Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

2 of 424 comments (clear)

  1. Improved odds in XP/2003 SP2 and Vista/2008 by FuegoFuerte · · Score: 5, Interesting

    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").

  2. Re:How is this measured by Gumbercules!! · · Score: 5, Interesting

    I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

    That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....