Windows Security Holes Go Mostly Unexploited

murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."

And how many

[TerryAtWork]

of these holes are exploited by adults who are quiet about it instead of big-mouth children?

Re:And how many

[JoeBuck]

If your Windows PC has a fast (DSL or cable) connection, it may well be one of thousands of machines owned by some jerk who wants to use it to launch DDoS attacks. Its owner may never notice any difference: it appears to operate normally, only sometimes the web seems a bit slower than expected. The attacker has an interest in having the machine appear to be "normal".

Re:And how many

[glesga_kiss]

99% of Windows users have no way of knowing if they're compromised!!

Woopiedoo. What percentage of Linux users installed Tripwire or similar first when they built their box? How will those who didn't notice that they are compromised?

Anti-intrusion systems should be built into the OS. "This binary has been tampered with, refusing to run it" is what we need, but somewhere in a happy medium between that and the "trusted computing" that is creating fear amoungst the geek comunity.

Re:And how many

[Doc+Hopper]

• Anti-intrusion systems should be built into the OS.

This is a very, very good point. So far, the only systems I've installed that automatically install intrusion detection of any reasonable sort are Mandrake Linux and OpenBSD. I've been particularly impressed with OpenBSD's daily reporting facilities. By default, it mails a "daily insecurity report" and daily status report on your network interfaces and basic system information to me. In addition, when installing OpenBSD packages, the packages spit out a little blurb after they install, explaining what is left to configure the package, any general security concerns, and suggestions on additionally securing the service. It even installs those packages with decent default security settings. My only complaint is that I have difficulty recommending it, at this point, to my friends who are less experienced in the UNIX world.
The political baggage OpenBSD carries with it is rather unfortunate, but I note that after I am port-scanned on my OpenBSD box, I've never had an intruder attempt to use an exploit. Meanwhile, my GNU/Linux box routinely has crackers (unsuccessfully) attempt to do some well-known Apache exploits or attack my mail server. Oy, veh, annoying.
I think that user education is also critical for any operating system. Although you don't expect users to become security experts, it is the responsibility of the distribution designers to make sure the security information reported by their system is concise, easily understood, and presented in an obvious but non-annoying way.

In other news

[Exiler]

Thousands of people are in dark alleys every day and rarely are any shot, raped, mugged or sodomized.

Re:In other news

[Telex4]

Well put :)

The fact that the bugs go unexploited is a good thing, but it does not excuse the bugs. People are unlikely to want to switch from Windows to another OS simply because there are lots of security holes, because they rarely encounter them. From your average user's point of view, they're no big deal. But that doesn't excuse Microsoft from allowing them to exist, just as the low number of rapes doesn't excuse governmental organisations from allowing dark alleys to exist. Every rape is tragic. Every bug exploited is of course not as tragic, but certainly an inconvenience for the victim, and at times a rather large financial problem for companies.

Well yeah,

[autopr0n]

because they don't notice these viruses.

Saying that unprotected windows machines go un-hacked is rediculous. Just look at your server logs (if you run a web server). How many automated hack attemps do you see? quite a few.

Tons of people are infected with viruses and spyware (now that shit should be illigal, god damn) but they never notice or care, as long as their computers keep working.

Re:Well yeah,

[sfe_software]

because they don't notice these viruses.

Very true. I worked a temp job doing warranty repairs on Gatway PCs (and wouldn't recommend a Gateway to my worst enemy). Sadly, since the Gateway Country stores don't employ any computer literate people, over half of the systems we were to "repair" involved popping in the restore CD.

But at the time (a few months back), I'd say about 10% of them were Klez-related (in order to tell the user what was wrong, we had to do a diagnosis including virus scan as a first step).

As well, my dad has restored his PC a multitude of times in the 3 years he's had it. He of course thinks it's because Microsoft sucks, or "that new MSN upgrade broke my system", but in reality I think it's because he'll download anything and everything he can get his hands on (he just loves that Bonzi buddy thing... ugh)

My point simply being that most of them probably didn't even know they were infected/exploited (I'm sure most don't read the paperwork we sent back). These statistics come from where, exactly? How many joe-sixpack users, who have already been ridiculed by their geek friends, are going to admit in a survey that they were stupid enough to click on the attachment against everyone's advice?

I just have to wonder where the stats come from. If it's from Wired readers, I'd say it's skewed as their average reader-base is probably a bit more savvy than average.

Saying that unprotected windows machines go un-hacked is rediculous. Just look at your server logs (if you run a web server). How many automated hack attemps do you see? quite a few.

And since Code-Red, Nimda, etc use a semi-random IP selection routine, attempting to stay close to the current IP, home cable/DSL networks are the most affected. My DSL still logs around 80-100 attempts on port 80 per day (keeping in mind Nimda tries several variations per attempt).

Also, the majority affected aren't aware that they are even running a web server at all, much less that they're infected (and spreading infection). To this day, I can go to each IP in my logs, and see the IIS default page on the vast majority (indicating they aren't running IIS for a reason, and likely aren't aware that it's there).

Finally, I just want to say that just because not everyone has been exploited, should mean that we should look at the situation any lighter. The Code Red thing should have been a serious wake-up call to Microsoft. Same with iloveyou, melissa, et al. These things were highly public, and should have been viewed as a major fiasco. Maybe the scene has toned down in the last year or so, sure, but that doesn't mean we should just not worry about it. Hopefully not too many people will read the Wired article and become more lax in their practices...

The reason is ...

[tomhudson]

That's because there are SO many exploits to choose from. Nobody has the time (or need) to exploit all of them :-)

Re:Good thing

[tshak]

That's not the point. The point is that these flaws are not necessarily practical to exploit, or can't be because of a firewall/NAT.

This doesn't mean that Windows' security doesn't need a LOT of work - it does. It's just that practically speaking many exploits are not "the end of the world" as many news sites (*cough*) would like to make it seem.

Lies, foul lies.

[J.+T.+MacLeod]

As a contractor doing technical support for an ISP, I will attest to the fact that home users are hit very hard by problems such as Klez.

It's an epidemic.

On the other hand, we know of surprisingly few cases where machines were exploited on the network for other types of obvious security holes.

"We know of" being the key phrase.

Sooner or Later

[robbyjo]

Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.

The problem is that the article fails to mention that if the holes are not fixed, sooner or later the so called malicious hacker will find it and exploit it *quietly*. This is dangerous thing.

IMHO, better to expose it and then *quickly* fix it rather than do nothing.

The problem is now that Microsoft knows (or being told) about the holes but often takes a very long time to fix it and sometimes ditch the bugs as "unimportant". This is even worse as this *will* give a plenty opportunity for the hackers to implement the exploit.

What a load of horse feces

[antis0c]

My girlfriend's Windows 2000 machine was hacked about a month ago by script kiddies exploiting one of the recent exploits in a Microsoft product. They then installed 2 apps, a ghosting app that hides any application from the Taskbar and Tasklist, and mIRC with hacked up startup scripts to allow remote control when connected. They used the ghost app to hide itself and mIRC. Whenever she turned on her computer, it would load mIRC, hide it, then connect to EFNet. Then shortly after someone who would see it connect, would use it to mass-ping hosts in an attempt to DoS someone.

Needless to say, for the week this was going on, I noticed serious network problems at home. And pinpointed them to every time she turned on her computer, the network would lag to a stop. Finally after researching it I discovered what was going on.. I found the channel these guys hung out in, and she wasn't the only victim. They had a few hundred hacked users they could control.

So when I see reports like this, I suddenly get a whiff of steaming horse shit.

Why...

[intermodal]

why does this headline sound like an invitation?

In a related story

[frovingslosh]

Most Chevy Geo's are not broken into or stolen, so it would be OK for GM to just use the same key on them all, giving the owners the illusion of security.

There is a reson for this

[SeanTobin]

Let's think of all the benefits of hacking a home users computer:

• Steal the HS research paper on crop circles
  
• Grab secret financial information
  
• Use as a proxy to hide the hackers identity*
  
• Part of a DDOS attack*

Now, lets think of all the benefits of hacking a server/website

• 50000 working credit card numbers, names, and addresses
  
• Prestige in the community of linking to this prestigeous website.
  
• Setting up a high volume warez server
  
• Possibly getting media attention

Also note the last 2 reasons for hacking a home computer are really for working with servers. The truth is, not too many people really care about hacking your computer, unless its a means to an end.

ahem...

[GoNINzo]

Except when they are exploited, they might not be noticed for awhile. I've noticed one site getting hit for awhile now.

As we speak, someone is changing the news options on the RIAA website. However, they don't seem to be stopping them from doing it. I did grab a shot of a particularly amusing one though.

Oh, and just so everyone knows.

The biggest issue I have with Klez is the forging

[weave]

My addresses show up on a lot of web pages and others' addressbooks, so not only do I get a lot of Klez messages, I get a lot of them sent out to others in my name.

I am then subjected to dozens of e-mail scanning auto-responders telling me I have a virus, auto replies from people I've never heard of, and the occasional jerk who thinks they know everything screaming at me in e-mail telling me I am stupid for letting myself get infected.

The fact I am also the postmaster admin to 13,000 users means I get users contacting me in a panic thinking they have a virus because one of the three above things happens to them. This, despite a faq and notices on intranet etc etc that this thing is out there.

Klez is probably the primary reason I am starting to hate Microsoft. It doesn't matter if my computer and all computers I am responsible for are completely patched and that my mail gateway blocks it, I still get to be a victim indirectly, and I doubt we'll ever see the entire planet fully patched.

public memo

[cr@ckwhore]

Despite the thousands of known exploits and virii...

Public Memo:

Its "viruses", not "virii". Repeating, "viruses".

Did you also get the memo about the TPS report cover sheets?

RIAA HACKED

[gulfan]

http://www.riaa.org/admin/press_and_news.html You can modify or post ANY news on the site now, the front page has GOATSE on it. http://www.riaa.org/ Do your worst :P

Re:Klez - What kind of virus name is this?

[baryon351]

klez always made me think of a bundled lesbian that came with KDE...

Exploits == Security Holes?

[Anonvmous+Coward]

One thing that bugs me a bit about this article is that it defines an exploit as a security hole. While this is true, the tone of the article makes it sound worse than it really is.

I mean, think about what an exploit really is: Somebody has taken a feature of Windows and turned it against the user or the user's machine. The problem I see here is that you can't have a totally secure machine and have all those fancy features you like.

I'll give you an example: I use Outlooks's to do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy, whenever I need to do my time sheet I just pull up the task and double click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!

Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.

I'm not saying that MS is unfairly given a bad rap for this whole topic. I think their default choices are ill-thought and have caused serious damage. However, it needs to be considered that there is always an inherent risk with any piece of software you use. It's not a matter of security holes, it's a matter of deciding whether or not it's worth the risk.

I, for one, would never underestimate people's creativity. I read about an insurance scam once where this guy got fire insurance for each of his cigars, over $1,000 a piece. Then he smoked them. He took the insurance company to court, and the judge reluctantly ruled that the insurance company had to pay the guy $12,000. Fortunately for the insurance company, though, they were able to charge him with arson. Heh he got a hefty fine ($10,000 ish? I don't remember..) and served jail time.

Now, if you think about this insurance company, you probably wonder why they didn't a policy about cigars or items that were meant to work with fire? Well, it's simple: They never imagined that somebody'd do that. The only way they could be fraud proof is if they were to clearly define the rules for every ridiculous outcome they can think of. Know what'd happen then? There would be people unable to redeem fair claims because their unusual case strayed outside the boundaries that are clearly defined. There would also be that one guy who figures out a creative way to buck the system anyway. The insurance company is far better off coming up with ways to deal with the eventual fraud instead of over-relying on their policies and laws to protect them.

So where does that leave us computer people? Well, it's simple: Using a computer is risky. Take a few risks but protect yourself. Worried about people stealing your credit card info on-line? My answer is not: "well don't use one then!" Instead, my answer is: "Get a credit card with a company that'll protect you in that event." Worried about data loss? Make backups once in a while. Worried about hackers breaking in on your always on connection? Use a firewall, but use common sense too. A firewall is the equivalent of shutting a few windows, it's not a structural reinforcement.

Total security is a pipe dream. Instead of blaming Microsoft, take some sensible precautions to minimize the damage done. The benefit here is that you protect yourself from damage that can happen outside of the exploit world. (Lightning strikes, hardware failure, children...)

Can't extrapolate this to determine overall risk

[Waffle+Iron]

In spite of 50 years of lax security, the U.S. airline industry has traditionally had little problem with hijackings and bombings. What can we learn from this statistic? As things turned out, not much.

Likewise, every remote root exploit makes it technically possible for this to happen. Even if relatively few people are being hacked by script kiddies today, that says nothing about the odds of a highly skilled attacker pulling off a single massively devestating attack.

This report is no reason for complacency.

Re:Maybe I'm an exception, but...

[Znork]

Sounds like you've gotten so 0wn3zd your're not even getting the logs anymore. Probably fairly soon after those first portscans you saw. Or maybe your ISP is running a firewall for you? But if I was suddenly seeing less than a dozen attacks per day, frankly, I'd be pretty sure I wasnt seeing the real picture.

Re:Opaserv exploited one

[ceejayoz]

Yeah, the guy's obviously making it up.

And since it doesn't exist, there's no reason for MS to release a patch to fix the vulnerability, right?

Obviously, you're intelligent and checked Google before flaming away.

You missed the point.

[RatBastard]

They pointed out the real problems, like KLEZ. But that wasn't the point. The point was that out of the thousands and thousands of supposed security holes very few are ever exploited. They said nothing of the destructive power of the holes that were exploited.

Linux more likely to be exploitable

[billstewart]

As an old Unix hacker I've found it annoying that Windows is sometimes more secure than Linux, but it can happen.
My lab used to have an unprotected DSL with out-of-the-box RedHat 6.x and unprotected Win95 boxes on it that we used for testing things. As far as I could tell, nobody ever successfully hacked the Windows box, and when I was running ZoneAlarm, it'd detect a lot of doorknockers but no real attack - No surprise, because we had file-system sharing turned off, a relatively obscure freeware web server, no Napster/Kazaa/Gnutella/Morpheus/etc., and not much else useful on it except clients so not much to crack.

But the main Linux box got broken into all the time - I eventually changed its name to "Kenny" because it was getting brutally killed every week. As far as I could tell, nobody seriously bothered it once I upgraded to RH 7.1 in a medium-secure mode (I didn't install FTP servers, for instance, and Apache didn't have any web pages complex enough to be exploited), but by then I wasn't doing much complex, and I'd replaced the highly reliable Pentium-66 with an faster el-cheapo machine that often died on its own so it wasn't available to crackers.

The most common attacks I was aware of were some rootkit followed by installing Staecheldraht DDOS and some IRC bots. (And after I'd wiped out Staecheldraht a couple of times, the loser got annoyed and wiped out my disk drive once.) I noticed the initial attack because one of Kenny's P66 cousins was used to run a tcpdump sniffer to monitor the LAN and it kept doing ICMP to machines at universities. At least one of the rootkits "fixed" ls and ps to not report on its directories and processes, but forgot about some other utilities like /proc, and forgot about semantics problems like

umount: Can't unmount /home2 - in use
$ ps -ef
[nothing obvious shows up]