Novell accidentally ships virus to customers

For those of us who like to be on the cutting edge of technology, Novell offers a subscription plan to the Software Evaluation and Development Library (still usually referred to as the SEL, because it was formerly called the Software Evaluation Library).

Annual cost is between $250 and $400, depending on the level of support you want (the product itself is the same). It’s not a bad deal to have all of Novell’s products available for installation in your test lab. You can even use the disks to install or replace fully licensed software provided you have your license disks. That makes it quick and easy for those supporting numerous sites or multiple installations – you have the master files at hand when needed.

A couple of weeks ago, I got an odd e-mail message from the “Novell Technical Subscriptions Team” telling me that they had discovered a “technical defect” in one of the CDs shipped with the May package (new CDs are issued as needed, but generally some parts of the multiple CD package are updated each month).

It appeared that there was a problem with the files for Novell Extend Director 4.1 Standard Edition since we were told to use the version shipped on newer CDs, in both June and July. There was also a URL given for those who had installed the “defective” application with instructions to visit the Web site “to obtain important detailed information about the defect.”

The little detail Novell didn’t mention in the e-mail message was that the CD was infected with a virus.

https://support.novell.com/subscriptions/subscriber_resources/breakdown/2003/cd1d_defect.html

Call me old fashioned if you will, but to me “technical defect” means a bug or perhaps an error in a script. It doesn’t mean, “Oops! We let the W32.ElKern.4926 virus loose on your network!”

The message did mention that the “defect” should not affect most people because:

* The defect only affects two uninstall files for the AltaVista platform.

* The May CD was obsoleted and replaced in June.

* The most current version is found on the June and July DVD 1.

That’s little solace to anyone who did get infected, though.

Way back in 1991, as part of another subscription product (the NetWare Support Encyclopedia), Novell shipped the Stoned virus to customers. At that time the company vowed to take extraordinary steps to ensure that it never happened again. But it did.

Now Novell wasn’t the only one shipping infected disks 12 years ago; even Microsoft let one slip out the door, as did other software vendors. But it really shouldn’t be that onerous a task to scan the files before they go out the door today.

Novell claims the files were scanned and the virus was detected but a communications mix-up led to the wrong files being replaced.

So why wasn’t the scan done again? NetWare managers know that when there’s a disk problem requiring you to run Vrepair that it should be re-run and re-run until the error count goes to zero. That’s the least Novell should require of its antivirus program for software shipped to consumers.