Olympus Digital Camera Ships With a Worm
An anonymous reader writes "Olympus Japan has issued a warning to customers who have bought its Stylus Tough 6010 digital compact camera that it comes with an unexpected extra — a virus on its internal memory card. The Autorun worm cannot infect the camera itself, but if it is plugged into a Windows computer's USB port, it can copy itself onto the PC, then subsequently infect any attached USB device. Olympus says it 'humbly apologizes' for the incident, which is believed to have affected some 1,700 units. The company said it will make every effort to improve its quality control procedures in future. Security company Sophos says that more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer."
Dodged a bullet. (Score:4, Funny)
Whew, glad my Canon doesn't mount itself as an external disk. Think of all the grief I've saved myself by having to launch something to get photos off of it.
[/sarcasm]
So, where did these cameras originate? China, Japan, Taiwan?
Re: (Score:3, Insightful)
The despotic People's Republic of China - where the worst of company town practices are in an entire country(if not region).
Re: (Score:2, Insightful)
Remember folks, that's Microsoft Windows (R)(TM). Too bad it has no effective enabled-by-default security system to prevent this sort of thing. Like I dunno, limited user accounts and non-executable mounts?
Re: (Score:2)
Like I dunno, limited user accounts
Limited user accounts have little to do with this unless they are VERY limited (far more limited than any Linux system I'm aware of does by default).
and non-executable mounts?
You don't need to go that far, just not running stuff without being explicitly told to would be sufficient to block most of this sort of crap.
Re: (Score:2)
You don't need to go that far, just not running stuff without being explicitly told to would be sufficient to block most of this sort of crap.
They already tried that with UAC. Users just defaulted to auto-clicking yes every time because they ended up getting a request every time they tried to do pretty much anything.
Re:Dodged a bullet. (Score:5, Insightful)
Didn't see it mentioned in the few dozen comments at the moment, but "more companies need to wake up to the need for better quality control to ensure that they don't ship virus-infected gadgets. At the same time, consumers should learn to always ensure Autorun is disabled" blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.
I know it's somewhat passe to pick on an OS because it remains the one commonality in malware infections, but seriously, a design as defective as Autorun's implementation should be beaten with large sticks every chance we can get until it's a bloody pulp, or no more than a stain. Srsly.
Re:Dodged a bullet. (Score:5, Insightful)
Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."
Dumb.
Re:Dodged a bullet. (Score:5, Insightful)
Someone mod this man up! I totally agree that blaming the OS is a bit passe, but Autorun is also the worst "feature" I've ever encountered - "Oh, you plugged something in that has a filesystem I understand? And an executable it wants me to run? Ok."
Who's blaming the OS? We're blaming the company that made the OS. The same company, by the way, that brought us ActiveX in Internet Explorer, executable attachments in Outlook, Word Document viruses, IIS prior to 7, and 'run as Administrator by default'.
Dumb, indeed.
(I'm not even going to get into the myriad other objectionable actions and statements that they've indulged in since the beginning of the '90s. They're not germane to this discussion.)
Re: (Score:2)
I'd imagine it's the same people who blame crime on things like guns and drugs and video games, as though they were something other than inanimate objects and ideas.
You could "blame" the OS in the sense of recognizing that its design or implementation are definitely involved in the cause-and-effect sequence of this infection. Still, I think the blame you're talking about belongs to the moral/ethical realm of accountability. As long as you have large masses of people who will pay m
Re:Dodged a bullet. (Score:4, Insightful)
That's the biggest problem, MS is able to release inferior products and then drive users' expectations down to match. When you tell people that they wouldn't have these problems using something else they don't believe you because it sounds "too good to be true".
Re: (Score:2, Insightful)
No, it's the user. Autorun was meant to be usability easiness and laziness.
The decision to accommodate laziness by default and to then advertise it as "easy to use!" for non-technical people was not the users' decision.
Re: (Score:2)
However - Autorun is still the most stupid feature implemented as it is since it will allow for propagation of malicious software without the user realizing it.
Users make mistakes, but when you as a user have purchased brand new media you don't expect it to come pre-contaminated in a way that causes you trouble.
And Microsoft hasn't released a good patch that kills Autorun for XP and 2000 for good, which they should have done a long time ago.
Also be aware that if you disable Autorun for CD:s it is still ac
Re: (Score:2)
Windows 7 has autorun off by default.
It shows a popup when a media is detected with some actions depending on the situation (burn cd, play video, etc.) but nothing gets executed automatically.
Re:Dodged a bullet. (Score:5, Informative)
To turn USB autorun off on Windows XP you have to edit the registry. The GUI options do not apply to USB drives for some retarded reason.
I was alerted to this when I bought a USB drive that came with autorunning software (to do encryption and other rubbish) and was surprised that it ran despite me turning autorun off as a part of standard configuration since the late 90's.
Re: (Score:2)
IIRC the problem is the GUI options are per-drive.
This made some sense in the days when the feature was introduced when drives were generally things that didn't get added or removed very often but is something of a problem with USB sticks where the drive and the media are one device that is hot-plugged.
Remember USB sticks are a fairly new phenomenon. Yes they existed when XP was released but they were far from common.
with windows XP they did actually improve things for removable media drives (what most USB
Re: (Score:2)
edit: I was wrong, it seems 2K and before had the autorun system completely disabled for removable media drives while XP enabled it for them to allow for the autoplay dialog.
Re:Dodged a bullet. (Score:5, Informative)
edit: further for completely turning off autorun to be effective you must make sure you have a particular security update installed.
http://support.microsoft.com/kb/967715 [microsoft.com]
the whole thing is a gigantic mess!
Re: (Score:2)
No MS update ever installed itself via Autorun. What are you smoking? Do you even understand what the feature does?
Its sole purpose is so that a user can buy, say, Quicken CD in Best Buy, put it into the drive, and see the window that says "Click here to install".
Re: (Score:3, Insightful)
For non-experienced users, hiding the extension is sensible, and makes Windows a bit more like those other OSs.
No it wouldn't; see the other comment responding to yours. It isn't anything at all like other OSes.
It was always a problem that an inexperienced user would inadvertently change the file type, merely by renaming the filename.
That's another problem other OSes lack, and I used to run across it all the time from co-workers who would do just that. Fortunately, explaining it to them was easy. The Windows
Re: (Score:3, Insightful)
blames the manufacturer of the drive, blames the consumer, but skirts around blaming the OS in question.
Well duh - consider the source.. it's an antivirus company. They wouldn't be in business if not for Windows.
An antivirus company saying that Windows is insecure would be like BP saying that we should all switch to solar power and stop using oil.
no worries (Score:2)
The antivirus companies will have a market at least as long as users have root privileges on the machines they buy at the store. It doesn't matter if they ship loaded with linux and SElinux *correctly* configured. People will do stupid stuff and the home user doesn't normally have anything worth wasting a first use exploit on, so the virus scanner will continue to be a moderately useful and necessary tool for any computing equipment with significant marketshare. And actually the iPhone is an example sh
Re: (Score:3, Funny)
Here's a news item...stop using windows!!
With offshoring as it is... (Score:4, Funny)
Third World factories seem to keep on making these mistakes.
You think they'd try making these in Japan, with full Japanese citizens making them for once?
A system has to load the image over usb! (Score:4, Insightful)
A system has to load the image over usb! so maybe that system has a worm on it.
No it is cheapness (Score:2)
It has nothing to do with where it is made. It is just, Olympus who isn't a no name company doesn't buy 3 of best antiviruses and setup a system where every single byte which goes out of company (digitally or physically) is checked. "All files regardless of content and header" in Kaspersky fashion.
As a Video guy, once I had to ship a CD with Video players (back in days when you need to install a mpeg player) and I clearly remember buying 3 antiviruses from leading companies of that time (didn't change a lot
Well, it depends....... (Score:2)
Do you like subbed, or dubbed?
Intentional or accidental? (Score:5, Interesting)
I hate to ask the obvious question, but the article doesn't address it -- could this be intentional, or is it accidental?
I would imagine that some shady overboss would be willing to pay a relatively sizable amount of money (especially considering that the amount of money you'd have to pay someone in a Chinese factory to do this would not be very high) for the opportunity to infect potentially tens of thousands of computers.
Re: (Score:3, Interesting)
Without more information as to what exactly the worm does, I can only speculate, but I'd bet that it's a trojan downloader or something else that brings in more malware, and that it was planted on some of those cards by a blackhatass who happens to work in their factory. The fact that it's only on a small portion of the cameras seems to indicate one individual somewhere on the production line.
In any case it's not likely much of a threat if the users who get those cameras have decent AV soft
Re: (Score:3, Insightful)
If you are exposed just quote "“As we said before, this was a mistake,” Google spokeswoman Christine Chen"
http://www.wired.com/threatlevel/2010/06/google-wifi-debacle/#ixzz0qJdk9Bjv [wired.com]
Wait, stonewall, wait a bit more and the press moves on
So.. (Score:5, Insightful)
What kind of compensation are the makers going to offer everyone whose system they hosed?
Seriously? (Score:5, Insightful)
Seriously?
It's getting to the point where running a computer is turning into a full time job. I need to scan every single product I buy before using it? Isn't that why I bother to pay a premium to get name-brand products from legitimate outlets?
I'm annoyed that the ultimate time-saving device is becoming more and more of a chore. I'm expected to spend hours researching the ways in which to harden my browser against cookie tracking, to rate virus scanners using contradictory and confusing standards, to assess information that requires a degree in computer science every time I want to get a PC game to work, to pull out my law degree every time I use an online product or dive through an EULA, and now this?
I mean come on, where's it going to end? Should I do independent surge tests on the next microwave I buy before plugging it in? What about my printer, does it need a scan too? Should I take my newly purchased tires to an independent assessor? How about that new CD I bought?
Re:Seriously? (Score:4, Insightful)
Should I do independent surge tests on the next microwave I buy before plugging it in?
Does your microwave connect to your network?
Re:Seriously? (Score:5, Insightful)
No, but it does connect to my electrics. Should I have to worry that every new gadget in my place is going to cause a fire? No, because we as a society decided that was not the way we wanted to live our lives and we adjusted the legal landscape accordingly.
Re: (Score:2)
Which is funny because not a lot of people realize that one of the bands used by 802.11, 2.4 GHz, is the same frequency your magnetron uses to quickly excite watery bags of meat.
Which is funny, because not a lot of magnetrons realize that 2.4 GHz, is the same frequency some people use with 802.11 to connect to the Internet and excite bloody bags of meat.
Re: (Score:2)
Doesn't yours? Jeez, you're so last century.
Re:Seriously? (Score:5, Insightful)
Good points. This is why "appliance computing" ala iPad and the like will become increasingly popular over the next few years. Slashdot geeks will decry it as dumbed down computing for the unwashed masses, but in reality, it's computing made usable.
I have a standard policy (Score:2, Interesting)
Re:I have a standard policy (Score:4, Informative)
Unnecessary unless you use an ancient decade-plus-old Windows version. Vista and 7 stop this attack automatically by displaying the Autoplay dialog when a new device is inserted.
In fact, Windows 7 removes the ability entirely to manually execute Autorun from a flash drive.
Re: (Score:2)
That's an excellent policy (except for blank CDs and DVDs, of course *g* - wouldn't THAT be a helluva nice vector for infecting machines, if it can be done...)
I would like to point out that it should apply SPECIFICALLY to external hard drives one buys, especially used ones. I've had three customers in the last four months who bought used(2) and new(1) external hard drives off of Ebay and got infected with malware hidden either in the autorun or in the included software that comes with the
Re: (Score:2)
Not necessarily for tech support, however ;-(
"I put the new software disk in my drive and nothing happened. Now what do I do?" - phone calls at four AM...
Microsoft thought they had the answer with UAC - click, click...
SB
Re: (Score:2)
You must not have many repeat customers ;-)
SB
Autorun?! (Score:5, Insightful)
I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media. It was tolerable if annoying for CDs and DVDs, but it became downright dangerous once USB sticks and similar rewritable media were included. I wonder why they haven't decided to push an update that disables or limits the damage that this misbegotten feature can do.
Re:Autorun?! (Score:5, Insightful)
So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.
Re: (Score:2)
Your laziness in helping your users to utilise IT resources effectively and safely creates the problems actual IT people with workloads beyond reghosting terminals have to fix every single day. Your lack of input when they experience an issue instils their resentment of the IT workforce early on, before they move into Management jobs where they continue to abuse the IT technical people the same way they were abused and ignored when
Blame the victim (Score:2)
So your employees are too stupid/lazy to learn how to use a computer. Either train them or fire them.
So your brilliant solution is to fire people you spent training how to do an actual job, and replace them with people who need more training and still will not know how to use a flash drive "correctly".
All because Windows can't keep its virtual pants on at the sight of a new device.
Re: (Score:2)
His employees are hopefully too busy doing some actual fucking work to worry about how their computers work.
Re: (Score:2)
I seem to remember that you could turn off the autorun but keep the automount. It has been awhile since I had to admin a Windows box though so I could be wrong.
Re: (Score:2)
You can disable autorun without disabling autoplay, which is what asks the user what to do. And you can adjust the contents of the autoplay window so that the option to run programs on the disk isn't there.
Re: (Score:2)
Unfortunately, this presents an issue for the learning of important IT knowledge by the "lay person." It's generally easier to wait for something to break or "break" than to educate because IT staff are underpaid, not typically sociable (no offense, just a fact I've encountered), and the lay people are often unwilling to change or to really commit to learning. Until you can show them how to disable it, work without it and live in the workplace so that they can go home and do it themselves, no progress can b
Re: (Score:2)
I wonder what bright soul at Microsoft thought it a good idea to extend autorun to all types of removable media.
Actually that originated with Apple, back with the Macintosh (or maybe even earlier).
Idea was to automatically load drivers for new devices from the device, system upgrades from the medium containing the software, etc. for that "plug it in and it just works" experience.
Of course it wasn't long after the Mac got into users' hands and development tools were available that some bright kid decided to
Criminal penalties are necessary (Score:5, Insightful)
Companies may blame this on outsourcing, but they have chosen to outsource. They may blame it on poor quality control, but quality control is their responsibility! There is no excuse for this, and the executives that make decisions that lead to this type of security hole must be held accountable. I wish I could say that I was surprised by this news, but I'm not. It's commonplace. And until hardware and software companies are held accountable, this will continue to happen.
Autorun became the absolute comedy (Score:3, Interesting)
Recently I helped a friend who had 1TB disk formatted in FAT32 to convert it to HFS+ Journaled. As I image the disk, I notice some really strange things, like .exe files in Pictures folder, the _hard disk_ itself having autorun.exe. It is not some Taiwanese invention either, it is the Western Digital. I believe it is one of the most expensive ones.
It turns out, WD _idiots_ had this great idea of installing their USB drivers named something TURBO (no kidding!) who are supposed to speed up the drive transfer.
Olympus' warning... (Score:3, Funny)
For the customers you have the appropriate product is in trouble indeed grateful, bon appétit do so as follows: anti-virus support, thank you.
Translation issues aside, they do 'fess up honestly:
Cause
The lack of production management, computer virus has been contaminated with the camera.
But Sony said to run it (Score:4, Interesting)
"At the same time, consumers should learn to always ensure Autorun is disabled, and scan any device for malware before they use it on their computer"
But what if that malware, as it seemingly often is these days, is an actual intentional part of a product?
Re: (Score:3, Interesting)
And even if it isn't an intentional part of a product (I, for one, will never buy anything ever again with Sony's name on it; my daughter installed XCP on my computer, trusting that "reputable" company), I shouldn't have to worry about getting malware from a reputable company. I shouldn't have to scan a goddamned camera.
As usual the real problem is unnecessary crap (Score:5, Insightful)
Why isn't the memory card formatted and completely blank?
No, companies should stop selling memory cards with unnecessary crap installed.
Re: (Score:3, Interesting)
Why isn't the memory card formatted and completely blank?
Because it's getting more convenient for the user if the manufacturer ships the software on the device. Many laptops do not have CDROM drives. It can also save on packing costs not just for one unit, but for thousands of units. It allows more recent software to be shipped since an update doesn't require another CD manufacturing run.
No, companies should stop selling memory cards with unnecessary crap installed.
No argument there.
A Worm? (Score:2)
Olympus response (Score:3, Funny)
Olympus should send an Ubuntu CD to their customers.
Why can't MS make the radical decision? (Score:4, Informative)
On a fully secured (DEP, non Admin account, all updates) Windows machine, I can see "quarantined" items which all appear to be "autorun.xxx.worm" , pick anything you like. It is already out of hand.
If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.
Shrink wrapped/boxed software is _dead_. Even if it is not dead, it is trivial to add the "install software" control panel back. Just a line needed to be on box or "driver cd". That is all. It won't be the first time some convenience is given up for security. How many times people install the same software anyway?
Re: (Score:2)
At this point in my life when I see the same old things broken and no real fixes from Microsoft (short of taking things into your own hands and disabling it yourself -- something Grandma will never do) I wonder if the internet has been responsible for too many casual "push it out, fix it later" attitudes. The average
Re: (Score:2)
Sounds better the way Benjamin Franklin said it; "He who gives up freedom for safety deserves neither."
So, I guess we are saying Freedom is not Convenient?
It happened on Apple first. (Score:3, Interesting)
If something happened like this on Apple OS X land, Apple would roll out an operating system update and disable Autorun. Perhaps, they could show a help document about installing applications with double clicking.
There were Apple viruses as of the original Macintosh, which had a similar feature for automatically loading drivers, software updates, and such.
They've been there, had that done to them, and moved on.
For some reason it took Microsoft decades to get the same message.
Re: (Score:2)
Shrink wrapped/boxed software is _dead_.
It's easy to assume that your experience is the same as everyone else's, even when it is not. If no one is buying shrink-wrapped/boxed software, why do stores (in the US) like Best Buy, Circuit City, and Target still have large selections of it in stock?
Windows 7! (Score:2)
I heard it no longer enables autorun on USB drives by default!
Re: (Score:3, Interesting)
This is how I fix it:
Start->Run->gpedit.msc /force
Local Computer Policy->Administrative Templates->Windows Components->AutoPlay Policies
Turn off Autoplay -> Enabled, all drives
Don't set the always do checkbox -> Enabled
Turn off AutoPlay for non volume devices -> Enabled
Default Behavior for AutoRun -> Enabled, set do not execute any autorun commands
gpupdate
My beef is why this is not the default on all Windows machines. AutoPlay and AutoRun are separate entities, so one needs to ma
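Added example, not part of any comment in this thread: the per-drive-type behaviour discussed above (the XP registry setting and the "Turn off Autoplay, all drives" policy) comes down to the `NoDriveTypeAutoRun` bitmask, and this sketch shows which `autorun.inf` launch commands a volume exposes under a given mask. The function names and the sample file are constructed for illustration, and the model assumes the system actually honours the mask, which the thread notes requires the KB967715 update.

```python
"""Added example: which autorun.inf launch commands a volume exposes under a
given NoDriveTypeAutoRun policy value. All sample inputs are constructed."""

# Bits of the NoDriveTypeAutoRun registry value; a set bit turns AutoRun off
# for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, card readers, camera storage
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}

XP_DEFAULT = 0x91    # documented Windows XP default
W2K_DEFAULT = 0x95   # documented Windows 2000 default
ALL_DRIVES = 0xFF    # "Turn off Autoplay" policy set to "All drives"

# Constructed sample, not taken from the Olympus incident.
SAMPLE_INF = """\
; comment line
[AutoRun]
open = viewer.exe /s
icon=viewer.exe,0
Shell\\Open\\Command=viewer.exe
label=PHOTOS
"""


def autorun_disabled_for(mask):
    """Return the set of drive types for which the mask disables AutoRun."""
    return {name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit}


def parse_autorun_inf(text):
    """Return {key: command} for each launch directive in the [autorun] section.

    Section and key names are matched case-insensitively; lines that are not
    key=value pairs are skipped instead of raising, because hostile files are
    often padded with junk.
    """
    commands = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            commands[key] = value
    return commands


def exposed_commands(inf_text, drive_type, mask):
    """Launch commands still reachable for this drive type; {} if masked off."""
    if drive_type not in DRIVE_TYPE_BITS:
        raise ValueError("unknown drive type: " + drive_type)
    if mask & DRIVE_TYPE_BITS[drive_type]:
        return {}
    return parse_autorun_inf(inf_text)


if __name__ == "__main__":
    for label, mask in (("XP default", XP_DEFAULT), ("all drives", ALL_DRIVES)):
        print(label, hex(mask), exposed_commands(SAMPLE_INF, "removable", mask))
```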
It's not a worm.... (Score:2, Funny)
The larger problem (Score:2, Insightful)
Everybody harping on autorun. The larger problem is insecure defaults. Autorun hasn't been nearly as bad as "Hide file extensions". For people like myself, it led to filenames like foo.txt.txt before I realized that stupidity was turned on. For people who weren't paranoid enough, it was the legendary HotChick.jpeg.exe kind of stuff.
But I digress. The real problem is poor default choices. Again and again. MS needs to realize that you can't pander too much to the very stupidest users who haven't used t
Hmm. (Score:2)
Amusingly, this sort of accidental infection would be totally prevented if media (including SD cards, device internal storage, etc) were shipped unformatted, just like it was back in the days of floppies.
It wouldn't really be a big deal: First time you switch the device on, or insert the thumb drive, or whatever, it/your computer simply formats the media. Done.
This would obviously not stop a more sinister (firmware-based) attack, but I see nothing here to indicate that this particular attack vector was delib
Re:Keep It (Score:5, Funny)
"So I took it back to Best Buy "
I'd post AC too if I were admitting that. Eeew.
gee thats a nice website you have... (Score:3, Informative)
it would be a shame if 30,000 pissed off geeks were to hit it (or do any number of "interesting" things to it)
[Picture of nice store front] This is your webstore
[Picture of smoking hole] This is your webstore on Slashdot
Re: (Score:2)
"No, I'm not time wasting, I'm slashdotting for the benefit of mankind!"
Linux had that functionality (Score:2)
Well, Redhat Linux, back when the time they were shipping a Desktop Linux (5 I guess) had that neat idea of autorunning software from CD. Quake 3 from Loki did it.
Of course, as Redhat (and other vendors) have normal logic, they saw what is coming and it became a thing of past very quickly.
The problem with MS is, they even "extend" the functionality let alone getting rid of it. There is a huge risk of endless BSOD/system freeze in case of corrupt media since they made sure Windows Vista+ will check the conte
Re:Linux (Score:4, Funny)
Jesus, don't you guys ever get tired of bashing windows?
Not as long as the ongoing barrage of malware built on Windows bugs continues and the PHBs of the world keep shoving Windows "solutions" down our throats at work while the bulk of computer-using humanity continues to use it at home.
Once it's no longer a blight on humanity we'll stop telling everybody what a blight on humanity it is. (Maybe we'll occasionally reminisce about what a blight on humanity it WAS, once that utopia arrives. B-) )
Re: (Score:2)
If by, "blight to humanity" you mean easy-to-use operating system that does everything I want it to and allows me to play the newest games... Anyway, if you had just as many grandmas and idiot porn addicts using Linux as you have using Windows, you'd have the same problems we do. It's just that Linux-using porn addicts usually know not to allow "free-sex-tonight.jpg.exe" to run with admin privileges when running windows. And they usually won't "CLICK HERE TO SEE MY WEB CAM! OMG WTF BBQ!" Many Windows users just don't have the knowledge.
Nice contradiction...
Re: (Score:2)
It's like you're a scorned lover or something.
Quite the opposite. I've made a good living for many years off of the shortcomings of Microsoft's operating systems.