1 In 3 Windows PCs Still Vulnerable To Worm Attack
CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.
This is why I recommend everyone have a router installed on their internet connection, even if they have only one PC. Routers inherently block almost all worms.
I know a lot of people who are afraid of updates because of the genuine advantage validation. They got student priced versions of the software 5 years ago and are no longer students. They don't want to risk losing Visio/Word/PowerPoint or having some other software disabled on their computer.
The fear factor of automated reporting/validation is stopping a lot of people from running the updates.
Jeez, with virus scanners, several types of automatic updates, and other gadgety things polluting the standard corporate desktop, it is a wonder that people can get any work done on their PCs anyway. Six Inches of Air.
Zhrodague.net - I do projects and stuff too.
If my years of tech support taught me anything it's that 9 out of 10 Windows users are more damaging to computers than anything else.
Do you D?
With all this talk of Microsoft losing money, maybe they should get into the botnet business for themselves. Vertical integration!
How much downtime is caused (money is lost) by patches that break things versus how much money is lost when machines get hacked? This isn't a windows only issue. I've seen Debian security releases break things too. They're a bit easier to rollback, but the problem is fundamentally an ROI or EV problem, not a technical one.
I've often encountered companies who run windows updates on a weekly or bi-weekly basis, thinking this will be enough. It is not. And not to promote the idea of the lazy IT worker (though I consider myself to be one), but situations like this truly do require a machine-by-machine check. So all you folks out there who rely on Saturday night updates, well, you might want to do a quick check on that.
My PC is vulnerable to butterflies. I estimate 90% of all Windows machines could be as well.
I think we can keep recursing like this until someone returns 1
What drives me absolutely nuts is how people who are not computer professionals talk about patches with contempt. In any magazine article about an operating system, whether it be from the Windows family, Mac OS X, or Linux, when the subject of patches comes up, the writer will usually say something to the effect that a downside of using this operating system is the high frequency of patches.
In a perfect world, software would have zero bugs (security holes are bugs, too, if you think about it). No product would have any problems. Everything would be perfect. There would be no need for patches.
But unfortunately we do not live in a perfect world, and software does have bugs. When patches are available at a frequency such as daily (as is sometimes the case if you use Ubuntu, patches not only for the OS but for any programs you have installed too), or every few weeks as is the case with Mac OS X, you know that people behind the product are responsible, are continuing to develop and refine the software, and you benefit from those refinements at the frequency of the patches.
We all know this, yet because many people feel contempt toward software patches, and because magazines and newspapers write inaccurately about this subject, many boxes out there are vulnerable to many types of attack, and this won't change any time soon. I think some effort needs to be expended by the marketing departments of various software companies to convince people that patches are good, not bad.
I just had one additional thought about this Windows patch. Perhaps some of these boxes are using illegitimate copies of Windows and are therefore ineligible for the patch?
I'm immune to the worm. I'm still running Windows98 and it doesn't have "Windows Server service" and all that other wormbait crap.
Oh, hold on.... I'll be right back. I've been online 40 minutes and I need to reboot.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
It's also not acceptable that corporate desktops become useless because of an update that MS rolled out that broke mission-critical software.
There's a reason there's an IT vetting process with patches (fool me once, shame on you... fool me twice, three times, every patch tuesday, shame on me). There's also a reason why those processes take a while. If you disagree with IT workers doing their jobs and making sure that an update won't screw up the network/application/productivity/company, take it up with software vendors and MS, not with the people who are trying to make sure their company stays functioning. Or will you be willing to pay for their time in fixing problems if they apply patches that break things?
..are the 1337 ones who tell all and sundry that they don't need to update their OS because they're a "pro" or "power" user.
The update was issued in October.
If you haven't patched, there's no fault of anybody but your own.
If your car has a recall for a safety belt problem, and you don't get it fixed and get into an accident, is it suddenly the car manufacturer's fault? No.
And likewise it's not MS's fault if you can't install patches on your OS.
The price is always right if someone else is paying.
Really? 1 in 3? That's the most optimistic statement I've heard in a month, and that includes a 5 year old's wish list.
This morning, I'm lamenting the issues I'm having with flash video on AMD-64 Ubuntu 8.10... then I read the story of the latest "Worm on Windows"(tm) and thought "thank fsck I am using Linux".
Yeah, I know that abbreviates to WoW... so what? I don't play games.
Support NYCountryLawyer RIAA vs People
You know of my parents and I, then.
They switched to Ubuntu and I to gNewSense as a result.
Is this the same ratio as the number of VCR's that are flashing 12:00?
We had better than 95 percent MS08-067 patch coverage and the infection still went that fast. Due to the random date stamping of dropped files, I can't tell who was infected first, and I can only speculate as to how it spread so fast. I believe it would actually use logged on credentials first before trying the exploit, and we have poor local permissions (lots of local admins). Still, I have about 30 machines that were patched and no one is local admin on (except domain admins), and they were infected with everyone else.
I'm not a huge Windows user, but I know you can turn off the rpc service via msconfig. Why don't more companies do this? Or is it needed for certain things, like maybe Exchange? I confess my ignorance here.
Everything has bugs, flaws need patching etc.. but because Microsnot creates buzz the headlines are pushed and IT geeks have to pet our managers and assure them things will be okay. We all know "its" much worse than this headline. MS is not the flaw.. it's the users!
It is what it is
Remember it? I know, over 4 years now, but it's still pounding at my firewall.
And anyone is wondering that 1/3 of the machines running Windows are still unpatched for a threat that's not even half a year old? I'd rather wonder if it's the same 1/3 of machines that pound against my door trying to sell me Sasser and Mydoom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
F-Secure estimates 8.9 million infected machines.. http://www.f-secure.com/weblog/archives/00001584.html
The truth or interpretation..
If your car has a recall for a safety belt problem, and you don't get it fixed and get into an accident, is it suddenly the car manufacturer's fault? No.
I can just see it now .... recall Tuesday.
Have gnu, will travel.
The summary states "This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out."
I know this is /., but really, how is a company not patching their systems eighty days after the patch was released in any way the fault of Microsoft?
Patch Tuesday is great for planning compatibility testing and patch management. MS also releases the odd patch out of cycle if it is important enough, so what's the issue?
Tag: ateintohisbrain
The reference is pure genius. I'd mod up a tag if I could.
As I've said many times, patches are nowhere near as high a concern if you lock things down in the first place, and Microsoft do provide some pretty good tools for doing that in Windows (namely Group Policy).
Our protection against viruses is pretty thorough, and we've not had a sniff of an infection in 3+ years:
- All of our machines have filtered access to the outside world
- Staff can only visit work related sites during working hours (enforced at the firewall)
- No website can run any kind of script unless approved by IT (takes 5 mins or so to approve)
- All CD-ROM drives are disabled on machines.
- Users do not have permission to install USB drives
- Autorun is disabled site wide via group policy
- Downloads of executables, zips, etc. are disabled at the firewall
- Emails are also filtered, and in addition all Office Documents are quarantined before manual release.
- Oh, and AV on all desktops (Sophos), updating within 15 mins of new virus definitions coming out.
Over the last 2 years, I've only seen three security warnings from Microsoft which we're not already exempt from because of the mitigating factors, and while this might sound over the top, it doesn't get in the way of our users doing their work, and takes under a single man hour each day for the IT department to manage. Quiet days probably only take up 15 mins or so.
Although to be honest, I still don't consider this a final solution. Future plans include:
- Whitelisting of all executable software
- Full DR procedure for desktops (to allow quick recovery when we do get hit by a virus)
- Physical isolation of key machines to protect them in case of an outbreak
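The two posts above (the one whose 95 percent patched estate still got hit through local admin rights, and this lockdown list with Autorun disabled via Group Policy) describe controls that are easy to believe are in place and hard to prove are in place on a given box. The following is an added example, not code from either poster: a per-machine check of the items those posts blame or rely on. It assumes PowerShell 5.1 or later (Get-LocalGroupMember is from the LocalAccounts module, so it needs Windows 10 / Server 2016 or newer); KB958644 is the public KB number for MS08-067 and NoDriveTypeAutoRun is the registry value the Autorun policy writes, while the output layout is this example's own choice.

```powershell
# Added example, not from the original posts. Assumes PowerShell 5.1+ on a
# Windows 10 / Server 2016 or later host. KB958644 (MS08-067) and the
# NoDriveTypeAutoRun policy value are the public identifiers; everything else
# (what to report, how) is this example's own choice.

$result = [ordered]@{}

# 1. Is the MS08-067 fix present? Get-HotFix reads the same data as "wmic qfe",
#    so on a modern build it may not list a fix that arrived inside a later
#    cumulative update; treat "missing" as "go and look", not as proof.
$hotfix = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq 'KB958644' }
$result['MS08-067 (KB958644) listed'] = [bool]$hotfix

# 2. Autorun policy. 0xFF (255) in NoDriveTypeAutoRun disables Autorun for every
#    drive type; any other value leaves some media class able to autorun.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polPath -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$result['Autorun disabled for all drives'] = ($autorun -eq 255)

# 3. Who is a local administrator? Malware that reuses a logged-on admin's
#    token, or guesses local passwords, spreads through exactly this group.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$result['Local Administrators members'] = ($admins | ForEach-Object { $_.Name }) -join ', '
$result['Local admin count'] = $admins.Count

# 4. Is the Server service (LanmanServer, the component MS08-067 patched)
#    running at all? A machine that does not need to share files can stop it.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$result['Server service running'] = [bool]($srv -and $srv.Status -eq 'Running')

[pscustomobject]$result | Format-List
```

Run it per machine (or wrap the body in Invoke-Command against a list of hosts) rather than trusting the WSUS console: the "30 patched machines that still got infected" story above is the case this is meant to catch, where the patch is on but the local admin list, not the exploit, is what the worm is using.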
All that does is drop unsolicited messages, kinda like the Windows firewall does, which has been activated by default for almost 4.5 years.
People are always harping on about how every patch breaks all their mission critical software. I think that's bollocks. A Windows patch never broke any piece of software on my system, and the work-related stories I hear from friends are remarkably void of Patch Tuesday horror stories. The only thing I've heard in ten years that qualifies and wasn't fully apocryphal was a botched Solaris update on the local University. 15 minutes downtime, boohoo, cry me a river.
If your software were really so hackishly written that it breaks when the OS gets a security fix, you've got bigger problems. Hire some real programmers, it'll save you money in the long run. But we all know that that isn't really the case. At the heart of the matter is but one cause: laziness. Stubborn, numb-minded, the-world-be-damned, laziness. 80 days after rollout... let that sink in for a bit.
EXECUTION: ZERO POINTS
EXCUSE: ALSO ZERO POINTS
We've had more than 30% of Vista machines come up with a error code 80070424 that stopped the machines from downloading updates from microsoft or our WSUS server. The only solution to it after becoming aware of it has been to completely re-install the OS.
With update services like that, I'm not surprised that the number isn't higher.
lol, trust me, it would take a lot longer to get this network working under linux than windows, and that's before you count the couple of dozen specialist apps that simply don't exist in Linux. Linux is good, but it really isn't the answer to everything. I'm not aware of anything that's as easy to use and effective as group policy for securing computers and deploying software. I can rollout new versions of some of our apps to 100+ computers in under ten minutes of my time (and that includes the download!).
Having said that, my own workstation is running Ubuntu 8.10, and we have a good few Linux servers now :-)
However, I think you'd be surprised just how low maintenance this lot is. Yes, it took some setting up, but we're reaping the benefits now. To give just one example, patching software is something we can do in our own sweet time, even though we use WSUS we run 2-3 months behind and let other people do the testing :)
I say, if M$ were to actually offer these patches freely sort of like "use our product because like Linux you get free stuff..." not only would they get a more secure overall experience for the user, but you would also see less infection rates...and this would lead to them being able to learn who still uses windows xp...even if it isn't legit copy.
At some point they could trigger a more effective update scenario..."we have updated your system but see you are not using a legit copy of windows, if you want to be legal, we can send you a key for $49."
You would see millions of people line up for that, because not only would it mean they are safe, but everyone who has a copy of windows illegally can now rest assured they won't be penalized...and in this unstable economy, how do you convince someone to get a legit key, if it isn't by making it very cheap. I know I will never get legit xp or vista because I can go linux. If M$ came to my door and said "hey uninstall or pay" I would uninstall unless it was cheap enough. $49 is cheap enough.
Just got this nasty lil bastard off a clients' Win 2003 SBS. Idiot disabled Kaspersky and SpyBot on his laptop 'cause "It was slowing down my MP3 downloads at home.", and plugged into the LAN, thence instantly infecting the server, which hasn't been patched since 12/23/08. I intend to stagger through the office after lunch, screaming "CENTOS on the server this weekend, and XUBUNTU on ALL laptops by Monday!!!!!!!!!!!!!!!" Mweep
mweep: the sound made by the system bell on a SPARC workstation.
So don't go through the automated process. Send them to Microsoft's Security Bulletin Search and they can search for the updates by hand.
Ri-i-i-i-i-ght. We both know that most people won't go to that much work.
Instead, they'll wait until they're Pwnd, then throw their hands up in the air and go buy a new PC.
A new PC running Windoze, of course.
Shaking my head in disbelief while quoting Shakespeare: "What fools these mortals be!"
In times of universal deceit, telling the truth gets you modded -1 Troll
SNAKE attack... now that is scary.
I am very small, utmostly microscopic.
I believe the original poster meant to say "Household Routers". I would say 99.9 and probably even a higher percent of "Household Routers" do NAT since most if not all people that use them do so to share one IP address among all their home computers.
If your car has a recall for a safety belt problem, and you don't get it fixed and get into an accident, is it suddenly the car manufacturer's fault? No.
What if my car's safety belt has a design or manufacturing flaw, but the manufacturer has not yet acknowledged it by issuing a recall notice? If I sustain injuries that can be proven to have been caused by the defective belt, can the manufacturer be held liable? Yes! Now can you imagine if a software publisher had to pay restitution to customers every time a bug in their code occurred?
Software is not like a car. For one thing, it doesn't have windshield wipers.
from the 3 in 3 I expected. Yes I use a windows machine, and I have automatic updates on, but I have no high expectations for Microsoft to sweep in to the rescue with a timely patch. I tend to practice safe surfing by using FireFox with various script blocks, not clicking on stuff that I shouldn't be clicking on, and of course keeping the g/f away from my computer.
"This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out."
Oh, for crying out loud, AFAIK the weekly cycle had NOTHING to do with security in the first place so calling for abandoning it isn't going to help unless you address the actual motives.
The whole idea behind patch Tuesday was to batch the never ending stream of updates so Windows looked less than the leaking ship it is. I'm glad they have at least partially abandoned the bundling of security problems so the marketing droids could claim "less problems than Linux/Apple/whatever" (which nobody believed), but the weekly cycle's main function has zero to do with its alleged purpose to bring some stability to corporate computing.
It is(/was) IMHO quite simply a marketing exercise, a way to batch all those updates so you get hit once a week rather than hourly/daily, with the eternal reboot prompt threatening to lose your work. Only when you make clear to MS that you have seen through that deception are you likely to get some sense out of them.
The model has been broken repeatedly of late anyway so they might as well bite the bullet and go back to what they did before, but allow the CUSTOMERS to decide on batching. That way the risk management choices are made at the point where the thinking is available to balance the benefit of uninterrupted computing vs. instant updates. That is not a decision that can be made by the vendor IMHO.
Insert
> Do you really expect us to believe that the only secure way of accessing an Office Doc is to quarantine it.
> I thought you had the system totally locked down and AV on all desktops?
As far as I'm concerned, yes. There are far too many vulnerabilities in office docs, and no way for me to lock those programs down. The primary aim of our security practices is to stop malware coming into the building, once it's in we're pretty much screwed. AV is the last line of defence, and one I don't particularly trust these days.
Blocking executable viruses and securing the web browser is easy. Securing Outlook and Office programs is a pain, but fortunately it's not proving too much hassle to manually vet these and we catch 5-6 documents a week that aren't caught by the AV scanning on our email gateway.
I just don't trust AV scanning these days, there's always a window of opportunity for any new virus, and too many viruses are sneaking in under the radar. In the last 18 months I've submitted four previously unknown viruses to the AV companies, two of which weren't detected at all by either Sophos, Symantec or AVG after booting from recovery CD's.
> What are those specialist apps. Do you mind telling me what sector your business is in?
Our sector - structural steelwork, and off the top of my head a quick list of some of our specialist software would be: AutoCAD, Design Review, Strucad, Xsteel, GoData, Farm Design, Multisuite, Procad, Fabtrol, Dema, Union2, Fastrak, Tedds.
None of these are minor, most are absolutely core programs that are vital to our business. To the best of my knowledge, *none* are available under Linux, and at least 4 require some serious graphics capabilities that rule out virtual machines or wine.
> http://www.linuxjournal.com/article/6266 [linuxjournal.com]
> http://en.wikipedia.org/wiki/OpenLDAP [wikipedia.org]
> http://www.bayour.com/LDAPv3-HOWTO.html [bayour.com]
Ok, you've got open LDAP authentication. Now make it as easy to use as Active Directory Users & Computers, with all the functionality (we use a *lot* of it - have you got support for Microsofts IAS there?). You're also missing Group Policy. That sets all our security policies, it configures our computers, and installs all our software.
> http://www.howtogeek.com/howto/ubuntu/configure-how-often-ubuntu-checks-for-automatic-updates/ [howtogeek.com]
Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc.
> I am surprised as my personal experience is a bit different
I've been doing this a while :) Most of this lot is second nature to me.
> What else do you do apart from locking down and patching?
Everything :-) I'm your proverbial jack of all trades, responsible for:
Servers, Databases, Intranet, Security, Backups, Software Development, Helpdesk, Software Installation, Printers (up to A0), Fax machines, Scanners
We have 13 servers and over 100 individual pieces of software on this network. There are also a further 20+ legacy in house applications in use (mainly visual C++ v5, with the odd visual basic v5 one), and about half a dozen modern ones (developed with visual studio .net or 2005). We have five database servers, a wiki, an intranet, an email server, two firewalls. We run Windows (NT - 2003), Linux, OpenSolaris and ESX, with the Citrix server having been retired.
And believe me, I've simplified things wherever possible. This network is horribly, horribly complex. It took me nearly two years to familiarise myself with it, and we really do use everything I've
What if the point of all these attacks isn't to steal passwords or credit card information or anything? What if the intent of this massive 'takeover' is to create a database of information, that stores oh let's say...Microsoft's encryption in relation to a specific terminal, in comparison to how the attackers know the system is truly identified? Would this allow them to brute force determine how Microsoft encrypts computer information on a broad, rather than granular spectrum? I mean, if you give me a database of information, and in one recordset I have the unencrypted records, and in recordset two I have encrypted records, couldn't I then start to break down the encryption process more easily based on the huge amount of data I have?
Do you see extended support times in the instances where you need legitimate outside access to the PC in question? Also, what do you do when the "work-related" site gets infected and the user then uploads (unknowingly) the worm into your (poorly patched) network? Have any other users been burnt with this method?
So what actually makes this news? Microsoft's security model is faulty by design. What's new?
sudo mount --milk --sugar
This worm spreads through laptops? My MacBook laughs at that.
...I do have a firewall at my workplace. We were bitten hard - Quite probably, thanks to a USB key, careless email or to one of the three machines I had to leave with SMB access to dependencies outside my own.
And yes, the computers are configured to auto-update the OS, and they all have an up-to-date antivirus. Still, an overly fertile virus will defeat those updates.
Every single windows systems is vulnerable to something, it's just a matter of time until the right attack vector is tried.
If you use windows you will get some kind of malware sooner or later. If you are lucky this will be something relatively harmless. If you are unlucky you have already been sending personal and company data to organized crime groups for some time.
The big picture has not changed in many years. Windows is not fit to hold anything you don't want made public. Anti-virus software and firewalls are a band-aid not a fix.
Patches suck because they interrupt the user, give the user the impression of being remotely controlled by some unknown entity and frequently patches break stuff for the user.
Of course they fix security holes, but it seems people seem to mind less to be infected than being nagged with stupid patch messages popping up.
The design of patch systems still has a long way to go before they really work,
Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc.
Your post says more about your training and abilities than anything else. Apart from applications it's trivial and fast to do all the things you imply Linux can't do.
In addition your "horribly, horribly complex" sounds like a management problem, not a software problem.
"There are far too many vulnerabilities in office docs, and no way for me to lock those programs down"
.. You're also missing Group Policy"
.. :)
...
I do this, set the msWord Viewer as the default for opening msWord docs, set normal.dot as readonly and use Open Office for editing msWord docs. Use Firefox and noscript for browsing and use anything but Outlook for email.
"Ok, you've got open LDAP authentication
It really amazes me that Windows users need so many 'tools' for doing the simplest thing. The standard Linux directory structure allows for setting access to directories under a per group basis. Users can be members of a number of groups. All you have to do is set some rights on a directory.
http://www.freeos.com/articles/3127/
"Ok, you can do security updates. How about deploying software? What about configuring policies for things like disabling CD-ROM drives, enforcing screensaver timeouts, etc."
Disabling CD-ROM drives is the same as setting access rights on a directory. See, no special 'tool' to do the job. All you do is set owner of the CD-ROM to group cdusers and deny access to all others. Similar for USB access.
"We have 13 servers and over 100 individual pieces of software"
Jeez, sounds a bit over designed for a few autocad drawings
"our IT team is essentially two people"
Given the size and complexity of your network that does surprise me. I have worked in a f400 international consultancy where they had an IT dept consisting of twelve people on the helpdesk, a senior IT manager, a networking guy, and someone who traveled round the building with a case load of install CDs. Reinstalling was such a regular occurrence, that they set up a dedicated Ghost server. Each desktop station had two Ethernet connections, one for the Internet and one directly connected to the Ghost server, plug in the Ghost server and reboot and it went into install mode.
The support staff spent most of their time remaking Exchange profiles. Every so often the Fax server and printers would go offline, and no one could figure out why.
"and we have enough free time to do things properly, actively planning and testing projects for future deployment"
I have a box running openSuSE 9.0 as a SMB server, I haven't had to touch it in over ten months
davecb5620@gmail.com
ESET Smart Security. Best $50 I've ever spent on software (except maybe The Orange Box).
ZoneAlarm. Best $0 I've ever spent for Windows software.
What this thread is missing is that RPC need not be bound to a network interface! It is possible to close virtually every port off based upon windows configuration alone (i.e. without firewall software or the XP/Vista firewall). Heck, RPC listening on a network interface is not even necessary to access windows file shares.
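Whether RPC is bound to an interface is something you can check rather than argue about. The following is an added example, not part of the post above: it lists which of the RPC and SMB ports are actually listening on a host and which process owns them. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists; the three-port watch list is this example's own choice. One caveat a practitioner should keep in mind when applying the advice above: the MS08-067 bug sits in the Server service and is reached over SMB (TCP 445, or 139 over NetBIOS), so for this worm the listener that matters is 445, not the RPC endpoint mapper on 135.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012
# or later so that Get-NetTCPConnection is available. The watch list below is
# this example's own choice: the RPC and SMB listeners this thread argues over.
$watch = @{
    135 = 'RPC endpoint mapper (RpcSs)'
    139 = 'NetBIOS session service / SMB over NetBIOS'
    445 = 'SMB direct (Server service, the component MS08-067 patched)'
}

Get-NetTCPConnection -State Listen |
    Where-Object { $watch.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            # 0.0.0.0 or :: means the socket is bound on every interface
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Service      = $watch[[int]$_.LocalPort]
            Process      = if ($proc) { $proc.ProcessName } else { 'pid ' + $_.OwningProcess }
        }
    } |
    Sort-Object Port, LocalAddress |
    Format-Table -AutoSize
```

On a stock Windows box 445 is owned by System (pid 4) and bound to every address, which is why a host firewall rule or a "File and Printer Sharing" binding change on the adapter, not msconfig, is what actually removes that exposure; an empty table for a port means nothing is listening on it and the corresponding worm vector is closed for that host.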
This is new. Interesting... I wonder who they target... Oh, wait... NVMND
I know tobacco is bad for you, so I smoke weed with crack.
For some reason, when I read the question, I thought "tiny elephants".
Either that, or an elephant with tapeworms, but I don't think that was the purpose of this mental exercise. :)
Serious? Seriousness is well above my pay grade.