Windows Security Holes Go Mostly Unexploited
murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't the target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."
Unexploited == unpatched?
I know the difference, but I'm wondering what percentage of the unexploited are also currently unpatched?
Perhaps all the black hats are just saving up for, MWHahahaha, World Domination.
It's so bad that if you install Win98 on a fresh machine, password protect and share the C drive, and connect to the internet, you can get this variant within 5 minutes. Opaserv exploits a shared drive password flaw, and has full access to the machine. Then it will ruin the CMOS and main hard drive partitions.
From my tech support experience, this year has been the worst for exploits.
My girlfriend's Windows 2000 machine was hacked about a month ago by script kiddies exploiting one of the recent exploits in a Microsoft product. They then installed 2 apps, a ghosting app that hides any application from the Taskbar and Tasklist, and mIRC with hacked up startup scripts to allow remote control when connected. They used the ghost app to hide itself and mIRC. Whenever she turned on her computer, it would load mIRC, hide it, then connect to EFNet. Then shortly after someone who would see it connect, would use it to mass-ping hosts in an attempt to DoS someone.
Needless to say, for the week this was going on, I noticed serious network problems at home, and pinpointed them: every time she turned on her computer, the network would lag to a stop. Finally, after researching it, I discovered what was going on. I found the channel these guys hung out in, and she wasn't the only victim. They had a few hundred hacked users they could control.
So when I see reports like this, I suddenly get a whiff of steaming horse shit.
..There's a-dooin's a-transpirin'
I'm sysadmin at a public library with public dialup access. They get Klez by the dozens every month, so I wonder where the writer is looking for 'typical users'? I'm sitting in a rural parish (county for the rest of the US) in LA and have a pretty typical bunch of 'end users' in our population, with the one exception that I try as hard as I can to educate them as to the evils of Outlook (which falls on deaf ears) and pass out CD-ROMs and setup manuals documenting Netscape for web & E-Mail (which they ignore, whining about having problems getting Outlook Express configured). The only concession to unsafe computing is that I do give detailed configuration steps on getting IE past our federally mandated filtering system, because I know that a lot of sites and third party software depend on IE.
Democrat delenda est
Aside from pissing off the odd script kiddy in IRC or on some online game, why would anyone feel the need to hack or exploit my PC? There's nothing there of any import. And I doubt there is on 99.9% of all home PCs out there.
What are they gonna do? Edit someone's Sims save file to make them 6 year old girls? I've been DDoS'd and had various exploits tried against me in the past. The worst they could do is annoy me.
I mean, rock-solid security on your OS is all fine and good. But I don't wear a bulletproof vest either, and it's ok, because I hardly ever get shot at.
I don't need no instructions to know how to rock!!!!
I am then subjected to dozens of e-mail scanning auto-responders telling me I have a virus, auto replies from people I've never heard of, and the occasional jerk who thinks they know everything screaming at me in e-mail telling me I am stupid for letting myself get infected.
The fact that I am also the postmaster admin for 13,000 users means I get users contacting me in a panic thinking they have a virus because one of the three above things happens to them. This, despite a FAQ and notices on the intranet, etc., etc., that this thing is out there.
Klez is probably the primary reason I am starting to hate Microsoft. It doesn't matter if my computer and all computers I am responsible for are completely patched and that my mail gateway blocks it, I still get to be a victim indirectly, and I doubt we'll ever see the entire planet fully patched.
Actually hacking home users is a good place for a newbie-hacker (or script-kiddie or whatever) to learn. Much less chance of being caught, and if you screw up you can just wipe the machine since most likely there aren't backup logs.
Microsoft secretly loves Linux because OSS development sucks all the brainpower away from malicious anti-Windows activities and focuses it on innocuous projects that can do them no harm. Why crack Windows when you can get the same peer respect and feeling of civil disobedience by developing for Linux?
A lot of the potential exploits would fall at the first two hurdles above. For instance, by setting Outlook (Express) to use the Restricted Zone, you've already plugged several holes.
This is not to excuse Microsoft for creating the holes in the first place. Particularly odious are those related to allowing scripting to be performed in places where it makes no sense whatsoever, eg. Windows Media files. That is not a case of sloppy coding, that is bad design from the get-go.
Sad to say, even if Microsoft fixed all the outstanding holes tomorrow, you will still need to have a firewall and anti-virus software, because the malware will continue regardless, until such time as we all move to a platform that is secure by design. (And, no, in truth that platform doesn't exist yet)
-MT.
Most companies were taken off guard by several of the major viruses and worms over the past 4-5 years. ILoveYou, Nimda, CodeRed, etc. But after each major hit things were done not just reactively, but also proactively.
Virus scan engines were updated, email servers had attachment blocking filters installed, patches were installed, etc.
There has been a slew of updates made available to applications like Outlook, Outlook Express, IIS and so forth which disable many of the features that these exploits took advantage of: the Outlook 2k security update, default permissions in OE 6.0, the IIS Lockdown wizard, URLScan, etc.
Then you have a whole slew of administrative utilities such as HFNetChk from Microsoft/Shavlik to test systems for patches and various tools(HFNetChk Pro) to do reports on large numbers of machines and push out patches.
I do agree that the security finders tend to overstate the impact, but it's still important to react to the issues. The conclusion that Wired really should be making is that we've learned lessons and learned how to better prepare and respond. That's why there are fewer major problems.
Sounds like you've gotten so 0wn3zd you're not even getting the logs anymore. Probably fairly soon after those first portscans you saw. Or maybe your ISP is running a firewall for you? But if I was suddenly seeing less than a dozen attacks per day, frankly, I'd be pretty sure I wasn't seeing the real picture.
So I guess under this logic it would be perfectly fine to install doors and windows in your house with no locks at all because your neighborhood doesn't have home break-ins or invasions?
Waaaaay back in 1997, there was a problem with a version of Lasso (a 3rd-party database-access CGI) that could be exploited. I believe it was discovered during a 'hack this Mac web server and get $10,000' sort of contest-- it was so long ago, I don't really remember the details, but it has been done. This hole was closed very quickly with an update to Lasso.
People just using the web service built into the Mac OS, however, have never had anything to fear. Unlike IIS, Personal Web Sharing and the AppleShare IP Web Service were always airtight.
~Philly
You know, finally someone actually understands and sees the real problem. Too many geeks are in corporate IT security. We are still waiting for security to be integrated in the products. Unix certainly does not have it; Windows at least reports a whole lot better than Unix, and that's half the battle.
I don't hire security experts because of their bug hunting ability, I want tangible results.
they don't notice these viruses.
oh, they'll notice klez - when their computer doesn't load windows anymore because a system file has had '0's added to it
klez is a mean one - i have experienced two infections (clients) - the first was a totally unrecoverable drive. all files were visible, but they would not open (all that pr0n <shakes head>)
the second was noticed when quickbooks gave a specific error and would not open. tech support stated it was klez. i was skeptical, and booted from a norton antivirus 2003 cd which said the computer was clean. had to disable system restore, restart in safe mode and run fixklez.com to detect over 700 infected files. about 200 could not be repaired and were deleted
i agree the assertion that windows does not get hacked is ridiculous.
this may be a redundant comment, but perhaps people are getting better at designing better rootkits. Not that it is so needed on a Win32 system; how many times have you really gone through your process list in Windows 2000?
:P
But the point still stands, perhaps hackers are just getting better at hiding themselves, I have seen a LOT of example code for hiding in a Win32 system, whether it's processes, files, directories, ports, etc...it can be done without too much effort.
just a thought
proxy
Every thing that accesses the keychain at least does.
If Mail has been changed or tampered with, or AIM or ICQ or iChat, etc., etc., it asks me 'should I allow this program access to the keychain?'
Of course I dunno if this is robust or reliable, but it seems to exist.
GPL Deconstructed
antivirus software in the last 20 years of my work. To date, I've probably lost about 3 man months due to antivirus programs interfering with proper and efficient computer operation. I've lost two days to virus attacks. The only viruses that the programs have ever detected on any of my machines were in emails that I would never have opened, and even that has only occurred a half dozen or so times. When was the last time you read an article about the threat of viruses that was written by someone without a vested interest in your fear?
At work we have to disable some users' accounts on the wireless data networks who have viruses. They consume too much bandwidth; resource hogs. We run reports, and every day anyone who displays virus/trojan behavior, we shut them off.
We can tell from the user's profile if it's a P2P network program or a virus; viruses don't portscan your entire network, or spam your SMTP servers.
Many users have found things such as Back Orifice, or other remote programs. Luckily it's easier to watch for this when you own the entire network; for an ISP, it would be much harder.
YMMV.
Dead-on, Doc. Herein lies the question: At what point does developer responsibility depart from user education? It's a dicey and subjective topic, but luckily we can learn from Microsoft's mistakes; they developed for the least common denominator user which is why they're having to fix so many security flaws.
So we're back to the question that so many hackers don't care to bother with: What do you do when you want Joe_Newbie to use your software (assuming of course that you even care whether Joe_Newbie uses your software...which is another debate for another day) but in order for that to happen, you have to dumb down your software to a level that might piss off
Great post. I really wish the BSD folks made installation as painless as RH or Mandrake so I could convince my friends to try it.
--K.
Sig: Bad people happen. Try to avoid being one of them.
Judging by the Apache logs on my machines, I'd say there are plenty of people quite clueless about Code Red or Nimda to this day. I see thousands of hits/day from these two still, and these have to be coming from machines that appear to be "normal".
One of the things that annoys me the most is the number of reported holes that are caused by buffer overflows. There's simply no excuse for them this decade! If you don't have a good enough quality control process to test for them all, and MS doesn't, you shouldn't let your people write code in C! Don't get me wrong - I really *like* C, and I've been using it for over 20 years. It's a great language for a lot of things, including compact, efficient, clean, obvious code, and it does let you shoot yourself in the foot. But if you can't keep your people from shooting, and can't tell where the holes are, and can't tell whether all your feet are intact, it's not the language for you. And if you want to use C++ or C-- or C-sharp or C-dull, and you don't enforce the use of safe I/O and copying methods, don't do that either. (By the way, this rant applies to Linux as well.)
Esther Dyson has her signature line about "Always make new mistakes". Buffer overflows and testing for maliciously formatted input aren't new mistakes, folks! They're CS100 material, the first thing you should be learning after you learn how to do arrays and input functions. (And I learned my programming in PL/I, a language that won't let you overflow buffers.) At least make the bugs interesting, like race conditions or something! Accepting input that abuses ..s in directory paths when they shouldn't be there isn't a new mistake, and it's one of the most common bug reports I see that aren't memory-related.
Bill Stewart
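As an added example (not code from the poster), the two "old mistakes" the comment names, handled in C the way it asks for: a bounded copy that reports truncation instead of overrunning its destination, and a check that rejects `..` components in a client-supplied path before it is joined to a document root. All inputs are constructed.

```c
/* Added example, not from the original post. Constructed inputs only. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Copy src into dst[dst_size]. Unlike strcpy/strcat, this always
 * NUL-terminates and reports truncation instead of writing past the end. */
static bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return false;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* bounded length scan */
    if (n == dst_size) {                            /* does not fit: truncate */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Reject a relative path if it is absolute or if any component separated by
 * '/' or '\' is exactly "..". Returns true only for paths that cannot climb
 * out of the directory they are joined to. */
static bool path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0' || *path == '/' || *path == '\\')
        return false;
    const char *p = path;
    for (;;) {
        size_t len = strcspn(p, "/\\");             /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.') return false;
        if (p[len] == '\0') return true;
        p += len + 1;
    }
}

/* Build "docroot/path" only when the path is safe and the result fits. */
static bool build_served_path(char *out, size_t out_size,
                              const char *docroot, const char *path)
{
    if (!path_is_safe(path)) return false;
    int n = snprintf(out, out_size, "%s/%s", docroot, path);
    return n >= 0 && (size_t)n < out_size;          /* snprintf flags truncation */
}

int main(void)
{
    char buf[32];
    printf("%d\n", build_served_path(buf, sizeof buf, "/var/www", "img/a.png"));
    printf("%d\n", build_served_path(buf, sizeof buf, "/var/www", "../etc/passwd"));
    return 0;
}
```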
I've mentioned my wife a lot lately on these forums, and, while I hate to be doing it again... I must.
Admittedly, I am not an uber-tech. I'm Brainbench Linux Certified (as if it means anything), and I've got almost a year's worth of experience under my belt. I've set up a handful of servers using RedHat whatever's new at the time.0 to run Apache, PHP, MySQL, Samba and IPTables, but really, I struggle with just about every new error message that runs across the screen (though it's getting easier).
If you want to be less removed from the "normal" user experience, just use someone you know that's not as technical. I use my wife for this. We tried RH 6.0, and she hated it. She liked 7.1 better, but didn't know what she was doing. Eventually, she got fed up and wanted it off. RH8 came out and I had her try that. She loves it. It was, in her words "easy to use, easy to figure out". Granted, there's not that big a difference in the usability of 7.1 to 8.0, but in a lot of ways, it's huge. Bluecurve is exactly what she needed (and, I suspect, exactly what a lot of other people do too) to make Linux enjoyable for her.
My power supply just died in that computer, so she's been relegated to using a slower computer (running Windows) for the past two days until my new supply gets in, and she misses Linux. She misses the games, and the way that they work, and all the other wonderful things that it offers. She doesn't know anything beyond the gui, and she doesn't need to. It works for her.
Anyway, now I'm really rambling... but my point was, if you want to get back in touch with the end-user experience, get in touch with an end user, and if you can get them to donate some of their time to try it, you'll find their opinions are easily voiced.
Sorry for the long rant about nothing...
-9mm-