Slashdot Mirror
1 In 3 Windows PCs Still Vulnerable To Worm Attack
CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.
This is why I recommend everyone have a router installed on their internet connection, even if they have only one PC. Routers inherently block almost all worms.
It's also not acceptable that corporate desktops become useless because of an update that MS rolled out that broke mission-critical software.
There's a reason there's an IT vetting process with patches (fool me once, shame on you... fool me twice, three times, every patch tuesday, shame on me). There's also a reason why those processes take a while. If you disagree with IT workers doing their jobs and making sure that an update won't screw up the network/application/productivity/company, take it up with software vendors and MS, not with the people who are trying to make sure their company stays functioning. Or will you be willing to pay for their time in fixing problems if they apply patches that break things?
The update was issued in October.
If you haven't patched, there's no fault of anybody but your own.
If your car has a recall for a safety belt problem, and you don't get it fixed and get into an accident, is it suddenly the car manufacturer's fault? No.
And likewise it's not MS's fault if you can't install patches on your OS.
The price is always right if someone else is paying.
Uhhh as a former student, this seems pretty silly. I haven't had any problems with XP or the Office 2003 Suite at all. What are these people expecting Windows to do, pull their personal info, poll it to Microsoft through WGA, and have Microsoft check College enrollment records?
I do know of one other reason why people would be afraid of WGA, though.
I am not a *blank*, but I did stay at a Holiday Inn Express last night.
.
Your mistaking speed of availibility with frequency of occurance. I like patches to come out as soon as possible. I do not like patches to come out as frequently as possible.
If a bug is found and the patch is available the next day, that is a good thing.
If patches come out every day because there are bugs found when somebody just glances at the code, that is a bad thing because the code either had incompetant QA or is so chock full of bugs it took that long to work down the list that QA returned.
Why does anyone take anything coming out of McAfee still serious? Has nobody ever used their software? Well? And you STILL believe anything they say about security?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I know a lot of people who are afraid of updates because of the genuine advantage validation. They got student priced versions of the software 5 years ago and are no longer students. They don't want to risk losing Visio/Word/PowerPoint or having some other software disabled on their computer.
The fear factor of automated reporting/validation is stopping a lot of people from running the updates.
I'm not sure how many people there are that are aware they should be running updates but actively decide not to because of WGA. I'm sure there are some folks, but I can't imagine it's all that many.
But you are correct, updates don't happen nearly enough, which is why machines are still vulnerable.
You've got updates for Windows, updates for Office, updates for whatever antivirus you're running... All those updates take a decent bite out of your productivity. They eat some of your bandwidth, then eat some of your computing power, then they ask for a reboot.
I know plenty of people who just ignore all the update notices. Unless the machine does all its updating completely automatically without interrupting the user, frequently it just doesn't happen.
"Work is the curse of the drinking classes." -Oscar Wilde
Honestly, users wouldn't feel nearly as much contempt over patches if they were less obtrusive.
The number of times a Windows update patch requires a system restart is ridiculous.
Even with WSUS pushing out all the updates in the middle of the night, and auto rebooting boxes, it irritates people who purposely left a PC logged in, with the screen password-locked, before going home at night for one reason or another. They come in the next morning to find they were forcibly logged out, with work potentially lost or some operation not finished they intended to let run overnight.
(And let's be fair here. This is ALSO a big issue with Mac OS X. Most, if not all, of their required reboots could be eliminated if they'd stop and restart the appropriate services, instead of just doing a restart as an "easy way" to accomplish the same thing.)
Jeez, with virus scanners, several types of automatic updates, and other gadgety things polluting the standard corporate desktop, it is a wonder that people can get any work done on their PCs anyway. Six Inches of Air.
Corporate desktops aren't that bad. I mean, they can be... But usually there's at least a little oversight. You don't typically see people with eleven different smiley-toolbars in a business... It happens, but not so much.
Home users, on the other hand, can be a true nightmare. Plugins for various web pages... Piles of downloaded crapware games... IncrediMail... Several different media players and a pile of music or movies... A couple different P2P programs... A couple different malware scanners... I cringe just thinking about it.
You're right though. Entirely too many different bits of software want to do their own updates. Windows Updates, Office Updates, anti-malware updates, updates for Adobe Reader, updates for Flash, updates for Java, updates for Real Player, updates for HP's drivers and suites, updates for QuickTime and iTunes...
It's ridiculous. I'll routinely see at least a half-dozen updaters running in the background.
That's one of the things I really like about most Linux distributions... Generally you've got a single package manager that takes care of everything for you.
"Work is the curse of the drinking classes." -Oscar Wilde
In really big shops the bottleneck is usually testing patches against a zillion weird|old|crazy applications that someone, somewhere absolutely needs.