Slashdot Mirror


Windows Security Holes Go Mostly Unexploited

murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."


  1. Lies, foul lies. by J.+T.+MacLeod · · Score: 5, Informative

    As a contractor doing technical support for an ISP, I will attest to the fact that home users are hit very hard by problems such as Klez.

    It's an epidemic.

    On the other hand, we know of surprisingly few cases where machines were exploited on the network for other types of obvious security holes.

    "We know of" being the key phrase.

  2. Not just Windows security holes by Anonymous Coward · · Score: 4, Informative

    The article mentioned does not specifically discuss Windows security holes (as the title of this thread suggests), but rather security holes in general, and goes on to mention the Linux Slapper worm in particular.

    I find this typical of the slanted, Microsoft-bashing nature of posts here on Slashdot!

  3. ahem... by GoNINzo · · Score: 5, Informative
    Except when they are exploited, they might not be noticed for a while. I've noticed one site getting hit for a while now.

    As we speak, someone is changing the news options on the RIAA website. However, they don't seem to be stopping them from doing it. I did grab a shot of a particularly amusing one though.

    Oh, and just so everyone knows.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  4. public memo by cr@ckwhore · · Score: 5, Informative

    Despite the thousands of known exploits and virii...

    Public Memo:

    It's "viruses", not "virii". Repeating, "viruses".

    Did you also get the memo about the TPS report cover sheets?

    --
    Skiers and Riders -- http://www.snowjournal.com
  5. Re:Well yeah, by sfe_software · · Score: 5, Informative

    because they don't notice these viruses.

    Very true. I worked a temp job doing warranty repairs on Gateway PCs (and wouldn't recommend a Gateway to my worst enemy). Sadly, since the Gateway Country stores don't employ any computer literate people, over half of the systems we were to "repair" involved popping in the restore CD.

    But at the time (a few months back), I'd say about 10% of them were Klez-related (in order to tell the user what was wrong, we had to do a diagnosis including virus scan as a first step).

    As well, my dad has restored his PC a multitude of times in the 3 years he's had it. He of course thinks it's because Microsoft sucks, or "that new MSN upgrade broke my system", but in reality I think it's because he'll download anything and everything he can get his hands on (he just loves that Bonzi buddy thing... ugh)

    My point simply being that most of them probably didn't even know they were infected/exploited (I'm sure most don't read the paperwork we sent back). These statistics come from where, exactly? How many joe-sixpack users, who have already been ridiculed by their geek friends, are going to admit in a survey that they were stupid enough to click on the attachment against everyone's advice?

    I just have to wonder where the stats come from. If it's from Wired readers, I'd say it's skewed as their average reader-base is probably a bit more savvy than average.

    Saying that unprotected Windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.

    And since Code-Red, Nimda, etc use a semi-random IP selection routine, attempting to stay close to the current IP, home cable/DSL networks are the most affected. My DSL still logs around 80-100 attempts on port 80 per day (keeping in mind Nimda tries several variations per attempt).

    Also, the majority affected aren't aware that they are even running a web server at all, much less that they're infected (and spreading infection). To this day, I can go to each IP in my logs, and see the IIS default page on the vast majority (indicating they aren't running IIS for a reason, and likely aren't aware that it's there).

    Finally, I just want to say that just because not everyone has been exploited doesn't mean that we should look at the situation any lighter. The Code Red thing should have been a serious wake-up call to Microsoft. Same with ILOVEYOU, Melissa, et al. These things were highly public, and should have been viewed as a major fiasco. Maybe the scene has toned down in the last year or so, sure, but that doesn't mean we should just not worry about it. Hopefully not too many people will read the Wired article and become more lax in their practices...

    --
    NGWave - Fast Sound Editor for Windows
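The kind of log check the post above suggests, as an added example that is not part of the original thread: it scans Apache-style access log lines for the publicly documented probe URIs used by Code Red (/default.ida) and Nimda (root.exe, cmd.exe, encoded "..\" traversal) and counts probes per source IP. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from collections import Counter

# Publicly documented probe URIs used by the Code Red and Nimda worms.
WORM_SIGNATURES = {
    "CodeRed": [re.compile(r"^/default\.ida\?")],
    "Nimda": [
        re.compile(r"/root\.exe", re.I),
        re.compile(r"/winnt/system32/cmd\.exe", re.I),
        re.compile(r"\.\.%(25)?5c", re.I),  # encoded "..\" traversal
    ],
}

# Apache common log format: ip ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_request(uri):
    """Return the worm family whose probe signature matches the URI, else None."""
    for family, patterns in WORM_SIGNATURES.items():
        if any(p.search(uri) for p in patterns):
            return family
    return None

def summarize_probes(lines):
    """Count worm probes per (source IP, family) over a list of log lines.
    Lines that do not parse or match no signature are ignored, so a single
    Nimda scan shows up as several entries for the same IP (one per variant)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify_request(m.group("uri"))
        if family:
            hits[(m.group("ip"), family)] += 1
    return hits

# Constructed sample log lines (not real traffic; IPs are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2002:03:12:44 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 287',
    '192.0.2.10 - - [20/Oct/2002:03:12:45 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.10 - - [20/Oct/2002:03:12:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '198.51.100.7 - - [20/Oct/2002:03:15:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [20/Oct/2002:03:15:09 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289',
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for (ip, family), n in sorted(summarize_probes(SAMPLE_LOG).items()):
        print(f"{ip:15} {family:8} {n} probe(s)")
```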
  6. Re:Opaserv exploited one by ceejayoz · · Score: 5, Informative

    Yeah, the guy's obviously making it up.

    And since it doesn't exist, there's no reason for MS to release a patch to fix the vulnerability, right?

    Obviously, you're intelligent and checked Google before flaming away.

  7. Re:Well dah... by bleh-of-the-huns · · Score: 3, Informative


    You're wrong, home users do have something that is worth stealing: bandwidth and anonymity.

    Currently hackers use exploited/infected machines to abuse their bandwidth, and remain anonymous. The bandwidth is used for DDoS attacks; you would be surprised what 500 infected cable customers' machines can do to almost any network, regardless of its size.

    There are also trojans that run as proxy servers and mail relays, to be abused by spammers to send mail and annoying messenger spam out, since it always looks like it came from an infected machine, and there are never logs on said infected machine.

    --
    I came, I conquered, I coredumped
  8. You missed the point. by RatBastard · · Score: 5, Informative

    They pointed out the real problems, like KLEZ. But that wasn't the point. The point was that out of the thousands and thousands of supposed security holes very few are ever exploited. They said nothing of the destructive power of the holes that were exploited.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  9. Re:I'm not surprised by geekoid · · Score: 3, Informative

    That's fine, until they load up a program that does something illegal, and the feds kick down your door, take your computer away and say "Prove it wasn't you."

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  10. Re:And how many by Doc+Hopper · · Score: 5, Informative
    • Anti-intrusion systems should be built into the OS.
    This is a very, very good point. So far, the only systems I've installed that automatically install intrusion detection of any reasonable sort are Mandrake Linux and OpenBSD. I've been particularly impressed with OpenBSD's daily reporting facilities. By default, it mails a "daily insecurity report" and daily status report on your network interfaces and basic system information to me. In addition, when installing OpenBSD packages, the packages spit out a little blurb after they install, explaining what is left to configure the package, any general security concerns, and suggestions on additionally securing the service. It even installs those packages with decent default security settings. My only complaint is that I have difficulty recommending it, at this point, to my friends who are less experienced in the UNIX world.
    The political baggage OpenBSD carries with it is rather unfortunate, but I note that after I am port-scanned on my OpenBSD box, I've never had an intruder attempt to use an exploit. Meanwhile, my GNU/Linux box routinely has crackers (unsuccessfully) attempt to do some well-known Apache exploits or attack my mail server. Oy, veh, annoying.
    I think that user education is also critical for any operating system. Although you don't expect users to become security experts, it is the responsibility of the distribution designers to make sure the security information reported by their system is concise, easily understood, and presented in an obvious but non-annoying way.
  11. Linux more likely to be exploitable by billstewart · · Score: 5, Informative
    As an old Unix hacker I've found it annoying that Windows is sometimes more secure than Linux, but it can happen.
    My lab used to have an unprotected DSL with out-of-the-box RedHat 6.x and unprotected Win95 boxes on it that we used for testing things. As far as I could tell, nobody ever successfully hacked the Windows box, and when I was running ZoneAlarm, it'd detect a lot of doorknockers but no real attack - No surprise, because we had file-system sharing turned off, a relatively obscure freeware web server, no Napster/Kazaa/Gnutella/Morpheus/etc., and not much else useful on it except clients so not much to crack.

    But the main Linux box got broken into all the time - I eventually changed its name to "Kenny" because it was getting brutally killed every week. As far as I could tell, nobody seriously bothered it once I upgraded to RH 7.1 in a medium-secure mode (I didn't install FTP servers, for instance, and Apache didn't have any web pages complex enough to be exploited), but by then I wasn't doing much complex, and I'd replaced the highly reliable Pentium-66 with a faster el-cheapo machine that often died on its own so it wasn't available to crackers.

    The most common attacks I was aware of were some rootkit followed by installing Stacheldraht DDOS and some IRC bots. (And after I'd wiped out Stacheldraht a couple of times, the loser got annoyed and wiped out my disk drive once.) I noticed the initial attack because one of Kenny's P66 cousins was used to run a tcpdump sniffer to monitor the LAN and it kept doing ICMP to machines at universities. At least one of the rootkits "fixed" ls and ps to not report on its directories and processes, but forgot about some other utilities like /proc, and forgot about semantics problems like

    umount: Can't unmount /home2 - in use
    $ ps -ef
    [nothing obvious shows up]
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
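The /proc cross-check that the post above describes (a trojaned ps hides a process, but the kernel's /proc listing still shows it), as an added example that is not part of the original thread. The sample ps output and the PID set are constructed; the live check at the bottom only runs where /proc exists, and it catches userland rootkits that patch ps, not a kernel-level rootkit that also filters /proc.

```python
import os
import subprocess

def pids_from_ps(ps_output):
    """Extract the PID column from `ps -ef` text (the header row is skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids

def pids_from_proc(proc_root="/proc"):
    """Numeric entries of /proc are the PIDs the kernel itself reports."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel knows about that ps did not report, sorted.
    A non-empty result on a quiet box is a strong hint that ps (or the
    library it links) has been tampered with. Short-lived processes that
    exit between the two snapshots can cause a false positive, so take the
    snapshots close together and re-check any PID that shows up."""
    return sorted(proc_pids - ps_pids)

# Constructed sample: /proc reports PID 4242, which a trojaned ps omits.
SAMPLE_PS = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Oct20 ?        00:00:04 init
root       812     1  0 Oct20 ?        00:00:00 /usr/sbin/sshd
bill      1337   812  0 10:02 pts/0    00:00:00 -bash
bill      1400  1337  0 10:05 pts/0    00:00:00 ps -ef
"""
SAMPLE_PROC_PIDS = {1, 812, 1337, 1400, 4242}

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps(SAMPLE_PS)))
    if os.path.isdir("/proc"):
        # Live check on this host: list /proc first, then run ps immediately.
        proc_pids = pids_from_proc()
        ps_text = subprocess.run(["ps", "-ef"], capture_output=True, text=True).stdout
        print("live:", hidden_pids(proc_pids, pids_from_ps(ps_text)))
```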