Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

11 of 424 comments (clear)

  1. Offline updates by Fallen+Andy · · Score: 5, Informative
    For XP/Office/Vista, you owe it to yourself to use the Heise offline updates.

    Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).

    Andy

  2. Re:Doesn't make sense by thona · · Score: 4, Informative

    That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They jsut scan IP Address ranges for computer to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction.

  3. Re:Doesn't make sense by kitgerrits · · Score: 4, Informative

    No, this type of infection is sent to random computers all over the Internet.
    If one computer on the same IP range as you if infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the harddrive.

    Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface.
    You'll be surprised at the stuff you get without asking.

    --
    "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
  4. Re:How is this measured by Spad · · Score: 4, Informative

    I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.

  5. Re:Doesn't make sense by sowth · · Score: 4, Informative

    I'm going to jump in, because I don't think anyone explained this.

    Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like filesharing works: it has a server program which will reply when someone else on the lan broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.

    There could also be vulnerablilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.

    This is in addition to getting infected by visiting a hostile site with an insecure browser.

    I may not have explained this very well, but hopefully you get the idea.

  6. Re:Time-to-0wn with dumb NAT firewall by totally+bogus+dude · · Score: 4, Informative

    You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).

    All up, the chances of anything getting through are pretty much negligible.

    The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.

    This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.

    Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.

  7. Re:How is this measured by Mistlefoot · · Score: 5, Informative

    Absolutely. SP2 firewall is enabled by default.

    And from the article "This older guide was written based on Windows XP pre SP2. One of its main feature
    was step by step instructions on how to enable the Windows XP firewall."

    XP SP2 was released in August of 2004. Why are we talking about 4 year old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.

    Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older then Ubuntu - even with SP2 it would still be older then Ubuntu or Firefox.

  8. Re:How is this measured by CastrTroy · · Score: 5, Informative

    Because the last OS put out previous to Vista was Windows XP. That's why we are talking about such old software. It's only 1 version behind current. The biggest problem, is that there's a lot of people who have XP discs with no service pack incorporated. When you reinstall from these discs, and try to connect to the internet to download SP2, your computer is owned before you can even download the service pack. That's a major problem.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. Funny thing is that Zone Alarm has had vulns by George_Ou · · Score: 5, Informative

    Funny thing is that Zone Alarm has had some serious remote exploit vulnerabilities where if you hadn't installed a 3rd party FW in to your Windows XP computer, you'd be safe. Here's an example of one http://secunia.com/advisories/10921/. Windows XP, Vista, Server 2003 and 2008 Firewall has been rock solid and secure. You're simply talking out of your ass and you're giving the typical knee jerk reaction against Microsoft products. You do not have a single example of where Windows XP SP2 firewall is vulnerable to a remote exploit and there isn't a single example of hackers getting through it if all ports are closed.

    1. Re:Funny thing is that Zone Alarm has had vulns by KGIII · · Score: 5, Informative

      To add to this I have helped write both the Outpost Personal Firewall and Kaspersky's Anti-Virus application. As the NDA is up I can admit to the latter. Simply put, you're full of shit. (Not the parent but the grandparent. George is right on.) The reality is that if one doesn't try to pretend they are smarter than the system than the Windows firewall works really well at INBOUND protection. Let me state this another way... If you have a clean system AND don't go screwing with the system's settings the Windows firewall will do just fine at getting you online safely. If your OS installation media predates this than you should really look at slipstreaming or a newer OS. Windows firewall sucks at outbound protection, a lot... As for inbound? It is fine and I will happily toss an image and an IP address up to those who disagree [no carrier] (Just kidding of course, it really DOES do the job of inbound protection. Safe hex and JUST the Windows firewall behind a NAT enabled router has served me well for a long time though outside of that I simply use Outpost.)

      --
      "So long and thanks for all the fish."
  10. Re:How is this measured by Gumbercules!! · · Score: 5, Informative

    I know it was pwned because during the installation I got an angry phone call from the Cisco Comms boys, who wanted to know why one of our servers was suddenly flooding the network with traffic matching the signature of the Code Red worm.

    Once the installation finished (now with the cable unplugged), sure enough, the box was infected with Code Red. No doubt because IIS installs by default (set to on) and my leaving the cable in allowed it to get infected.

    I was then embarrassingly the reason for a new policy stating all installations must be done with the network cable unplugged.