level of damage (although I'm sure there are cases which go both ways.. I'm speaking in general here)

      The problem is if a new Honda Civic was to wait in storage for 2 years it would still be allowed on the road, and would be in better condition than the greater population of the cars out there.
    • Should Creative be given a hard enough pranging to get the attention of other software manufacturers?

      Careful what you wish for; don't forget that RedHat, the Ubuntu people, and the hobbyist tinkering away on his small shareware/freeware projects are all "software manufacturers" too.

      If the likes of Creative and Microsoft should be liable, then why not them? Simply not charging is not enough, cost should not be used as the measure for liability (especially as Creative's software is effectively free with their
    • Re:Product Liability (Score:3, Interesting)

      by sjames ( 1099 )

      Software product liability tends to get much more complicated than for most products. Some of that is due to the complex interactions between different software and user environments, and some of it is simply because users, judges, and juries have no understanding of the issues involved.

      In part this is because everything in a computer can potentially interact. Hanging a pair of fuzzy dice on your rearview cannot result in a brake failure, but installing a funky screensaver CAN be the reason your spreadsh

    • I once worked for a software developer in the Dallas, TX area who had a mainframe development side, and a PC development side. I worked on the mainframe side of the house, and thus didn't have to concern myself with the PC stuff, which was relatively new at the time. One of the PC developers shipped a software update to one of our customers, a big law firm, who also had a large Novell PC network in their offices. The PC software was infected with a virus, because the PC programmer was habitually visiting BB
  • by coshx ( 687751 ) on Tuesday August 30, 2005 @05:31AM (#13434300)
    but shouldn't it be affected?
    the possibly effected devices means the devices that possibly came into existence because of the worm.
  • iPod and Mac zealots are now going to proclaim that "iPods don't get viruses!" ?
  • by jarich ( 733129 ) on Tuesday August 30, 2005 @05:31AM (#13434303) Homepage Journal
    Microsoft did this a few years back if memory serves.

    When you run Windows, you must run anti-virus ~all~ the time!

    • That's a feature.. not a bug! Windows provides full upward compatibility for all code from DOS onwards, including viruses, worms and ticks... but excluding Lotus, WordPerfect, Netscape....

      Can't think of a single virus that runs only on Win98 but not on XP...
    • by jarich ( 733129 ) on Tuesday August 30, 2005 @05:43AM (#13434354) Homepage Journal
      Flamebait?

      When I see the "quality" of /. comments, especially compared to just a year or so ago, I realize it's populated with the younger generation, but things like this confirm it.

      It's not flamebait, you just don't remember it happening. I wasn't referring to Windows itself.

      Here are a few examples:

      http://www.idg.co.nz/cw.nsf/0/CC256D400014E76CCC25 6A3A00806895?OpenDocument&Type=Column&More=Virus/ [idg.co.nz] Microsoft makes the virus news section too, with confirmation that it shipped some hotfixes infected with the rather nasty (but old and well-detected by antivirus software) FunLove virus

      http://news.com.com/2100-1001-935994.html/ [com.com] Microsoft accidentally sent the virulent Nimda worm to South Korean developers when it distributed Korean-language versions of Visual Studio .Net

      It doesn't mean MS is evil, it means they are human. Any company that ships tons of software will ~eventually~ make a mistake.

      Today it's Creative's turn.

  • by SysKoll ( 48967 ) on Tuesday August 30, 2005 @05:37AM (#13434322)
    This is exactly why having windows machines in a production process is a bad idea. You never know when a worm, virus, trojan or other beast is going to interfere with your fabrication, the files or the hard disk imaging.

    IBM is running its new 90-nm microelectronics fab (in Fishkill, NY) entirely on Linux. So if it's feasible for a plant of that complexity, it should be feasible for a small assembly plant such as Zen Creative's.

    • IBM is running its new 90-nm microelectronics fab (in Fishkill, NY) entirely on Linux. So if it's feasible for a plant of that complexity, it should be feasible for a small assembly plant such as Zen Creative's.

      Feasible, yes, cost effective or prudent... not necessarily. All the IBM example shows is that IBM, a company with a vast wealth of Linux resources, has invested their energies in creating a production process based on Linux for one of their most costly and complex environments. For a simple produc
      • Qu'est-ce-que tu fumes? The cost of developing a Linux solution from scratch is the same as the cost of developing a Windows solution from scratch. The cost of developing a Linux solution decreases with every similarity between an existing Linux solution and the one you are developing, whereas the vendors of Windows solutions will charge you the same for changing one line as for developing from scratch.
    • What happens in a few years time when a Linux based virus spreads and all those "security by obscurity" factories and workshops are compromised?

      Understand that Linux is not a shining light that will be 100% watertight, if market share increases, more eyes will be on it and the potential for a major virus outbreak grows (tbh, I think the entry points will come from an application rather than the kernel but that's just the way it is)

      Any operating system can be made secure by following proper procedure and keep
    • Not just Windows (Score:5, Interesting)

      by RAMMS+EIN ( 578166 ) on Tuesday August 30, 2005 @06:17AM (#13434502) Homepage Journal
      ``This is exactly why having windows machines in a production process is a bad idea.''

      Although Windows has a deserved reputation for being susceptible to viruses and break-ins, this problem is not unique to Windows. Any software written in unsafe languages (like C and C++) is bound to contain exploitable vulnerabilities. Any system that allows the user to run software that they bring to it is susceptible to trojans.

      AFAIK, no current operating system is both usable and provides adequate protection mechanisms against viruses. A fine-grained permission system might help, though. Allow the MP3 player's software access to your music directory, but nothing else. Allow the word processor access to your documents directory, but nothing else.

      I wrote a utility called chrootexec that allows you to run a program in a chroot jail (it cannot access files outside that directory). It's basically the same as the chroot command, except that you don't need to be root to use it (but it does have to be installed suid root to work).

      However, some programs (file managers come to mind) need access to many directories to be useful. These will still be exploitable.
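
The pattern described in the comment above, a setuid-root wrapper that chroots and then runs the program as the calling user, as an added example. It is not the source of chrootexec; the name `jailexec`, the status codes and the absolute-path rule are assumptions made here, and the `prctl` call assumes Linux.

```c
/* jailexec.c: added illustration, NOT the chrootexec utility itself.
 * Hypothetical usage: jailexec <absolute-jail-dir> <program> [args...]
 * Meant to be installed setuid root; run unprivileged it stops at chroot(). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_ARGS,    /* missing or relative jail path */
    JAIL_ERR_CHROOT,  /* chroot() refused: no privilege or bad path */
    JAIL_ERR_CHDIR,   /* could not move the cwd inside the new root */
    JAIL_ERR_DROP,    /* could not give up root */
    JAIL_ERR_REGAIN   /* root could still be regained after the drop */
};

/* Enter the jail, then permanently become uid/gid. Returns a jail_status. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* Assumption of this example: only absolute paths are accepted, so the
     * jail does not depend on the caller's working directory. */
    if (dir == NULL || dir[0] != '/')
        return JAIL_ERR_ARGS;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    /* chroot() leaves the cwd alone; a cwd outside the new root is a way out. */
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Group first: once the uid is dropped we may no longer change the gid.
     * With euid 0, setuid() also resets the saved uid, so the drop is final. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;
    /* Verify rather than trust: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return JAIL_ERR_REGAIN;
#ifdef __linux__
    /* The jail contents are user-supplied, so setuid files inside it must
     * not grant anything to the program we are about to run. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return JAIL_ERR_DROP;
#endif
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jail-dir> <program> [args...]\n", argv[0]);
        return 2;
    }
    /* In a setuid-root binary the real uid/gid are still the caller's. */
    int rc = enter_jail(argv[1], getuid(), getgid());
    if (rc != JAIL_OK) {
        fprintf(stderr, "jailexec: setup failed at step %d\n", rc);
        return 1;
    }
    execv(argv[2], &argv[2]);   /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

chroot() only confines path lookups; a process that keeps root can leave the jail, which is why the drop is checked before the exec.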
  • homophones (Score:5, Funny)

    by ajs318 ( 655362 ) <sd_resp2.earthshod@co@uk> on Tuesday August 30, 2005 @05:38AM (#13434329)
    Scrawny man in PE kit, about to lift a small weight: "Will this affect me?"

    Muscular man, lifting two larger weights with each hand: "Look at the effect it had on me!"

    From a poster in the Remedial Studies unit at my secondary school.
  • by term8or ( 576787 ) on Tuesday August 30, 2005 @05:39AM (#13434338)
    These people don't even know how to grammar check their press release...

    It was verified that it is the possibility the extermination possible worm type virus of the risk which is called to the player itself of Creative Zen of the digital audio player who it was produced was shipped from shipment preparation and late July this each time in our company Neeon "W32.Wullik.B@mm" having mixed low.

    OK. The actual problem is probably not serious as far as I can tell, since running the virus software is not automatic on installation (which I bet is done by a super user or admin). But really, this is not professional and someone ought to get the sack. And the person who wrote the press release ought to be retrained as a petrol station attendant.
    • If your complaints against the grammar come from the second link in the blurb, it is machine translation from Japanese to English via Babelfish. On the contrary, the original Japanese was written well enough.

      For any Japanophiles in the house, for the translation It regards the problem of the Creative Zen Neeon digital audio player, the original [creative.com] was Creative Zen Neeon Digital Audio Player [dejitaru o-d'io pure-ya-] no mondai ni kan suru, which is better translated as regarding the problem with the Creative Z
  • by AndroidCat ( 229562 ) on Tuesday August 30, 2005 @05:40AM (#13434342) Homepage

    Come to think of it, how does this worm manifest itself on a player device?

    "W32.Wullik.B@mm is a mass-mailing worm that attempts to send itself to all the contacts in the Outlook address book. The worm makes numerous copies of itself in random locations, and moves to a new location when Windows Explorer browses to the folder from which it runs. It can spread to floppy disks and shared network drives under some conditions."
    I doubt it executes on the player itself. Can it infect the PCs that you connect the player to for syncing?
    • As I read it, there's simply an executable on the player, so you'd have to run a random program you found on your player to get infected. Still, I can imagine someone thinking "Hmm, creative have put a program on my player, it must be a useful tool for using it".
  • Just wondering.... (Score:4, Insightful)

    by someone300 ( 891284 ) on Tuesday August 30, 2005 @05:40AM (#13434347)
    Is this virus on the software/driver CD or the actual device itself?

    If it's on the device, how is it running on the zen, since I'd imagine the zen doesn't run windows, and how does it get from the zen to the operating system? (Wouldn't a zen be just like a bulk transfer device or something, and require the user to download and run the virus from it?)
    • It's on the device, which I presume acts as a USB mass storage device. You could run the virus directly off it, just like a virus on a floppy disc or CD or network share (windows treats anything with a drive letter the same), but yes it does require user intervention. It happened because this particular virus copies itself to (more or less) random directories, so someone had (presumably) the master disc image mounted and the virus made a copy of itself there.
  • oopsies (Score:3, Interesting)

    by theheff ( 894014 ) on Tuesday August 30, 2005 @05:41AM (#13434349)
    It'll be interesting to see how both the consumer and the company react to this situation and to see how public this could get. If damage is actually done here from the defect, who would be liable? Oh the joys of transitioning into the digital age...
  • by Anonymous Coward on Tuesday August 30, 2005 @05:50AM (#13434384)
    The author of W32.Wullik.B@mm is suing Creative Zen for copyright infringement under the DMCA.
  • by Anonymous Coward
    Maybe Avon can fix it with the help of Orac.
  • They're so creative! First they invented shipping with styrofoam peanuts and now worms?! What'll they think of next?...
  • I don't know too much about worms, but I'd assume that something like this would have to happen deliberately - ie someone deliberately put an infected executable into the drive image? Or are worms smart enough to infect things inside disk images (or whatever they might be using - how do industrial processes get stuff onto hard disks???)
  • by manavendra ( 688020 ) on Tuesday August 30, 2005 @05:59AM (#13434419) Homepage Journal
    ..for a product vying for a piece of personal hdd-based players dominated by iPod, this is bad news.

    Creative may try to position itself as the player with replaceable battery (hence longer life), has few more quirks (such as allowing you to move files across computers, rather than going the iTunes way), however, iPod still remains the benchmark in usability and style (the USP of iPod).

    Till they manage to one-up the market leader with innovative design or something special, such glitches will always render it as also-ran
  • by Joseph_Daniel_Zukige ( 807773 ) on Tuesday August 30, 2005 @06:05AM (#13434447) Homepage Journal

    For those who, like me, prefer reading intelligible Japanese over machine translation, here [creative.com].

    Once upon a time I remembered that %2f was slash and %3f was question mark, etc.

  • Where was their QA? (Score:2, Interesting)

    by flajann ( 658201 )
    I thought QA was supposed to catch this type of thing, I mean really.

    I can't imagine how something like this got into the production image unless there were a lot with their thumbs up their anal orifices that day...

  • by theraccoon ( 592935 ) on Tuesday August 30, 2005 @06:24AM (#13434525) Journal
    The author of the post and the editor who posted it both failed to mention that this only affects models shipped in Japan. The link to the creative page is a babelfish translated website! Plus, the engadget page says that in order to become infected, you'll need to "go running conspicuous applications found on your device".

    Why does this sound like some Mac/iPod anonymous fanatic kicking dust?

  • by RyoShin ( 610051 ) <tukaro AT gmail DOT com> on Tuesday August 30, 2005 @06:54AM (#13434655) Homepage Journal
    After all, they've saved countless users entire minutes by cutting out the middle man and having an already-installed virus. This could potentially teach the unsuspecting public about the harm and danger of viruses with an in-your-face attitude.

    Microsoft should definitely start doing this.
  • Why isn't there a recall?
  • What the hell is a Neeon? A common complaint on "front page quality" articles is the lack of basic information. News for Nerds implies some sort of journalism, strive for some sort of journalistic standards.
  • iPod Killer.

    Creative is taking it WAY too far.
  • by TractorBarry ( 788340 ) on Tuesday August 30, 2005 @07:24AM (#13434814) Homepage
    Well this doesn't surprise me as, by the design of the Zen, Creative have already shown that they don't have a clue.

    For frick's sake the Zen is Windows only and requires proprietary drivers to talk to it (yes I know there's a Linux project that does this but Creative themselves don't support anything other than Windows) Guess what Creative, THERE ARE OTHER OPERATING SYSTEMS ON THE PLANET.

    Come on how hard can it be to make a device that supports direct access to its filesystem in the manner of a USB pen drive coupled with the ability of the device to play any media files found within its file system ? Maybe the designers could also be really clever (tm) and hold your playlists etc. in a small database held within the filesystem ? (wowee they could even use XML text files)

    So why the hell is it that these wretched portable hard disk players all seem to feature yet another proprietary file system ? Sorry that's just awful, awful, shitty design. Once again manufacturers choose to reinvent the wheel poorly instead of reusing existing, proven technologies to good effect.

    Sheesh. Creative Zens suck enough already but now they come with bundled viruses.

    Creative are clueless. Utterly clueless.
  • Serious, it adds to the experience, it lets the user know the device inside out, it sharpens the learning curve. Our users love this feature! Our sales will increase, we will beat the not so flexible multimedia devices out there with this feature.

    Signed: Zen marketing representative
  • LOL!!! (Score:2, Funny)

    by http101 ( 522275 )
    Finally, Creative products ship with software that actually works!
  • by bullitB ( 447519 ) on Tuesday August 30, 2005 @08:11AM (#13435087)
    Come on, Creative, where was marketing on this?

    "Yeah, our players have virii, but they're removable...like our batteries!"

    "Sure you'll get your computer hopelessly infected with a virus, but as you're reinstalling Windows, you'll be able to listen to FM radio!"

    "Don't worry, our Stik-On [creative.com] MP3 player stickers are totally virus-proof."
