Slashdot Mirror

← Back to Stories (view on slashdot.org)

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

15 of 424 comments (clear)

  1. How is this measured by Lord+Lode · · Score: 5, Insightful

    I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?

    1. Re:How is this measured by JimboFBX · · Score: 5, Insightful

      The fact your firewall was disabled shows you already did some interaction.

    2. Re:How is this measured by Gumbercules!! · · Score: 5, Interesting

      I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

      That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....

    3. Re:How is this measured by Mistlefoot · · Score: 5, Informative

      Absolutely. SP2 firewall is enabled by default.

      And from the article "This older guide was written based on Windows XP pre SP2. One of its main feature
      was step by step instructions on how to enable the Windows XP firewall."

      XP SP2 was released in August of 2004. Why are we talking about 4 year old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.

      Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older then Ubuntu - even with SP2 it would still be older then Ubuntu or Firefox.

    4. Re:How is this measured by CastrTroy · · Score: 5, Informative

      Because the last OS put out previous to Vista was Windows XP. That's why we are talking about such old software. It's only 1 version behind current. The biggest problem, is that there's a lot of people who have XP discs with no service pack incorporated. When you reinstall from these discs, and try to connect to the internet to download SP2, your computer is owned before you can even download the service pack. That's a major problem.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:How is this measured by Gumbercules!! · · Score: 5, Informative

      I know it was pwned because during the installation I got an angry phone call from the Cisco Comms boys, who wanted to know why one of our servers was suddenly flooding the network with traffic matching the signature of the Code Red worm.

      Once the installation finished (now with the cable unplugged), sure enough, the box was infected with Code Red. No doubt because IIS installs by default (set to on) and my leaving the cable in allowed it to get infected.

      I was then embarrassingly the reason for a new policy stating all installations must be done with the network cable unplugged.

  2. Offline updates by Fallen+Andy · · Score: 5, Informative
    For XP/Office/Vista, you owe it to yourself to use the Heise offline updates.

    Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).

    Andy

  3. Typical /. Hypocrisy! by Anonymous Coward · · Score: 5, Funny

    I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.

  4. Re:I have to call BS by Anonymous Coward · · Score: 5, Funny

    I never patch my windows unless its a service pack and I run just fine... Always have my Antivirus running and Windows defender with a router with built-in firewall... No complaints for the 7 years since I built my pc....

    Indeed, your computer is a valued member of our botnet.

  5. Improved odds in XP/2003 SP2 and Vista/2008 by FuegoFuerte · · Score: 5, Interesting

    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").

  6. Re:Baloney by Exitar · · Score: 5, Funny

    Haha, no problem for me with my Linux dis

    Buy Viagra Cheap at http://myipaddres/viaga

  7. Re:Um, what version? by Computershack · · Score: 5, Insightful

    Which is exactly my point. We know those machines get pwned quickly, so why is this news?

    Because it's about Windows and in the current trend, you don't have to bother on /. with little annoyances like facts and the truth if it's to do with Microsoft - any old shite will do if it is trying to make Microsoft look bad.

    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  8. Re:Honeynet by bloodninja · · Score: 5, Funny

    If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?

    Can you still buy Redhat 8?

    Can you still buy Windows XP?

    --
    Lock the wife and the dog in the boot of the car.
    Return one hour later.
    Who's happy to see you?
  9. Funny thing is that Zone Alarm has had vulns by George_Ou · · Score: 5, Informative

    Funny thing is that Zone Alarm has had some serious remote exploit vulnerabilities where if you hadn't installed a 3rd party FW in to your Windows XP computer, you'd be safe. Here's an example of one http://secunia.com/advisories/10921/. Windows XP, Vista, Server 2003 and 2008 Firewall has been rock solid and secure. You're simply talking out of your ass and you're giving the typical knee jerk reaction against Microsoft products. You do not have a single example of where Windows XP SP2 firewall is vulnerable to a remote exploit and there isn't a single example of hackers getting through it if all ports are closed.

    1. Re:Funny thing is that Zone Alarm has had vulns by KGIII · · Score: 5, Informative

      To add to this I have helped write both the Outpost Personal Firewall and Kaspersky's Anti-Virus application. As the NDA is up I can admit to the latter. Simply put, you're full of shit. (Not the parent but the grandparent. George is right on.) The reality is that if one doesn't try to pretend they are smarter than the system than the Windows firewall works really well at INBOUND protection. Let me state this another way... If you have a clean system AND don't go screwing with the system's settings the Windows firewall will do just fine at getting you online safely. If your OS installation media predates this than you should really look at slipstreaming or a newer OS. Windows firewall sucks at outbound protection, a lot... As for inbound? It is fine and I will happily toss an image and an IP address up to those who disagree [no carrier] (Just kidding of course, it really DOES do the job of inbound protection. Safe hex and JUST the Windows firewall behind a NAT enabled router has served me well for a long time though outside of that I simply use Outpost.)

      --
      "So long and thanks for all the fish."