Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.
Not anymore...
http://www.internetnews.com/article.php/3317211
(It's a link to the story about Microsoft including antivirus software in Windows XP Service Pack 2.)
Lately about 1/3 of my job consists of dealing with Windows vulnerabilities. And there are four other full-time staffers here with the same job description. We're not especially well paid, but that sure adds up. And when you add in the downtime of the people whose computers we're fixing...
http://alternatives.rzero.com/
Actually, just install the latest service pack and then install Autopatcher. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.
There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!
Quidquid latine dictum sit, altum videtur (Whatever is said in Latin sounds profound)
I advise you to look at a decent Linux distribution instead of doing a build-it-yourself.
Any commercially supported Linux distribution will offer updates that can be installed by your mother just like she can use Windows Update.
For example, look at SuSE Linux, which has Yast Online Update.
I know it isn't perfect, and I shouldn't even have to pay for a server to keep our MS stuff up-to-date, but it has saved us tons of time and hasn't given us any problems yet. Maybe we are an exception.
I struggled for days and days and all I got was this lousy sig.
Yes, this is news. And it's good news. In case people missed it, this is from the Gartner group. This is the holy tome of PHBs. The way and the light. Gartner says jump, and the PHBs jump, you better believe it. And after years of saying that Windows is the way and the light, they're finally acknowledging that poor security costs money. It's recommendations like this, more than anything else, that will move companies from Windows to Linux.
There is no sig, there is only Zuul.
...or you just do it yourself via ssh.
...or you set up cron jobs to automatically update packages every night.
Douglas P. Price
LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon: it generates the process that is responsible for authenticating users for the Winlogon service). There is also another worm that affects this service. If the full path to this program is not C:\WinNT\System32\LSASS.exe (Windows 2000) or C:\Windows\System32\LSASS.exe (Windows XP, 2003), then you have the W32.Nimos.Worm virus or some other virus.
No, actually German Post did not get the actual Sasser worm, but they panicked after Sämpo had one loose in their internal network, so they did like Sämpo. Block A LOT of traffic. Unfortunately, in doing so, they also blocked their own banking system from communicating properly and became "collateral damage" because the sysadmins panicked.
worms/viruses are currently Windows-only problems.
Emphasis on the "currently." Has everybody forgotten the Sadmind worm, which spread among servers running Solaris OS and defaced web servers running Windows OS and Solaris OS?
TCO=Total Cost of Ownership
Includes price and rough estimates of other costs (support, downtime, etc.)
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Care to explain why? You are relying on the (completely false) assumption that Windows gets hit more simply because it is more ubiquitous.
This whole argument is fundamentally disingenuous. The Windows architecture itself is what causes these problems in the first place.
If you can enumerate exactly WHY Linux (or any other Unix) could possibly have these sorts of problems I'm all ears.
It's spelled (and pronounced) Sampo. Learn vowel harmony, you insensitive clod!
Computers are useless. They can only give you answers.
-- Pablo Picasso
And many wonder why jobs are all going overseas. Lazy admins that don't do squat all day, they can't even install patches. Microsoft never cared about security; it seems system admins never did either. Every time a new virus comes out they run around like beheaded chickens watching their house of cards fall down.
This isn't just a Windows problem, it is an admin problem. There are tons, and I mean tons, of hacked Unix boxes that script kiddies use for distributing warez etc. because they are connected to huge bandwidth pipes.
did you forget to take your meds?
They did.
They got sued.
They don't anymore.
IIRC, it was MS-DOS 6 that included MSAV, their antivirus program -- as well as a couple other technologies that they stol^H^H^H^Hinnovated, such as the first go-round of their disk compression software (DiskSpace? DriveSpace? I can never remember which is which). It wasn't until about 6.22 that the offending technologies were stripped out.
However, with their recent invulnerability to litigation (by the Justice Department, even!), I 'spect they're prolly ballsy enough to try again.
I Know I Am Going To Be Modded Down For This
Upgrading IE is a complex process that upgrades most of your major libraries with it. The actual IE executable is quite small but is linked against several crucial libs, which are all available to (and used by) most of the rest of userland.
All's true that is mistrusted
If OS X were the dominant OS, there would be zero worms wreaking this kind of havoc.
A default OS X installation has exactly zero ports listening for connections, and the root account is disabled. Even administrator-level accounts must authenticate before making any changes of significance to the system. These factors make it nearly impossible for a worm to spread on OS X machines like a Blaster, Sasser, or Slammer can on Windows machines.
Marketshare has nothing to do with the security of an OS. There are way more Apache-based web servers than IIS-based, but IIS gets pwned much more often than Apache.
At least according to Rob Enderle, who thinks worms and viruses should not count as actual security problems. Heck, I'm sure his crap group will have no problem pretending the cost of removing worms and viruses and the downtime accordingly should not count toward actual TCO. And then again, if it's a problem, I'm sure Bill will send him some more money.
This argument is both old and bogus. MS Windows (any iteration) is architecturally inferior to UNIX, Linux and NetWare. Why? Because MS began as a single-user, single-tasking OS, the others as multi-user, multi-tasking OSes, which are architecturally designed for security and process isolation: users can't interfere with other users, processes can't interfere with other processes, etc. So even if OS X, Linux or some other *nix was as dominant as MS, the exploits would be fewer and less damaging. Case in point, Apache: most widely used HTTP server, exploits can be counted on two hands with fingers left over, compared to MS IIS with so many exploits I've lost count.
In that case, I've got bad news for you. Microsoft wrote the BASIC that runs the 64. There's no escape! :(
You don't need root to run a mass mailing email worm. If you could convince a user to run a trojaned executable, regular user permissions will do just fine. It could even open a spam proxy backdoor without root. All you really need root for in network code is for raw sockets and to listen on low TCP ports (below 1024).
Some email worms exploited an autoexecute-from-the-preview-pane bug in IE, but most of them were social engineering exercises in convincing the user to run the attachment. I think it's easy enough to launch an attachment in, say, KMail or Evolution. The only challenge is delivering an executable that'll run on enough Linux machines (perl? bash? static binary?). The only reason we don't have a mass mailing Linux worm is because no one's tried it yet. It's not THAT hard.
Your comment means nothing, considering that the *ONLY* machines on campus that were not affected were the handful of Apple, Linux, and HP-UX machines. None of these (including Linux) require very much effort to maintain if you have competent admins. Sasser, on the other hand, was installing on machines that get patched *DAILY* by script, forcefully through automatic patching, and are even behind a firewall to the Internet. Somebody was likely to have accidentally brought a machine from off-campus, plugged it into the network, and started all of the PCs into a rebooting frenzy. We ALL wasted time fighting with this, even if we weren't part of IT support, and many people lost important work from the forced reboots while working on school work or other things.
Not to pick nits, but while the Commodore 64 never had viruses to worry about, its external 1541 disk drive was another story. Unlike PC drives, the 64's was a computer in its own right, with a CPU, memory, and an operating system. They also got hot enough to keep your coffee warm! The viruses were few, but available.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
When the vulnerability was announced, we saw it was going to be a bad one. What did we do? Well, we downloaded the update, tested it on a few machines (which had no problems) and a few days later clicked a check box on a SUS server that approved it for distribution to clients.
Over the next few days, just the one SUS server I monitor reported over 1200 clients successfully installed the update. Others reported similar results. By the time Sasser showed up (or any of its slower-moving predecessors, some of which were poking around within a week), we'd patched thousands of systems with no user interaction at all. The only people who got hit were people running unmanaged machines... and many of them had ignored the little green globe which was telling them that their system needed to be updated. If they'd clicked on it, they would have been OK too.
Oh yeah, SUS is free, a piece of cake to install, and works great. It even locks down the server it runs on to resist attack. Anyone who runs more Windows machines than they can reach from their desk chair should be using it.
Gartner should stop with the "nyah nyah we said it was going to be a bad one... look how cool we are". Everyone else with a clue knew it was going to be a big problem too. They should instead point out ways for Windows shops to get out in front of the curve.
Am I the only one who's discovered that Automatic Updates are actually automatic?
No. You are one among many that apparently think Automatic Updates covers everything when it doesn't. The Automatic Updates are not all-inclusive of the patches released to address vulnerability/security issues.
And KDE has something similar called kdesu (and there is the same for GNOME) that opens a dialog asking for the root password, then runs the program with root privileges.
That's how, if you're running Mandrake, you can easily launch the Mandrake configuration tools.
wtf.n0x.org
SUS (Software Update Services, a LAN version of Microsoft's Windows Update site) has been out for, what, two years now? Any decent-sized network should consider it essential. I am running SUS on my LAN at work (about 50+ Windows 2000/XP workstations) and we haven't had any problems from these worms, simply because all my machines are patched within a day of the patches being released. Considering the patch for the Sasser worm has been out for over two weeks now, I think it should be considered dereliction of duty for Sysadmins to take so damn long installing the patches!!!!
Blame MS all you want, at the end of the day, if MS have released the patch and the sysadmins haven't installed it (for whatever reason), then it's not MS's fault.
Still, I wouldn't mind breaking the fingers of the prick who wrote the worm in the first place.
Absolutely incredible.
EVERY Linux/Unix installation I have ever encountered forbids chowning ANYTHING if you are not root, even in your own user directory, unless the user itself has saved the file. Then usually whatever program will have the file with the user's ownership tags and 0755.
That user can type chown whatever all day long and the Linux/Unix machine will complain and not lift a finger for you.
Unbelievable.
Dawn of the Dead
If it is above port 1024...yes. You can start an Apache process and bind it to port 8080 without being root.
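The two posts above (root needed only for raw sockets and ports below 1024; an Apache on 8080 needs no root) describe a kernel boundary you can probe directly. The script below is an added illustration written for this page, not code from any poster. It assumes a Linux or other POSIX host; the sysctl path it reads is Linux-specific (the kernel's ip_unprivileged_port_start, default 1024), and on other systems it falls back to the historical 1024 boundary. Note that a process holding CAP_NET_BIND_SERVICE, or a container that lowered the sysctl to 0, will be able to bind 80 without being root, which is why the result is probed rather than assumed.

```python
"""Probe which TCP ports an unprivileged process may bind.

Added example for this thread (not from the original posts). Assumes a
POSIX host with a loopback interface; the /proc sysctl below exists only
on Linux and is skipped elsewhere.
"""
import errno
import os
import socket

# Linux-only: lowest port a process without CAP_NET_BIND_SERVICE may bind.
LINUX_SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start(default=1024):
    """Return the first non-privileged port (1024 unless the host says otherwise)."""
    try:
        with open(LINUX_SYSCTL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def is_privileged_port(port):
    """True if binding `port` needs root (or CAP_NET_BIND_SERVICE) on this host."""
    return 0 < port < unprivileged_port_start()


def try_bind(port, host="127.0.0.1"):
    """Try to bind a TCP socket on `port`; return (bound_port, errno_code).

    errno_code is 0 on success, errno.EACCES/EPERM when the kernel refused a
    privileged port, or another errno (e.g. EADDRINUSE) for other failures.
    The socket is closed right away; nothing is left listening.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return s.getsockname()[1], 0
    except OSError as e:
        return None, e.errno
    finally:
        s.close()


def classify(port):
    """Map a bind attempt to 'bound', 'needs_root', 'in_use' or 'error'."""
    _, err = try_bind(port)
    if err == 0:
        return "bound"
    if err in (errno.EACCES, errno.EPERM):
        return "needs_root"
    if err == errno.EADDRINUSE:
        return "in_use"
    return "error"


if __name__ == "__main__":
    # Port 0 asks the kernel for any free ephemeral port; 8080 is the
    # classic "Apache as a normal user" port; 80/443/1023 sit under the boundary.
    uid = os.geteuid()
    print(f"euid={uid} unprivileged ports start at {unprivileged_port_start()}")
    for p in (0, 80, 443, 1023, 8080):
        print(f"  port {p:5d} privileged={is_privileged_port(p)!s:5} -> {classify(p)}")
```

Run it once as a normal user and once under sudo: the high ports bind either way, and the low ports flip from needs_root to bound. The same probe is a cheap pre-flight check before dropping privileges in a daemon, or for confirming that a hardened container really did not grant CAP_NET_BIND_SERVICE.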
Sure there could possibly be a kernel exploit, but there are so many different kernel versions. Sure you could write a worm like Blaster that exploits a vulnerability that's already been patched, but there are so many machines that are already patched... But when you install a Linux/BSD system, what ports are open? What services are running? Exactly. You don't know. As the number of users increases, the knowledge of each user decreases... therefore, the more people will run as root (or an account with close enough privs) to make the closed/open ports or running services point moot. Come on. Tell me what AV software is your Linux box running? None, right? Kinda like the way it was back when we were running Windows 3.1, right? Linux is inherently more secure, but that doesn't make it invulnerable.
In KMail (and I'd hope in Evolution as well) attachments are never executable, only openable at best. To execute a program/script you still need to save the attachment to your local hard drive and explicitly make it executable. So starting applications right from inside KMail is not "easy", it's completely unsupported and impossible. (Btw. KMail neither executes JavaScript, loads any web plugins nor downloads any stuff embedded in HTML pages. Security by design.)