1 In 3 Windows PCs Still Vulnerable To Worm Attack
CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.
Routers do not require NAT; they never have and they never will. However, with the way customer ISPs are set up, small consumer routers would almost certainly have NAT functionality.
"I use a Mac because I'm just better than you are."
There are 14 routers between me and slashdot.org, not one of them is doing any type of NAT.
In recent parlance "router" implies a consumer level router/NAT appliance, but that's not necessarily so. Routers predated NAT by a zillion years, and routing is distinctly separate from any NAT functionality. There are plenty of routers in use in large IT shops where requiring NAT would be a serious handicap.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Have you ever tried managing 17,000 desktops? No, didn't think so.
Most large corps run WSUS, with updates on a weekly schedule, at most. To do otherwise would cripple the network, or require such an investment in equipment and manpower as to be nearly impossible to pull off.
Having said that, most large companies also have a mechanism for quick-release of highly critical patches. I know we rolled out the MS08-067 patch to our desktops immediately, and had a 98% acceptance rate within 3 days.
Along with a router a software firewall is a handy thing to have. A router won't alert you when a program or service tries to access your connection, but a software firewall will. If something on my PC is trying to access the internet without me telling it to, I want to know about it.
And it's great for all those annoying programs that try to phone home or check for updates at random times. What's that Acrobat Reader? You want to look for an update? No, I think I'll decide for myself when it's time to update you rather than have you nag me about it every time you're opened. Tick "create rule", hit "block". Enjoy your stay in the blacklist.
ESET Smart Security. Best $50 I've ever spent on software (except maybe The Orange Box).
Murphey's fighting Occam, and we're in the stands.
This is why I recommend everyone have a router installed on their internet connection, even if they have only one PC. Routers inherently block almost all worms.
I think what you're trying to say is that it is important for everyone to have a firewall on their Internet connection... Not a router. Routers don't inherently offer any protection at all. Many home-grade routers come pre-configured with NAT, which does get you some basic protection... But not all routers do NAT, and not all of them give you any protection.
And an external firewall on your Internet connection only protects you so far. It might keep a worm from crawling in through your Internet connection... But it won't stop a worm from spreading once it is inside your network.
That's why it is important to control the traffic inside your network, as well as traffic to/from the Internet. Maybe it isn't necessary to run a firewall on each and every PC, but you sure as hell better be monitoring your traffic and keeping your machines patched.
"Work is the curse of the drinking classes." -Oscar Wilde
A router won't alert you when a program or service tries to access your connection, but a software firewall will.
Turn on logging and your router can notify your PC, your email, your BlackBerry, etc. etc.
Personally, I set Windows updates to "notify only". Then I do a Custom Install, and uncheck all WGA updates. I have a valid copy, but I don't feel like running those.
Convert FLACs to a portable format with FlacSquisher
I've worked at several places that didn't roll out patches right away. It wasn't because the IT department was busily testing the patches. It was because they were afraid of the patches, but had no time to test them.
That's typically the problem around here. We've got plenty to keep us busy on a day-to-day basis... Something is always broken, or requiring replacement, or testing, or whatever.
I hate to just roll out a patch and hope for the best. That's bit me in the ass far too many times. But I find it hard to actually come up with time to read over the patch notes, apply the patch in a test environment, and then watch to see if something happens.
Sure, this particular patch is a few months old... And it was released with enough obvious urgency that we've pushed it through and updated most of our systems... But we're still sitting on some updates that are just as old, but don't seem quite as necessary.
"Work is the curse of the drinking classes." -Oscar Wilde