Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

6 of 424 comments (clear)

  1. How is this measured by Lord+Lode · · Score: 5, Insightful

    I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?

    1. Re:How is this measured by JimboFBX · · Score: 5, Insightful

      The fact your firewall was disabled shows you already did some interaction.

  2. Re:... and if you leave your car key in the igniti by Opportunist · · Score: 4, Insightful

    I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.

    The problem is, with the internet space means nothing. You essentially automatically live in all the worst cities at once, they're all right in front of your doorstep.

    That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.

    Don't feel special, though. They camp in front of every else's door at the same time.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Um, what version? by Computershack · · Score: 5, Insightful

    Which is exactly my point. We know those machines get pwned quickly, so why is this news?

    Because it's about Windows and in the current trend, you don't have to bother on /. with little annoyances like facts and the truth if it's to do with Microsoft - any old shite will do if it is trying to make Microsoft look bad.

    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  4. Re:Honeynet by neokushan · · Score: 4, Insightful

    Exactly. Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.
    I'm not even sure what it is they're trying to prove - that Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?

    This actually got me thinking, even Linux has it's vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CD's people have lying around. I've known a few people that have resorted to one of these Live CD's in times of dire need (i.e. when windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?
    Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  5. Re:How about a VM on NAT in a firewalled host mach by Creepy+Crawler · · Score: 4, Insightful

    Not true at all. It's a common misconception that NAT protects anything at all. Why so?

    NAT uses translation routing based upon multiple inside computers to one outside address. The key here is the NAT device does NOT reconstruct packets if they are heavily fragmented. Even upper end Ciscos and Junipers are vulnerable to fragment based attacks.

    The key is you construct a IP-IP tunnel to target victim, try to guess the internal IP addressing scheme, and then use a program called Fragrouter to properly "make mal-fragmented packets". Once you do this, it will hop over damn near every router.

    I think there's a setting in IPF that forces reconstruction before passing packets. That's the only defense, along with a proactive filtering in both directions.

    --