Slashdot Mirror


WindowsUpdate.com Secured, Permanently

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."

26 of 766 comments

  1. Next Week.. by msblaster.exe · · Score: 5, Funny

    Don't worry next week there will be another memo with the URL for the new update

    1. Re:Next Week.. by Ledskof · · Score: 5, Funny

      secured permanently? So they unplugged it from the network to finally get that C2 security level eh?

      --
      This is my sig. The post is over.
    2. Re:Next Week.. by cravey · · Score: 5, Funny

      I wonder why they didn't just point DNS for the website to 127.0.0.1.

      Let the infected servers work it out amongst themselves. :)

    3. Re:Next Week.. by AngryRodent · · Score: 5, Informative

      Windows update is already massively load balanced across multiple server farms. They use both a DNS based load balancer (F5 3DNS) and local area load balancers (F5 BIGIP). The server farms are in a number of locations. Early, and not so early in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNS's would create probes from each datacenter to the end-users system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IP's make Akamizing content a very simple matter. I'm not shilling for F5; I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably-satisfied customer.

  2. NetCraft stats by xrayspx · · Score: 5, Informative

    Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.

  3. windowsupdate.microsoft.com by anotherone · · Score: 5, Interesting

    Not a huge deal, since the official URL is windowsupdate.microsoft.com. The start menu, Tools in IE, and Windows Help all have that address. The worm author was kinda stupid; he should have pointed it to microsoft.com or windowsupdate.microsoft.com.

    --
    Username taken, please choose another one.
  4. Permanently Secured == Permanently Offline? by Matrix272 · · Score: 5, Insightful

    So "Permanently Secured" now basically means "Permanently Offline"? Why didn't they just let the worm eat the domain? What's the difference, really? Whether they pull the plug, or the worm does it for them, it still means windowsupdate.com won't work...

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  5. Here's the deal on Linux for windowsupdate.com by djh101010 · · Score: 5, Interesting

    They've given the windowsupdate.com site to Akamai to serve for them. Not a bad idea, actually, since Akamai has something like 15,000 webservers distributed around the world, to share the load.

    Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins. I'm a bit concerned for our own site this weekend, as we use akamai for our static content. It'll be interesting to see how my page load times are affected (if they are).

    Akamai is a great resource for dealing with huge spikes in webserver load - I guess you could say this qualifies as that.

  6. not quite by joe_bruin · · Score: 5, Informative

    OS: Linux
    Server: Microsoft-IIS/6.0
    Last changed: 15-Aug-2003
    IP address: 213.161.82.33
    Netblock Owner: Akamai

    they did not switch their servers to linux, they used akamai's caching services to handle their massive bandwidth requirements. notice the server is still iis. this is an akamai box (linux) serving a cached copy of microsoft.com (windows/iis)

    $ host www.microsoft.com
    www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
    www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
    a562.cd.akamai.net has address 63.236.1.163
    a562.cd.akamai.net has address 63.236.1.160
    a562.cd.akamai.net has address 63.236.1.153
    a562.cd.akamai.net has address 63.236.1.139
    a562.cd.akamai.net has address 63.236.1.168
    a562.cd.akamai.net has address 63.236.1.147
    a562.cd.akamai.net has address 63.236.1.138
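    The point this comment and the NetCraft one above make (the front end is not the origin) can be checked mechanically. As an added example, not the commenter's code, here is a parser for the `host` output quoted above that follows the CNAME chain and reports whether the name ends up under a different registrable domain than it started in; the sample input is the comment's own output, embedded as a constant, and all function names are mine.

```python
import re

# Constructed input: the `host` lookup quoted in the comment above, embedded verbatim.
HOST_OUTPUT = """\
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138
"""

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
ADDR_RE = re.compile(r"^(\S+) has address (\S+)$")


def parse_host_output(text):
    """Split `host` output into a CNAME map and an owner -> [A record] map."""
    aliases, addresses = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ALIAS_RE.match(line):
            aliases[m.group(1).rstrip(".")] = m.group(2).rstrip(".")
        elif m := ADDR_RE.match(line):
            addresses.setdefault(m.group(1).rstrip("."), []).append(m.group(2))
    return aliases, addresses


def follow_cnames(name, aliases, limit=16):
    """Walk the alias chain from `name`; refuse loops and absurdly long chains."""
    chain = [name]
    while chain[-1] in aliases:
        nxt = aliases[chain[-1]]
        if nxt in chain or len(chain) >= limit:
            raise ValueError(f"CNAME loop or chain longer than {limit}: {chain + [nxt]}")
        chain.append(nxt)
    return chain


def registrable_domain(name):
    # Crude: the last two labels. Adequate for .com/.net; a real tool would use the PSL.
    return ".".join(name.split(".")[-2:])


def fronted_by_third_party(name, aliases):
    """True when the chain ends under a different registrable domain (e.g. a CDN)."""
    chain = follow_cnames(name, aliases)
    return registrable_domain(chain[0]) != registrable_domain(chain[-1])


def final_addresses(name, aliases, addresses):
    """The A records of whatever the CNAME chain finally lands on."""
    return addresses.get(follow_cnames(name, aliases)[-1], [])
```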

  7. Re:Gates Memo repost - slowing... by otisaardvark · · Score: 5, Funny

    Today, in the developed world, we do not worry about electricity and water services being available.

    You have to give it to the guy; his timing is impeccable...

  8. Re:What did they do? by Tirel · · Score: 5, Informative

    here it is:
    Date: Fri, 15 Aug 2003 08:33:57 +0200
    From: Carsten.Truckenbrodt@Bertelsmann.de
    Subject: RE: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
    To: full-disclosure@lists.netsys.com
    Cc: security@microsoft.com

    Hi,

    This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
    the following will happen: The worm uses spoofed IPs from the local /16
    subnet as source address. Pointing all the syn packets to 127.0.0.1 will
    generate a RST packet from the local host to the spoofed IPs and spread
    traffic over the complete internal network.
    Even blocking or routing the normally resolved IP to Null0 will be a lot of
    work because this domain is loadbalanced through the world. That means you
    get a different resolution depending on your ISP or place in the world.

    If you manipulate your DNS, you should give no A-Record back to the worm.
    With this the worm will not start attacking anything. So setting up a
    nameserver zone with only a SOA record will do the job for Saturday 0:00.

    Best Regards,

    Carsten Truckenbrodt
    Arvato systems Taco Network SnotIing Security

    -----Original Message-----
    From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
    Sent: Friday, 15 August 2003 00:15
    To: full-disclosure@lists.netsys.com
    Cc: security@microsoft.com
    Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

    Folks,

    How about MS standing up for the mess, and changing their own DNS to point
    all requests for windowsupdate.com and whatnot to 127.0.0.1 ?

    This will null the effect of the syn flood very effectively. Only proxies
    will be affected.

    As far as I see it, they will not be able to use these names productively
    for the foreseeable future anyways ...

    So they will have to issue an update for windows-updater through other
    channels (like their homepage for example) to point it to a different
    web-site .. that should not be all that much of a problem.

    If MS does NOT make this change to their DNS, I can see many routers that are
    trying to track connections toppling over in interesting ways.

    Because the local techs have no clue, it will
    take the affected companies ages to get back on the net.

    tobi
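    What "give no A-Record back" means on the wire, as an added example that is not part of the posting above or of any tool it mentions: the two answers a sinkhole nameserver could return for the query (the rejected 127.0.0.1 answer beside the recommended empty one), built by hand from the DNS message format. All function names are mine and the query is constructed.

```python
import struct


def encode_name(name):
    """DNS wire encoding of a hostname: length-prefixed labels, zero terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """A plain recursive query for an A record, as any client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set; one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _question_end(msg):
    """Offset just past the question section (name, QTYPE, QCLASS)."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def _response(query, answer_rrs):
    """NOERROR response that echoes the question and carries the given answer RRs."""
    flags = 0x8180                       # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
    header = query[:2] + struct.pack("!HHHHH", flags, 1, len(answer_rrs), 0, 0)
    return header + query[12:_question_end(query)] + b"".join(answer_rrs)


def answer_loopback(query):
    """The rejected idea: an A record for 127.0.0.1, so the SYNs are still sent."""
    # 0xC00C is a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([127, 0, 0, 1])
    return _response(query, [rr])


def answer_nodata(query):
    """The recommended idea: NOERROR with an empty answer section, no A record at all."""
    return _response(query, [])


def a_records(response):
    """IPv4 addresses in the answer section (owner may be a pointer or plain labels)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    i, addrs = _question_end(response), []
    for _ in range(ancount):
        if response[i] & 0xC0 == 0xC0:
            i += 2
        else:
            while response[i] != 0:
                i += response[i] + 1
            i += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[i:i + 10])
        i += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[i:i + 4]))
        i += rdlen
    return addrs


def client_has_target(response):
    """Whether a client trusting this answer now has any address to open connections to."""
    return len(a_records(response)) > 0
```

    A production sinkhole would also put an SOA record in the authority section so resolvers cache the negative answer (RFC 2308); it is left out here to keep the wire format short.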

  9. Re:A moving target is still a target by ebh · · Score: 5, Insightful

    Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

    This is not like those stupid email trojans that are inexcusable because Microsoft intentionally opened the door (with scriptable email, etc.). This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

  10. Sidechannel attacks by babbage · · Score: 5, Insightful

    Of course, this leaves them open to alternative attacks.

    For example, if someone hijacks or otherwise poisons some DNS servers, then all the traffic to windowsupdate.com will make it through to windowsupdate.microsoft.com anyway.

    Or, a future worm could be written to target & attack a variety of Microsoft servers.

    Or a future worm could be written in such a way that the target is not part of the worm's code, but rather can be directed remotely somehow. This way, even if Microsoft tries to switch addresses, the person[s] directing the attack can just change the target.

    The real solution isn't to keep trying to dodge the bullet.
    The solution is to become bulletproof.

    Even after all this time, Microsoft still doesn't seem to get that.

    Part of the reason Microsoft is such a prominent target is of course because it is so, well, prominent. Taking down (say) an FSF server doesn't raise nearly as many headlines (as this week's headlines will attest to). But I don't think that all of the problem here can be traced to how widespread Windows is -- while the Internet's clients are nearly all running Windows, a large fraction of the server architecture is running some Unix variant, and while there is of course some malware that targets *nix (Linux, Solaris, MacOSX, BSD, etc), the results never seem to be as catastrophic as the typical Windows outbreak.

    To rip off Bruce Schneier's analogy from his security article in Atlantic Monthly a year ago, it seems to me that what security mechanisms Windows has tend to be brittle, while those that the *nix etc world have tend to be pliable. That is to say, when a problem comes up with (say) Apache, the damage tends to be isolated. This is partly because each installation will be configured differently, with different features enabled or disabled, and partly because the server runs on a variety of systems, each of which may have different mechanisms for providing underlying security protections. On the other hand, IIS installations tend to be pretty homogeneous, and a flaw with one very well could be a flaw with all.

    That's not to say that IIS couldn't be just as secure as Apache, if not much more so. But part of Apache (etc)'s strength is its heterogeneous nature -- people are able to tinker, adapt, mix & match components to suit their needs, and in the process this will also tend to protect them from catastrophic failure. Microsoft has actively resisted this kind of diversity -- witness their howls about having to come up with "thousands of versions of Windows" if some of the firmer antitrust penalties were put into force. Those thousands of permutations are, arguably, exactly what is needed: this will give their users greater choice, and it will make emergencies like this more rare.

    I don't get why they're so opposed to the idea.

    Maybe they've got cleverer plans than anything I can think of. I certainly wouldn't claim to be any kind of security expert. But if the best they can come up with is a change of address card, I can't help but wonder if they're fumbling in the dark here...

  11. Scary Vulnerability by rgmoore · · Score: 5, Insightful

    This strikes me as being a really bad thing:

    Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them a list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

    "We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

    They're missing a really big flaw, here, which is that this is horribly vulnerable to malicious behavior. There are already plenty of viruses and worms out there that make registry entries for one purpose or another. It seems to me that if you were exploiting a vulnerability for which a patch already existed it would be very easy to automatically modify the registry to make it appear that the patch had already been applied. This would make tracking which systems were vulnerable much, much more difficult. This would work particularly well if you were trying to make a stealth worm.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  12. Re:I think the windows update button on the taskba by Pharmboy · · Score: 5, Informative

    I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.

    Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.

    --
    Tequila: It's not just for breakfast anymore!
  13. Re:Not really... by terrymr · · Score: 5, Insightful

    I think given Microsoft's position on Linux that they should / would have researched the market to see if the service could be provided by a windows shop before signing a deal with akamai. It looks bad ... almost like saying windows isn't up to the task.

  14. Microsoft != reliable by Thud457 · · Score: 5, Funny

    "Actually, there are rumors that safety systems that would have prevented such widespread failure were running on Windows and were down because of blaster."

    If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, or maybe minor power failures happen frequently and were just prevented from spreading?

    Who the fuck runs mission-critical systems on Windows?!! HOMER SIMPSON?!!!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  15. Re:What did they do? by golgotha007 · · Score: 5, Funny

    why would i want to help alleviate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!

  16. Disk Operating System by Tired_Blood · · Score: 5, Funny

    While Windows was getting all the attention from their common creator Microsoft, DOS has secretly been waiting for its opportunity to strike at both.

    From the infoworld article:
    The company is cooperating with federal law enforcement officials to investigate the attack, which is the second successful DOS attack against Microsoft.com this month.

    Two successful DOS attacks this month. And what a sense of irony: revolt against the creator by manipulating "the favorite" to do its bidding.

    What's so hard about using a lower-case 'o'?

    --
    This is not my sig.
  17. No third party distribution of patches by Anonymous Coward · · Score: 5, Interesting

    Notably, Microsoft refused to give permission to ISPs to burn CD's or make floppies with the Blaster patch on them. I heard of one outfit that had their lawyer contact MSFT to make sure that they were kosher before giving them to customers. Microsoft refused. As it turns out, stating that the users could easily download the patches directly, even if they had the shutdown bug and were dialing in to download a 1.2 MB patch.

    I have no sympathy for MSFT getting DOS-ed. The fuckers deserve it, and they were hoist by their own petard. Sure, there is some nitwit out there that acted on an exploit that was known for at least a month, but WTF? What is the problem with letting ISPs distribute the patch to fix this thing?

    The ISPs are burning time and support lines over it, bandwidth is getting hosed by the packets on the affected ports, filtering ports helps (but doesn't eliminate the problem). Essentially, third-party companies (ISPs) asked for permission to help put out this fire, and Microsoft gave them a big "fuck you" and I am somewhat gratified by the whole thing.

    Fuck you, Microsoft. Here's hoping you get more of the same.

    I might post the emails discussing the attempt to get authority to help spread the patches somewhere, but I'm not anxious to cause a slashdotting of my own weenie ISP's servers.

  18. Microsoft hosed their own update service! by KE1LR · · Score: 5, Informative

    Microsoft has a free tool called "SUS" which is a localized version of Windows Update - you run it on a W2K server in your enterprise and then redirect your clients to get their automagic updates from the local server instead of going to MS directly.

    The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.

    However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!

    Error Message:
    "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"

    Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.

    Lame.

  19. Re:Power outage related to Microsoft by Cyclometh · · Score: 5, Insightful

    No need- end our little war in Iraq and we'll free up the funds needed. I read yesterday that the cost of the war in and occupation of Iraq will cost over $600 billion dollars.

    Just close up the operation a little early and divert those funds.

    Nah, never happen. Preemptive wars and years-long occupations of nations that are of dubious (at best) threat to US interests are more important than making sure your lights stay on.

  20. Re:Power outage related to Microsoft by Wingnut64 · · Score: 5, Funny

    "Is there any way this 'DoS' can be stopped?"
    "Impossibly, there's too many compromised machines. You'd need to turn off every computer on the East Coast..."

    --
    echo 'Header append X-HD-DVD "0x09f911029d74e35bd84156c5635688c0"' >> /etc/apache2/httpd.conf
  21. Prepare to pay thru the colon by Archfeld · · Score: 5, Interesting

    Here in CA you have to fund the switch which allows you to feed from your supply to the lines, even if you don't EVER want to feed back, PG&E got some help in the legislation, this runs around 10K minimal. The CA government in its infinite wisdom also instituted a Farking tax on power feedback, in order to offset the cost of people leaving the system while it is so deep in financial trouble, so now even if you DON'T USE the power grid, you are required to pay a tax on the approx. amount you would use....Our rural neighborhood association just went through the governmental hoops to get this working...what a friggin nightmare.... Unless you have several hundred potential users, there is no way this is financially feasible thanks to our friends in government, always out to protect corporate interests at the expense of taxpayers freedom and choice.....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  22. Uhhhh, No by DesScorp · · Score: 5, Insightful

    "why would i want to help alleviate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!"

    I know (think) you're joking, but while we can moan all we want about how Microsoft should design software that's more secure, we can't do anything about existing systems. And windowsupdate was the fastest, easiest way for the non-tech public to protect and repair themselves. Those of you out there that view this impending attack and the shutting down of windowsupdate as a good thing are very shortsighted.

    Maybe you don't give a shit about all of those other users out there that use Windows. Maybe you're happy this is happening. Fine. But rest assured, it's not going to cause people to rebel against Microsoft, like many of you are hoping. There will be no enlightenment and mass exodus to Linux or BSD or OSX. This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux. Pretty soon it'll be "yeah, I saw those Linux guys bragging on slashdot.org that they took windowsupdate down!"

    IBM's reps will be going "yeah, thanks heaps for the positive image, slashdotters.........fuckers".

    Make fun of people that run Windows all you want, but don't assist in, or support the disabling of one of their few effective means of defense.

    --
    Life is hard, and the world is cruel
  23. Everybody is missing the point by grozzie2 · · Score: 5, Insightful

    I think everybody is missing the point on this whole issue. Fact :- Blaster is a worm, whose payload was intended to dos windowsupdate.com, rendering it unavailable to the folks using it. Fact :- windowsupdate.com is 100% unavailable. Conclusion :- Blaster is the most successful virus/trojan to date. It didn't just cause a few hours of unavailability, it wiped the domain from existence. Not just any domain, but a prominent microsoft domain (high profile, big budget website) totally obliterated off the internet. Folks can say what they want, and argue about the politics of it all, bicker about who is responsible to update what, and whatever, but you cannot deny the facts. Blaster is head and shoulders above the crowd as a denial of service worm, the first to achieve a 100% success even prior to actually triggering. Say what you want folks, but this has got to go down in history as the most successful worm ever.