Stop Christmas-Gift PCs From Feeding Worms

An Anonymous Reader writes "If you recently set up a new PC with Windows XP, or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches. Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T : Thanks for reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T : Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.

"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that its probably to late now to start downloading your favorite Linux distro."

But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)

Chicken and the egg

[Space+cowboy]

It's a classic catch-22 when you need to download the patches, but the act of downloading them makes you vulnerable ... I have just bought my parents a new PC (with XP, they're not up to Linux just yet ...) and I never thought twice about doing the windows-update thing... OTOH, they are behind a decent firewall (that does run Linux :-) so the risk is pretty minimal.

Perhaps all these DSL/WiFi combo boxes will be a blessing in disguise because they all come with a firewall (on by default, with Cisco's Linksys ones :-)

Simon

I feel for the home user...

[aml666]

My systems are behind a Hardware Proxy and a software firewall. I feel safe and have not been compromised... yet.

Those poor home users who are not technically savvy are pretty screwed. They won't be able to figure out *nix and don't want to pay the bucks for Apple.

Microsoft should offer (no not MSN) a method for new Windows machines to dial direct for patches before connecting to the Internet.

This method should be over ridable for the safer crowd.

Re:The long-life of the Blaster worm is the ISPs f

[pigscanfly.ca]

Your ISP shouldnt have to filter out random ports because someone somewhere wrote some crap software which is now easily explotaible over those ports .
The fault is all the users who didnt patch there systems .
I dont know about you but when my ISP starts port filtering I get pissed off , that my decision to make not theres (stupid monkies blocked of port 20 through 25 . I had to run ssh on a different port!)

The Best Christmas Present

[teamhasnoi]

You can give someone is a Mac. Mom got one a while ago, and I have made two troubleshooting calls. One was due to my Dyn-dns client I had installed to reach the box ( the mac hadn't been on for a bout a month), and the other was when I got an email saying, "I can't send email". Classic.

Compare that to a godawful dialup VNC session on a home shopping network XP box where I needed to fix blaster and the person didn't know how to get to system settings.

I sold a mac that day with "Guess what, buy a mac and you will never have to deal with this again."

(and I won't either, to myself) That's why it is the best Christmas present you can give yourself, if you are the designated "computer-guy". Not having to deal with other people's XP is worth its weight in Half-Life Gold, Al Franken, and Myth II: Soulblighter.

Linux for Roblimo's Stepdaughters?

[Lord+Kano]

I understand wanting to advocate alternatives at all times, but come on now Rob.

There is no way in HELL that I'd consider giving a linux machine to a friend or relative who is light on technical ability.

I am already on call to fix the computers of my friends and family, my girlfriend, my girlfriend's best friend, my girlfriend's sister, and my girfriend's sister's girlfriend.

I'd easily double the amount of free support that I've have to give if I gave someone a linux machine. Even if most of the calls ended up being "No, I can't help you install 'Barbie goes to the beach' because the version that you have is for Windows", that is still crap that I don't want to deal with.

I'd rather burn a disk with Ad Aware and Spybot Search & Destroy and give it to people than to have to educate people on a system that they know nothing about.

So many people these days don't know a thing about DOS, so how can you expect them to take the time to learn bash? More times than I would like to remember, I had to use the console to fix a problem on one of my linux machines that just couldn't be done through X. Sometimes the problem was that I couldn't launch X.

Windows is the devil that most people know. As awful as the security is, as awful as Microsoft's business practices are, Windows is the top dog and most mundanes don't care about anything but being able to check the weather, get email, bring up a few web pages, and play some games. For most people, that is easier to do with Windows.

LK