1 In 3 Windows PCs Still Vulnerable To Worm Attack

CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.

router

[TheSHAD0W]

This is why I recommend everyone have a router installed on their internet connection, even if they have only one PC. Routers inherently block almost all worms.

Re:router

[the_humeister]

I find it easier to setup the internet connection with the router instead of using my own computer. I'm using Linux, and I find fiddling around with pppoe with the router is a lot easier than on my main computer.

Re:router

[Trevelyan]

You assume that the router has a some firewall, acl or nat set, ie its not inherent. Also this is more for home users. However this worm is doing well in corporate networks, spreading from one co. to another via latops, and so negating any external firewall.

Re:router

[PunchMonkey]

A router won't alert you when a program or service tries to access your connection, but a software firewall will.

Turn on logging and your router can notify your PC, your email, your blackberry, etc etc.

Hardware firewall via log entry/email:
Alert! Your pc has initiated a connection with xyz.com on port 80. I already let this through since you told me to allow all http traffic from your pc, so if it's malicious, tough luck.

Software firewall via immediate popup in current session:
Alert! backorifice.exe is attempting to open a connection to xyz.com on port 80. Since you've never authorized this program for any type of network connectivity, I haven't allowed this connection to be made. Do you want to allow it?

Your choice.

Related to this... is there any software for linux that functions in this way? (Blocking connections by program, with gui notification)

Re:router

[wastedlife]

The problem is that "router" to a home user and to an IT person (the latter including many of the Slashdot users responding to this) are very different things. To a home user, a "router" is a NAT router with a small layer-2 switch or hub built in to the LAN side (usually 4 ports) and that most likely has wireless(are there any consumer NAT routers still sold that are wired only?). To an IT person, a router is a layer-3 device that routes traffic. If you are going to post in a thread likely filled with IT guys, you should be a bit more specific. Is it pedantic? Probably. Is it nitpicking? Sure. Is it /.? FUCK YEAH!

Re:router

[1s44c]

All routers need to do some type of NAT period, it is how a router works.

Your ignorance is shocking. There are some good books and many internet sites explaining basic networking. There is even a 'for Dummies' book.

Not Acceptable?

[PolyDwarf]

Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'"

It's also not acceptable that corporate desktops become useless because of an update that MS rolled out that broke mission-critical software.

There's a reason there's an IT vetting process with patches (fool me once, shame on you... fool me twice, three times, every patch tuesday, shame on me). There's also a reason why those processes take a while. If you disagree with IT workers doing their jobs and making sure that an update won't screw up the network/application/productivity/company, take it up with software vendors and MS, not with the people who are trying to make sure their company stays functioning. Or will you be willing to pay for their time in fixing problems if they apply patches that break things?

How about installing updates?

[HerculesMO]

The update was issued in October.

If you haven't patched, there's no fault of anybody but your own.

If your car has a recall for a safety belt problem, and you don't get it fixed and get into an accident, is it suddenly the car manufacturer's fault? No.

And likewise it's not MS's fault if you can't install patches on your OS.

Re:How about installing updates?

Well, yeah.

But now imagine that cars are recalled literally EVERY SINGLE MONTH, for SEVERAL life-threatening problems each and every time. Would you still say that the manufacturer is doing their job well?

Of course not; you'd switch away from that manufacturer ASAP.

But wait! Now imagine that there's only one large car manufacturer that controls 95% of the market, and the only other cars are either luxury cars that are totally different (Apple) or home-built hobbyist cars.

And also imagine that the dominant manufacturer has secretly blackmailed road builders to make sure only THEIR cars work on roads. And now imagine that they were convicted of these illegal practices and others, too, but that when the government changed, suddenly, interest in actually holding them accountable suddenly waned, with the result that the average Joe Sixpack still can't change manufacturers and still has to return his car EVERY SINGLE MONTH for SEVERAL life-threatening problems to get fixed.

And now imagine that things have gotten to a point where Joe Sixpack assumes that this is normal and acceptable - if he knows about it in the first case, that is.

Oh, and imagine that when the manufacturer fixes these life-threatening problems with your car, they will also - for all that Joe Sixpack knows - check that he didn't give his car - his OWN car! - an unauthorised paint job or any other kind of modification.

Would you still say that this car manufacturer is not in the wrong?

Re:Genuine Advantage Validation

[0prime]

Uhhh as a former student, this seems pretty silly. I haven't had any problems with XP or the Office 2003 Suite at all. What are these people expecting Windows to do, pull their personal info, poll it to Microsoft through WGA, and have Microsoft check College enrollment records?

I do know of one other reason why people would be afraid of WGA, though.

Re:Patches are good, not bad!

[Zerth]

When patches are available at a frequency such as daily (as is sometimes the case if you use Ubuntu, patches not only for the OS but for any programs you have installed too), or

.

Your mistaking speed of availibility with frequency of occurance. I like patches to come out as soon as possible. I do not like patches to come out as frequently as possible.

If a bug is found and the patch is available the next day, that is a good thing.

If patches come out every day because there are bugs found when somebody just glances at the code, that is a bad thing because the code either had incompetant QA or is so chock full of bugs it took that long to work down the list that QA returned.

Re:Not that bad considering it's Windows

[Opportunist]

Why does anyone take anything coming out of McAfee still serious? Has nobody ever used their software? Well? And you STILL believe anything they say about security?

Re:Genuine Advantage Validation

[Ephemeriis]

I know a lot of people who are afraid of updates because of the genuine advantage validation. They got student priced versions of the software 5 years ago and are no longer students. They don't want to risk losing Visio/Word/PowerPoint or having some other software disabled on their computer.

The fear factor of automated reporting/validation is stopping a lot of people from running the updates.

I'm not sure how many people there are that are aware they should be running updates but actively decide not to because of WGA. I'm sure there are some folks, but I can't imagine it's all that many.

But you are correct, updates don't happen nearly enough, which is why machines are still vulnerable.

You've got updates for Windows, updates for Office, updates for whatever antivirus you're running... All those updates take a decent bite out of your productivity. They eat some of your bandwidth, then eat some of your computing power, then they ask for a reboot.

I know plenty of people who just ignore all the update notices. Unless the machine does all its updating completely automatically without interrupting the user, frequently it just doesn't happen.

Re:Genuine Advantage Validation

You're missing the point, though. Yes, it is pretty silly: people are pretty silly in general. The point is, it happens, whether or not it "should" be happening.

Re:Patches are good, not bad!

[King_TJ]

Honestly, users wouldn't feel nearly as much contempt over patches if they were less obtrusive.

The number of times a Windows update patch requires a system restart is ridiculous.

Even with WSUS pushing out all the updates in the middle of the night, and auto rebooting boxes, it irritates people who purposely left a PC logged in, with the screen password-locked, before going home at night for one reason or another. They come in the next morning to find they were forcibly logged out, with work potentially lost or some operation not finished they intended to let run overnight.

(And let's be fair here. This is ALSO a big issue with Mac OS X. Most, if not all, of their required reboots could be eliminated if they'd stop and restart the appropriate services, instead of just doing a restart as an "easy way" to accomplish the same thing.)

Re:Get any work done?

[Ephemeriis]

Jeez, with virus scanners, several types of automatic updates, and other gadgety things polluting the standard corporate desktop, it is a wonder that people can get any work done on their PCs anyway. Six Inches of Air.

Corporate desktops aren't that bad. I mean, they can be... But usually there's at least a little oversight. You don't typically see people with eleven different smiley-toolbars in a business... It happens, but not so much.

Home users, on the other hand, can be a true nightmare. Plugins for various web pages... Piles of downloaded crapware games... IncrediMail... Several different media players and a pile of music or movies... A couple different P2P programs... A couple different malware scanners... I cringe just thinking about it.

You're right though. Entirely too many different bits of software want to do their own updates. Windows Updates, Office Updates, anti-malware updates, updates for Adobe Reader, updates for Flash, updates for Java, updates for Real Player, updates for HP's drivers and suites, updates for QuickTime and iTunes...

It's ridiculous. I'll routinely see at least a half-dozen updaters running in the background.

That's one of the things I really like about most Linux distributions... Generally you've got a single package manager that takes care of everything for you.

Re:Weekly updates? Still not enough.

[Clover_Kicker]

In really big shops the bottleneck is usually testing patches against a zillion weird|old|crazy applications that someone, somewhere absolutely needs.

Re:wouldn't it be simpler to run a Linux distro ..

[myxiplx]

lol, trust me, it would take a lot longer to get this network working under linux than windows, and that's before you count the couple of dozen specialist apps that simply don't exist in Linux. Linux is good, but it really isn't the answer to everything. I'm not aware of anything that as easy to use and effective as group policy for securing computers and deploying software. I can rollout new versions of some of our apps to 100+ computers in under ten minutes of my time (and that includes the download!).

Having said that, my own workstation is running Ubuntu 8.10, and we have a good few Linux servers now :-)

However, I think you'd be surprised just how low maintenance this lot is. Yes, it took some setting up, but we're reaping the benefits now. To give just one example, patching software is something we can do in our own sweet time, even though we use WSUS we run 2-3 months behind and let other people do the testing :)

Re:Patches are good, not bad!

And you DO realise that our problem in the Open source world is that much of the code outside of the operating system really IS that bad.

And that in the closed-source world, it is just as bad if not worse, but people don't get to see and fix it (but they DO get to find the holes and write explits, obviously).

So give me daily updates! If I want to just apply them on the weekend, it is my problem, but at least I am given a choice!