On the other hand, if media hype were the cause of the misconception, why do users seem oblivious to it? Case in point, both Blaster and Sobig have been heavily advertised and both were easily avoidable: Blaster via a patch that had earned unprecedented media attention in the weeks leading up the the actual worm, and Sobig by the simple and equally well-advertised blocking or deletion of executable file types.
The blame certainly doesn't lie at the feet of the antivirus vendors either. One has only to look at the continued prevalence of Klez.H, initially discovered in April 2002, yet today still topping the "top ten" charts published by antivirus vendors. Put another way, protection for this worm has been available since April 2002, yet 18 months later, in October 2003, the worm is still one of the most prevalent viruses actively affecting users.
This begs the next question: If users and system administrators refuse to patch or protect their systems, should Microsoft be held accountable?
A common misconception exists that somehow insecurity is introduced by Microsoft. This argument ignores the perpetrator, who seeks to victimize as many machines as possible. Indeed, the hallmark of a successful worm is its ability to infect a large number of systems. It is, if you will, the very reason for its being. Considering the large numbers who use Microsoft systems and products, it seems only natural that virus writers and hackers would focus their efforts on compromising the widest number of systems in use, rather than waste their efforts on system software that is not widely deployed.
This can best be demonstrated by looking closer at the history of the Internet, its security, and the implications for malware that were present long before Microsoft became the dominant operating system. First, it is important to note that during the "development" of the Internet, Microsoft was a little-known computer startup. In fact, Microsoft did not even have a website until 1993. Further, the founders of the Internet, the U.S. Defense Advanced Research Projects Agency (DARPA) and the U.S. National Science Foundation (NSF), focused on communications, time-sharing, and the ability to access programs and data on remote computers. They did not, at any point, focus on the security of those communications nor of that data.
