A year and a half after Bill Gates' high profile launch of Microsoft's "Trustworthy Computing" initiative, we continue to be treated to ever more damaging security problems of all kinds, but particularly fast moving worms and trojans exploiting Windows flaws.
The Blaster worm (A5) exploited a flaw in the newest versions of Windows, including Windows Server 2003 which was released more than a year after launch of "Trustworthy Computing".
This flaw was so serious that the Department of Homeland Security twice pleaded with American businesses to patch their computers. Unfortunately, many PCs vulnerable to Blaster are home PCs and SOHO (Small Office Home Office) PCs whose owners didn't hear the warning and wouldn't have a clue how to deal with it if they had.
Blaster was followed immediately by the W32/SoBig.F worm (A3), which blew the W32/Klez.H worm right off the charts as the fastest infecting email worm ever.
SoBig.F was followed immediately by announcement of three more critical flaws (A7) in Windows allowing attackers to "run arbitrary code", and news of the Voyager Alpha Force SQL worm (A6) followed that.
A cluster of 6 new vulnerabilities (A22) was announced on 3 SEP including a "Critical" flaw in all Microsoft Office products from Office 97 on, including Microsoft Great Plains, Solomon and Dynamics (Navision) accounting applications (A20,A21). The flaw, if not patched, will allow hackers complete control of your computer - but not to worry, hackers probably don't understand debits and credits any better than your bookkeeper does.
This critical flaw, and nearly all others found in recent months, were found not by Microsoft's Trustworthy Computing initiative, but by third party investigators who do not have the source code. A major worm or attack based on this flaw should appear in 4 to 8 weeks, and most Windows PCs will not be patched to defend against it.
Two other flaws in this cluster are rated "Important". Since these can be used to format your hard disk, I'd consider them "Critical", but Microsoft added the "Important" category last year in a desperate move to cut down on the number of "Critical" flaws announced.
And the vaunted Blaster patch turns out to be as porous as the code it patched, so there's now a Critical patch for the Critical Blaster patch to stop more Blaster-type attacks from going through the patch (A28). Good news for all you who have just finished installing your Blaster patches.
And three more Critical flaws on 10-Sep-03, two of which allow Blaster-type worms and complete takeover of your computer (A27)! A working exploit was distributed on the Internet within 6 days (A29). Microsoft has published a sieve and expects every Windows user to stop and plug each and every hole one at a time,
Yay!! Yet another fast moving Worm on 18-Sep-03, W32/Swen.A, and this one defends itself by disabling Windows features and disabling antivirus software, so it's unusually difficult to remove. Instructions here
Ooooops! 5 more flaws 15-Oct-03 - 4 of them "critical" and one "important", and they all affect the post-Trustworthy Computing super secure Windows 2003 Server (A35). Oh yes, one other thing, there's now a patch to patch the patch that patched the patch for the RPC flaw (A36).
By the first week of November, 2003 things looked so bad Microsoft resorted to the desperate measure of posting $250,000 cash bounties on the writers of the Blaster and SoBig.F worms - greatly enhancing their prestige within their peer group (A37).
Microsoft Protects Microsoft
Microsoft's own Web servers were directly threatened by the Blaster worm, so they took steps to minimize damage by hiding their Windows 2003 / IIS servers behind the Linux servers of Web caching service Akamai (A1).
Under this scheme Web pages requested from www.microsoft.com are actually delivered by the Akamai Linux servers. These servers in turn get any requested page they don't already have from the Microsoft Windows 2003 servers, protecting those vulnerable machines from overload.
Strangely, Netcraft shows Microsoft's site to be using Microsoft IIS (Internet Information Server) running on Linux. This is impossible because Microsoft makes sure its server applications can run only on Windows. Akamai's servers almost certainly run a version of the open source Apache Web server; they are just passing the IIS headers through.
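To make the caching arrangement concrete, here is an added Python illustration (not from the article, and not Akamai's or Microsoft's code) of an edge cache that fetches pages from the origin on a miss, serves repeats from its own store, and relays the origin's headers unchanged; the `Microsoft-IIS/6.0` banner, the `Linux` platform label and the page content are constructed sample values.

```python
# Added illustration, not from the article: a minimal caching reverse proxy in
# the style of the Akamai arrangement; banner and pages are constructed values.
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes

class OriginServer:
    """Stand-in for the Windows 2003 / IIS origin; counts requests reaching it."""
    def __init__(self, pages, banner="Microsoft-IIS/6.0"):
        self.pages, self.banner, self.hits = pages, banner, 0

    def get(self, path):
        self.hits += 1
        if path not in self.pages:
            return Response(404, {"Server": self.banner}, b"not found")
        return Response(200, {"Server": self.banner, "Cache-Control": "max-age=600"},
                        self.pages[path])

class EdgeCache:
    """Caching proxy on another platform: serves from its store when it can,
    fetches from the origin on a miss, and relays the origin's headers unchanged."""
    def __init__(self, origin, platform="Linux"):
        self.origin, self.platform, self.store = origin, platform, {}

    def get(self, path):
        if path in self.store:
            hit = self.store[path]
            return Response(hit.status, {**hit.headers, "X-Cache": "HIT"}, hit.body)
        resp = self.origin.get(path)
        # Only successful, explicitly cacheable pages are kept at the edge.
        if resp.status == 200 and "max-age" in resp.headers.get("Cache-Control", ""):
            self.store[path] = resp
        return Response(resp.status, {**resp.headers, "X-Cache": "MISS"}, resp.body)

def banner_fingerprint(resp):
    """What a header survey (like the Netcraft result above) sees: the relayed
    Server header names the origin software, not the host that delivered it."""
    return resp.headers.get("Server", "unknown")

def demo(requests=5):
    """Fetch the home page repeatedly through the edge and report what it shows."""
    origin = OriginServer({"/": b"<html>home</html>"})
    edge = EdgeCache(origin)
    responses = [edge.get("/") for _ in range(requests)]
    return banner_fingerprint(responses[-1]), edge.platform, origin.hits
```

Five requests for the same page reach the origin only once, while every response still carries the origin's IIS banner, which is why a banner-based survey attributes the site to IIS even though the delivering host runs something else.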
Why would Microsoft accept certain embarrassment by selecting a Linux based service while they're spending millions to convince people the open source Linux operating system is inferior to Windows in every way? Probably because nobody in his right mind would try offering this kind of service using Windows servers. Given performance, security, administration, customization and cost issues, open source products win on every count.
Why Weren't Computers Patched?
Microsoft issued patches for the vulnerability Blaster exploited a month before Blaster appeared, yet hundreds of thousands of vulnerable machines were left unpatched. This is typical of other vulnerabilities as well. Why?
Microsoft issues major patches at least every 2 weeks. Windows isn't centralized so those patches have to be rolled out to each individual machine. Microsoft's patching tools are difficult to use and work under only certain circumstances and with certain Service Packs. It's difficult to find out if a machine has been patched or not, or if the patch actually worked.
Even skilled administrators are slow to patch because Microsoft's patches often cause other problems, including software incompatibility, instability and failure of computers to boot. There are often patches to fix the patches and sometimes the patches don't fix the vulnerability (A24). If something goes wrong, Microsoft provides no way to back the patch out; you have to completely reinstall Windows, all the previous patches, and all your applications (because the registry is blown away). You've spent all day and you've still got an unpatched system - now what?
OK, I have been informed by ZDNet columnist Josh Mehlman that a Windows patch can sometimes be backed out (A31). I doubt many system administrators feel comfortable that the uninstall for a patch that just screwed up their system works perfectly, so a reinstall is still prudent even if backout is available - and you still have an unpatched system.
Patched machines tend not to stay patched. Some patches and updates have negated previous patches, and every time you have to reinstall Windows, all the updates and patches have to be applied all over again. It's practically impossible to patch every machine on a large network anyway, yet just one unpatched machine can bring the whole network down. Here's more on patching problems.
So let's say your company has 8000 computers (or 8 for that matter). Do you have sufficient staff to keep up with all these patches and apply them to all your machines promptly, despite the difficulties noted? I imagine not, and nor does any other company. System administrators are getting damned pissed at Microsoft calling them "lazy" every time a new worm goes wild, too.
The biggest problem with all this is patching doesn't work as an effective defense (A17). The best it can do is make things a little better, at considerable expense. Some security analysts consider the continuous cycle of difficult and unreliable patching more costly than the worms.
Microsoft announced patches for six more "Critical" vulnerabilities within four weeks of Blaster, and a couple of "Important" (almost critical) ones. Have you patched all your computers? Are you going to?
Administrators say they simply can't stand for much more of this nonsense (A14). Microsoft, in desperation, is turning to the idea of automatic patching, but this has plenty of problems of its own - aside from being in violation of U.S. banking law and the new HIPAA laws for the health care industry. Given the recent history of Microsoft's patches this would be a disaster on wheels.
Suppose one of your critical systems gets patched automatically and doesn't boot or run your software any more and you don't know why. When you finally figure it out, your first impulse might be to sue Microsoft for damages, but the EULA you "signed" says they don't warrant their software to work or to be "suitable for any purpose", and they've got a whole pod of lawyers to back that up. The EULAs for Windows XP, 2000 SP2 and 2003 specifically allow them to enter your network and diddle your computers without liability for damages.
Wouldn't Any Other System be as Vulnerable?
That's Microsoft's official line, but it isn't true. While every system is vulnerable to attack, the ease with which Windows systems can be compromised, the number of vulnerabilities, and the speed with which attacks can propagate are unique to Windows.
For a concrete example showing the defect in Microsoft's argument, look at Internet Web servers. The open source Apache Web server running primarily on open source Linux and BSD operating systems has more than twice the market share of Windows and IIS (Internet Information Server), yet it's the Microsoft products that have earned a reputation for poor security.
A recent Linux worm was listed as infecting "1 to 5 computers". A really bad Linux worm (Slasher) infected less than 6000 (vs. hundreds of thousands within hours for a typical Windows worm) and was easily eradicated (A8). BSD Unix servers have an even better record. There are millions of Linux and BSD computers fully exposed to the Internet - the Internet runs on them.
Let me be clear that other systems can be made insecure through intent or stupidity. A prime example is "lowest cost" systems from WalMart running the Lindows version of Linux. Lindows imitates Windows "ease of use" by encouraging regular users to run as root - the worst security mistake you can possibly make on a Unix/Linux system. Even so, they're not as bad as Windows because they lack the "tight integration" and automation tools Windows comes with.
Security problems with Windows are legion, and many experts consider it too broken to fix, ever. Windows was created as a single user system unconnected to any network, never mind one as dangerous as the Internet. It was designed to be "feature rich" and "user friendly", fully integrating all computing functions "seamlessly", with no barriers. All the tools a worm or virus writer needs are included in Windows by default. More and more network functions continue to be integrated deeply into Windows (to lock out competitors) with few if any safeguards.
Microsoft completely ignored security until recently by their own admission, because "people wouldn't pay for it". The only reason they're paying lip service to it now is because it's become a major public relations problem. A system with this heritage can't be fixed retroactively, and exposing Windows computers to the Internet is not prudent.
Here's more on the reasons for Windows' vulnerability, and more here (A2), and an article from Security Focus (A33), and, to be fair, a rebuttal from Sophos, a company whose income is derived entirely from Windows vulnerabilities (A34).
Danger Goes Far Beyond Your Computer
Dangers from connecting a Windows PC to the Internet go far beyond damage to the PC, theft of financial information including credit card and banking information and other obvious risks.
Take the case of Julian Green, who was recently acquitted in court on false charges of distributing child pornography. Mr. Green was arrested, hauled off to jail, lost custody of his daughter, lost his home, lost all standing in the community, and ran up huge legal fees in a 9 month battle to prove he was not guilty (A4).
Mr. Green was entirely unaware that a trojan program had concealed a library of illegal child pornography on his PC and was using his PC to make this content available for download on the Internet. Law enforcement tracked the content to Mr. Green's PC and hauled him off to jail. Given the current hysteria over child abuse, the law wasn't about to "let one get away".
Aside from hosting pornography and other dangerous content on the PCs of innocent people, worm delivered trojans are used to launch DDoS (Distributed Denial of Service) attacks and to relay spam (Unsolicited Commercial Email) so it looks like it came from your PC.
Yes, this can happen to you. Sure, I hear you, but Mr. Green didn't expect it to happen to him either. Please see the section How Can I Protect Myself for how you can minimize your risk.
Please be aware - worms and viruses are not the only conveyance by which trojan and "back door" programs can be placed on your computer. Simply browsing Web pages with Internet Explorer can do it if you visit an infected site (A25), and the site owner may be completely unaware his site has become infected.
Why It's Going to Get a Lot Worse
Eradicating worms and viruses, fixing the damage, updating antivirus programs, patching Windows and lost productivity from all of these cost businesses billions of dollars worldwide. Somehow, though, these expenses are never included by Microsoft in their "low TCO" (Total Cost of Ownership) calculations. On the other hand, these billions are a small fraction of the damage that could have been done, and of the potential for future damage.
The small extent of damage to date stems from the good will and/or incompetence of worm writers. For instance, whoever launched the Klez.H worm deliberately disarmed its destructive potential before release or it could have cost orders of magnitude more. Whoever launched the Magistr worm included so many warning annoyances I've seen only one case where it was left to go to its destructive conclusion.
Many security experts are convinced what we have been seeing is mostly "proof of concept" runs and development tests - the real attacks are yet to come (A16). While some attacks still appear to be random acts by antisocial nerds, many show troubling evidence they are being developed to carry some sort of payload or do specific covert tasks.
The SoBig series are quite evidently experiments in creating a distributed spam network to flood the Internet with unsolicited commercial email. Each iteration has been more sophisticated and more complete than the one before. There has been a marked increase in cross pollination of ideas among worm writers, spammers and perpetrators of commercial scumware (A18).
The saving grace for Blaster and SoBig.F has been gross miscalculation by the worm writers. Both misjudged how fast they would propagate, so both were timed to do their dirty work a week after launch when it should have been timed for about 2 days. Blaster was also configured to attack the wrong Microsoft site, so it was easily deflected.
The long trigger time allowed security firms to come up with effective countermeasures and antivirus publishers to update their products. Blaster was successfully deflected and the servers SoBig.F was to download trojan code from were effectively blocked. You can be sure worm writers will learn from these mistakes and not repeat them.
The Slammer worm was completely unarmed; all it did was spread (A10). It didn't even permanently infect the machines; all you had to do was shut down and restart. As it was, it slowed the Internet down to a crawl and shut it down completely in Korea, shut down many ATM machines, airline reservation services, the safety monitoring system for a nuclear reactor (A12), and other important systems. Suppose it had carried a destructive payload timed to go off in a couple of hours, what then? Will the next one?
The Blaster worm shut down CTX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet (A13), shut down Air Canada's check-in system, closed Maryland's Department of Motor Vehicles for a day, and has been implicated in the severity of the Northeast blackout (A15). Suppose instead of launching a silly misdirected denial of service attack, it had formatted hard disks. The State Department's anti terrorist database was shut down for hours worldwide by a worm on 23-Sep-03 (A30). Suppose it had been a destructive worm? How safe do you feel?
How Can I Protect Myself?
The solution is glaringly obvious, but since you're convinced you can only run your business on Windows software, you have no choice but to apply Band-Aids.
Despite your best efforts you will likely be seriously infected sooner or later. It takes a couple of days for antivirus companies to analyze a new threat, invent countermeasures and get them downloaded to your computers (A23). During those days you are fully exposed. The Slammer worm infected nearly every vulnerable machine in the world (about 170,000) in 10 minutes (A9).
Securing your business takes time, money and vigilance - there's no "magic bullet" that does it all. You are exposed and your opponent is invisible - only a few bozos and script kiddies ever get caught (A19). Here are measures we recommend.
We use Command Antivirus ($24/year) for reasons of convenience. A free (for noncommercial use) antivirus (AVG) is available from GRISoft, and of course there are the "big names" everyone knows, like Norton and McAfee.
Here we sometimes get hundreds of virus infected emails a day, but we run OS/2 so we just ignore them. There is simply nothing a Windows worm can do to our computers.
- Andrew Grygus
- Automation Access