Postmortem on McAfee update fiasco
The erroneous McAfee antivirus update sent to corporate customers running Windows XP Service Pack 3 last week wreaked havoc on a lot of businesses, temporarily shutting down a supermarket chain in Australia, delaying surgeries in Rhode Island hospitals and sending IT departments across the globe scrambling to repair PCs. In a series of blog posts--the latest one being an apology from McAfee President and CEO David DeWalt, on Friday--McAfee tried to explain what happened and what it plans to do to avoid such fiascos going forward. But the debacle has left a lot of industry observers--not to mention the enterprises that were affected--wondering if there are larger lessons to be learned.
The erroneous update wrongly identified a Windows system file as a threat and quarantined it, causing PCs to shut down and then reboot repeatedly. This type of problem wouldn't have happened in the 1990s before businesses elected to give outside software firms control of their PCs via automatic updates, Bob Sullivan points out in a blog post at MSNBC.
"The root of the problem lies in a critical decision made a decade ago by security professionals. But the result--perhaps millions of PCs rendered useless, each one requiring manual repair--is just the latest sign that bad guys seem to be winning in cyberspace," Sullivan writes.
As long as companies give outside software makers automatic access to their PCs, this type of danger lurks. And, as the variety of malicious attacks grows, security companies may make mistakes as they attempt to keep up with the bad guys, Sullivan reports. While this may shake one's faith in security companies, stripping PCs of automatic antivirus updates won't leave them better protected, some analysts warn.
McAfee's David DeWalt said in his post Friday that the company is deploying additional quality assurance measures for updates that have a direct impact on critical system files. It is also beefing up its technology to avoid "false positives" or the misidentification of legitimate software as a threat.
The likelihood that quality assurance procedures will fall short may be on the rise, Larry Seltzer cautions in a post on PCMagazine's Security Watch blog. "It's hard to think of a worse single configuration to leave out" of testing for last week's update than Windows XP SP3, he writes. The cat-and-mouse game between malware authors and security firms may be racing out of control.
"The nature of malware has forced AV vendors to push out ever more frequent definition updates, to the point where Symantec's 'pulse updates' come out every 5 to 15 minutes," Seltzer writes. "The pressure to keep up with malware--not to mention the pressure to keep costs down--can lead vendors to scrimp on testing."
While rival vendors appear to be taking advantage of McAfee's misfortune, Seltzer advises against believing that any one of them is immune from errors.
For more:
- see Bob Sullivan's post at MSNBC
- see David DeWalt's post at McAfee's Security Insights blog
- see Larry Seltzer's post at PCMagazine's Security Watch blog