Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

7 of 424 comments (clear)

  1. Improved odds in XP/2003 SP2 and Vista/2008 by FuegoFuerte · · Score: 5, Interesting

    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").

  2. ha! by thatskinnyguy · · Score: 3, Interesting

    4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!

    --
    The game.
  3. Re:How is this measured by Gumbercules!! · · Score: 5, Interesting

    I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

    That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....

  4. Re:another nonsense MS bashing piece by Opportunist · · Score: 3, Interesting

    Considering that the average Linux distro from 5 (or rather, if you want to make a real comparison since they're obviously using XP SP1 to "prove" their point, 7 years) already came with an iptables/ipchains firewally built in and rather few, if any, remotely accessable services running if you don't want them to run (they ask you if you want to have SSH running and yes, should you enable a 7 year old version of SSH then you're vulnerable), I'd think XP would still lose.

    The problem is that even if you KNOW that the RPC is a deadly remote exploit vector in XP, you CANNOT turn it off during install. With Linux, at least I have the option to avoid enabling SSH or other services that I know are no longer safe.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:How is this measured by Stellian · · Score: 3, Interesting

    Oh please. This is why I love Slashdot. I'm as big of a MS hater as the next guy, but those who ignore MS's progress from the Blaster days are just spewing FUD. A default Windows SP2 installation, with non-executable buffers (DEP) left enabled for Core windows services, running on supporting hardware will not get owned by just sitting on an infected network. I challenge any Slashdoter who thinks otherwise to prove it. Of course, when people start browsing porn sites with the default browser things get tricky, but that's no longer a remote, automated attack.
    TFA counts *ALL* forms of attack. Even scans for obscure webserver or game vulnerabilities, Blaster type scans and ssh brute force attempts. I fail to see how these "attacks" can have any impact on a computer running a fresh install of a recent version of Windows like XP SP2, SP3 or Vista.
    You can argue about security track-record all you like, and talk about why Windows is not secure by design, and how it should not be used for life support systems and ATMs, and I would agree. But this is getting ridiculous.

  6. Ever tried that with Red Hat 7.3 by Britz · · Score: 3, Interesting

    There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3
    So I would be interested in the time it takes for that one to be infected.

    Do they even give patches for that any more?

    I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the os.

  7. Re:Funny thing is that Zone Alarm has had vulns by buswolley · · Score: 3, Interesting

    I'm not quite a newb or anything. But, how do you know if you've been owned? Standard anti-virus checks? Something more difficult to detect?

    --

    A Good Troll is better than a Bad Human.