|
|
|
Are We Ready for the Windows Server Worm?
By: Larry Seltzer
2008-10-27
Article Rating:  / 6
There are 8 user comments on this Network Security & Hardware story.
Time was, a bug such as MS08-067 would have been devastating to the Windows community. Changes during the last several years pushed through by Microsoft and market developments may have seriously limited the potential damage.
When the great Windows worms of the
early part of this decade hit, they cut a huge swath through the Windows world.
Slammer, probably the most fascinating of them, did so within minutes of its
release. Blaster may have been the most damaging. And all of them were patched
some time before attacks were launched, months after in the case of Slammer.
Things are a little different now.
Patching is not the real difference; users are still perplexingly resistant
even to applying Automatic Updates. As Secunia says, "Users don't patch." What this
really means though is that they don't patch enough, but I'm sure there's a lot
more and faster patching going on than in past years, and that this improves steadily
over time.
The real difference is firewalls.
Probably all of these network worms would be blocked by a firewall, be it a
corporate Cisco Systems box, a Linksys router at home or Windows Firewall on by
default on XP Service Pack 2 and later versions of Windows. And that goes for MS08-067,
our latest wormable Windows vulnerability, this one in the Windows Server
service. A system can be vulnerable in two ways: 1) The firewall can be
disabled, or 2) File and Print sharing can be enabled. In the latter case the
system becomes vulnerable to attack, but not from the whole world, just from
the networks on which you're sharing.
Back in 2005, when MS05-039
("Vulnerability in Plug and Play Could Allow Remote Code Execution and
Elevation of Privilege") hit, Windows XP SP 2, with its better
firewall turned on by default, was only a year old and not all that widely
deployed. The world was full of systems vulnerable to remote network attack
with no user activity at all.
Sasser, the last great
Windows worm, was based on a
vulnerability in the LSASS service that was disclosed before SP2 was
released in an environment in which very few stand-alone users had software
firewalls and fewer home users had router/firewalls. Even a stupidly written
worm such as Sasser had no trouble spreading like wildfire.
Today, there can't be many
businesses that aren't protected at the perimeter by a firewall that blocks
ports 139 and 445, the ports through which this attack travels. There are
plenty of users left without a hardware firewall, but by now the large majority
of them have a firewall by benefit of running XP SP2 or later, or a third-party
security product. As for the others, they must already be infected with a
hundred other things.
The other scenario where one can see
big problems is the roaming idiot scenario, where users on the road or at home
get their computer infected through unsafe practices, then bring the computer
into the office or connect using the VPN and infect others. Servers in
particular might be compromised this way because the user could be
authenticated on the server.
Another factor that would provide
proactive defense even for unpatched networks is the IPS.
There have been Snort definitions for this attack since at least Oct. 23, and
I'm sure any decent IPS would pick up on it. Some of the smarter ones might even
notice the aberrant behavior without definitions, and perhaps that's how the
targeted attacks were first noticed. It's a good argument for having an IPS
protecting not only the perimeter but to monitor internal traffic.
In a user base the size of Windows
there are bound to be lots of users who are vulnerable, if only because of
carelessness. Even a small percentage is a large absolute number, and that
number will spread the attack, becoming part of the background of malicious
noise on the Internet.
A lot of people will be attacked
successfully through this vulnerability. Everyone should patch as quickly as
possible. Before I wrote a word about this threat I patched all my systems. The
vulnerability is clearly a real threat, even if it's not half the threat it
would have been a few years ago.
Security Center Editor Larry Seltzer has
worked in and written about the computer industry since 1983. For insights on security coverage around the
Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack
| | Reader Comments: Are We Ready for the Windows Server Worm? | | >>> Post your comment now!
| | What Windows Problems?All my problems with Windows went away when, I stopped using Windows. You'd have to be stupid to use Windows as a Server.... NetWare has a A2(the... Posted At: 10-28-08
By: Duke Nukem | | | | | | thousands?First, who has thousands of applications on a system?
In a big enterprise the easiest, if not completely safest, way to test is to roll out the... Posted At: 10-28-08
By: Larry Seltzer | | | | | | Sounds good, but..."Test then patch" is ideal, but at best burns up a lot of time. When there are hundreds, or thousands of applications on a system, and for many of... Posted At: 10-28-08
By: jth | | | | | | A user comment on this articleI have to agree with Larry about MS08-67 and that the impact will be limited because firewalls are more pervasive. Since most OSs now come with a... Posted At: 10-27-08
By: Kent | | | | | | in software?Paul,
Even in enterprises I'm sure that software firewalls are far more common than 5 years ago, if only because they come included and on by... Posted At: 10-27-08
By: Larry Seltzer | | | | | | no firewalls in 2003?I'm surprised that you think firewalls are more common now than they were in 2003. Stunned, even, unless we're talking home users. In the business... Posted At: 10-27-08
By: paul burrell | | | | | | When to patchI think you're overstating the problems from Microsoft patches. I follow this stuff pretty closely and it's a pretty rare event that patches cause... Posted At: 10-27-08
By: Larry Seltzer | | | | | | >>> Post your comment now! | | | | | |
|
 |
|
|
�������x}kw6�Dى"rdKnkڶ<=h)��S$l+'{Oo*�|AI~$ĶD��TP(�
��I"�f\:̢d���7郿O$w��m���L9UQ#C3W)9S]M�HwW3fcө�P/�a���᳑(,��v\'{�d�#B�=..Q^�Z�-G�Z�b'UƞͰ*{�� /�\1r.bL{yw4�ɿ�T��L=iT�VC��;&U!f�б�w8r��x08Jej-jfMM�yf��_%z�(s�w6O(�|@��ɠi!ZdQ=}9e��f42M�Y�j|X)qZ�*cgQ!`چ[={4q*sܼLO.Z((es~#�GA
f�mkh[N"ib�szu}qA�6ny��vtx//�YJM~c߁"0QYTi|/�Z@
��WP��uN.kzQҏZ-o[�KłR8.��dڱ�f1Sd!XI#/YTU9Df9O-Ҿoo:6OOn:3do̲5<�jP�~ 3�Je+��ԩZuܞn9n;WmuoHs!+|uf�!5�0\6:}Uo~�`Kk'ޮCǩEXCy�Cm0Mߑj~Ff=nI�?\tNIN,-��0io,Yn_H.)żT,>JAf��k��7
Jsi)"���:s�P;J}Nm҄j�
�9B���̼NR�49�Vϡ��蟉$W�m�4�@r1)6B̄H )w�t ~'�,)|Y�U��>�EtBAxu3
.+J�!"x^3ˌ"ȅ�Q.%
���Ć�> bO|૦yp1jY]6'tauIUis[��ӒKsqiH{v؆)�3�G#��вnZ��7MBr��R��CU95b�(7Z`Lm�,��5,L�tͬ ϳ`: i��vڔz?iS�OaΦfۉ9~��4$�AC66^lK�4}b���>'ݨä �p�p|g��0���sJ}+��j$
nh��-DCw
0Ieg&S yO��dro�oM~�(wEnP�j>X^0 j�p.Hp�yY?���@]q�k3B�7}��hNjkiiC���1).�%�2J}c�n.G))*I.B$(ZȻ�B�!A�lq���[$p�Xd�l+��_Fr)i�l�ry �g�r\B;7 ˥=*%�nqR%a 934YIjL=?꺾j1!U�G�,D`v9J,L��.�Y
ϴ��jԭe�RI9.��+5tLބhd&,a戡��uy=A�-��&)#
K8Y�f�s�p=7�c@C�ys{J`p=EiŬ9c߃ 9���xFvOM-
ݜ6,�'>!��&B~�`Z&4$
7q�9準I�RJ=""�ǰ@3�>`L)^HIRЙj!@�9z٧l�)>�?Ζu$֒e]T]۽/ 7�r@_�օV�P�� M��2L%
�A-ʘ�ŗZZG"��JM�P>�W�"�Cɣ($�me6L�?I�n�Py���{8`O�>7l{`(��*+'G,-3IV.(j<6k|�[�Y`C�aP�eܡQ@3$X�3Q��[�Җlx�u:.�CϱȗKs=: �-`q˱3 lTN�ϣ )a!��w1�Z�JoX�*,b3)
jMMlbs(zq�X0b=Iߛ�8]%W5f/��K+Y{yaؕRB�|vn�N �>(|pT'@�pdZ`0R7:4wҵj�)݃Y�L5̆RT$�P�/#Y%����Uȱ,!265{N`WK-KӞ�@�#�@:*C�ç�V�c"D8rj_(�cG�˟3z�>F�An?�%�hPjcfJf�M`�.8cJ�rEm�)*J%��)` L�` T<5&{;#
��F��7�G�\d����0!/�P��\QT1"sK��]@疪bd$ܔwт.�;|X�]Oұ@e�УC�jzq~ᇆ9,#_%h�ho?]HjZX6PQrVU㬰
3�*(Si|� |s`ޝ?S}`�1{r8
�`3�|xkm|`x䳋
,`�� |���"yj�ė�,9+�RL�[�'��ʂX�&
,$ה2h:p`w��y�@L��0E��C�f0!����LѦ9��<<+jZ�U
���B�f?6q~m�@Ls`&~^P؇^gm/R=�UښuZu"�KQ3�b�QD��iα�t;bG gBY�V~
q?ľP{XD&lڊ6͐*8e$Lb����R-�-e+z�JE晛>67.ý/d:|8'gkJ�}6Uk[; Uɭ6Zqd���F&оȣ�騫B9o�Dbk�>AΊ�5�Lӳ)
lk�Lk?y�Je�=M�X�\��DV;A�9da:9Afpu),��3% k@X;,vgf��2�)�y-0�ӥr�
3!e�E=�uyf3�9aؠGsHoR>1 Z�H${m%S�>�(5ufK)+J�,�P �i3FɁ㚺/k3O֧ny*
2��ỵV1#�e
46-.wEЋֶ7ui&!l؞MDo��)�hal�K[!uѼZC8n[58I,ko�KZ&�i@�5��4CdP;T%
5P�%,: ?��>w�d,j+�BGI}/�[&�IOS+f+
Cut�g\D@0|=�h��/$ΆRT(@�@lj%wW\(4��5��*G|@t0\�'
*�Zt?_ec�qo� �f�B�,
8I�Ÿڐ}dvnZ
ð
]a�孀7ۓUN~Rl|\/~v/71\dcx`&1AGԼ|:b<*�a��ݼ O=m48��Z&IE2D�t_��6�"B5��q7Y08x!>q!ɅHgk&�27��]?^Fh6e;�ºU�XȬE`�|PH2�&_1�ha��X��H��R
~tDӻh~�u�؋n/l D78��C*Q�W"R�Eh%I�A%ڧݛ&g
<@&9F�hDu~i\ER�}C�ϓ��g|!EY-Vy����=Na9�O$���s�z/uϏUUmSw��,_빿Aݞpney?�jw`�ts�q=շ�v*ϓ{~�\Azs��+ɭG�s�
unW8�gL5F�HK}ҼoHk�09iJs j�BGH|9zǿ|§ �� �{s�\�g伉�*ѻ^QW�{25Kt�ؗ{vO�n<�]1n鐧^glLcI"ɫj!_VPWdU)IW=YEǛ)G8����boڗ`@L6COf=K��f==4z=إ�%<�+~�CX}&
�~W*];z@qw~=Ҳ(�r_&ZDNqw5jyAJ\"~^]V�䑽D���XHڃ}
Fu�U��ms5O�x�����'Km;ww9w�Bf#A�VާA3�_�'3p65xf�V،ӂljQWj'��2+tױW, }l��~�9\`d�;6�\k>!�˨In�kK�h�xq"rjGS~
V�?j6�ۼ"SNM�y1eMJI!eZQ��K�qx���5�Eٶ泃�<}xjyḇnk�!��2He�� 'O4�eiE�"wP�Vfgð~f [noaD]GNJl<>:a�1G�d(,��S6Dr�&a!�9yQ�}8&1)cR6�ävq���]]�%��60U|+JCym�"e[PV�n{C@SI�y}N1frK��v�fb;lfYTe-fm��XѦL1�+҉j1�^�Ks�H3G#�00<�Y��&0sqbyeξ!MD,P('�P:��0lWo"E
z�!욏bg �'P]b� �.x]�+I8�D}y�7FܘA��xC.[�K�^+�ea�7j@�]��ӡ�?.�R1�4�z�%VKRP./���`� a�wBA;t%z={', o/r��/�kK>-�P�4@D)H|6\d�弰�aHTzo6"�&��_r@˯j᭕�ɑD�zPc?
7S;Q_X
�/{pllږb^ȅNЈ'
�R�3�ĝ�{㶒eH��k/sF3\aDPq� �:A}+VK�)xr-�
Z,%Ğ;�k��VuKIQ@/֣�+4֗s}oooorm^4�''鋥Ix=4(>"P`u �:~CH�%!aQ�*�ޯ�OjO]˙SX,\;`�h2A�@{]o١!�T_tE &Z|a$f����BB=:güUOꣷJ̾i((Ju=s!�GG%�Bx{<=�?̭vb�OG/xt;Y2j�ǪwG+j�-
�]c+[�j>QJx=̗NCI�5{g�Q
j�V��'b1j+y}_YVu{JqE2%8eG{��܂V�3P
FYrUҥ�&k�Y3L*Y5u ;cͳMw�ozO@"���G3
6h4w½k0Fxx9r�8\co۞Oz��k�'q jhP-?�_]{v�
H�F�iկZpR�LS`�q5C.^zK�\"ś�L<ŗA9rO|k�nfvS�"�&�^~v�(Cmi��C$&pP]}�z�Uc܅cVh\p�5Q�j=Au
>LAeFʼn?yx/]?B~0����O~
j~h!<:�&d\(�A�x8�n
=�=N�Vq8��o�dW'�|])K�E��+\N|l:.pjmۏo�3-�~學t {@R(�j��
`'��#|!IA��w���PYя TeQO^t�f�D*`w0%�a��?1ve1h}PR�
#=%1���{�c8*Gc8RG�o��V��AX���k".Tj�9��D�NE0�H�*]^|�e
~8�]�bɠ1=���^Tl&`�k 0w`"ΩTh�,vxTȥk�c.垅r\.he,zVdq2&�/ #zk�p5WHk̘xm4�vWٜ�AK5� �*Z!Ѥ�F�f
-Fo>A1�R9mfbfƆ[k�a�|y�c�ao=!vUզv𥝛 oJ�.қݝ�AfnDMd
f߭rg�%.@c,
*𲋄V]Ż�Э%=`sP=˂"ƺd#u��s{�rTUR5Ϛ#TXC'�:}�sl_d9_K>HP.$�_jwp�y g��+&�Z�8
�ziMUģX%1�g�`
+b^tw���msd�O�:0ڱ�J
r
ݛ��/RRmF��9v�ej۫u)���+K,~g�0̊�۲V�m5J�ۅ]�aiJ"%N'0�99l6��a��t KuScHG*%J}�z#r�U�c[q{Za��>*1XvtWOobD+ )�m3FwG#SOc+0h?b�ӘC �c
� �T�,6$Ae�Ѓ5T?�0мg
)V��5eqb+�Y75��/�U@D8AnKir�
�.|B`߄^> XPpӊ��]Q9T�B=}�F�d�>���hTLґu
`�< z̥7b{@�r
�q�,�Ye)+�փފ> rF@Yj$�$G���jD�l�" /�uh߶۟��rվ]M�=<�2�t�d-K�_�9a��p%,��36g<�9asH ](Lug�n0Os.}l3@^�!�&
mCcP��9Ĝ#M@wz}檧�*Ê\eaH��p=S�-0Șh
MQ VHxD�~1&gv+!"��L�s6@@P0H��73AT4
1шb����[36#&|逜},/uz���/5�c��Z|"�{X#&�3(ws�@bQ�I�F�'�@�3
"P�V:�
�G�(�^bJ z�I8�F�7,�(E>g�ٕa)豪�GcoS�wV7+�X[��z+i+����9##vFC�T)x@|
LBz،\�;�k4/
iv>No:N/x$
Zѷp+tԝsm}=^=\o:W\�|j5ۼV6�ideAήmf(�T{=\h���"�^ûHKvE Gcqq�^ AO|ӿ@)v�}Y
F/:��TNO!~պizljom9�
go:ٙ%/KN�#C|E@ЦoJ�c>sUN�{0�8���SD^}'ݫv�ԼVxy�xQ ?e�d@&pj3�r�Р(?g@�|Py}y'8/rN+��g:W�NF?rOPu}�Ȁ�]2c|.��/�e�|e�}/>�eU��y y(W�_}/�P~Q7([F%_f^e�U\]e_��O7CtAt35u�\C7?7��{��^�}~��X_�s�}/Yߗ��d�oʁo3�ڿh�6s$eCP̐5.N�pN2˹I�+/WAa uuQ~��@y�J
,c3\)��e{�5�[?[tOBX\jzr+z=k _P_xڞjpۭ]��hq_l %^a/TZE�/ޤ2q����SG0�%nsOkr>u"[~|^Y;yx߇���O��WY�-J�bġ�$Л�=+�C/O��u>O?t_�Ҿj^��=쓥̓>A7n"��B8�#wo0�d�H=�礏.ŁC�
;/�ZrfhNo4pƜ�{c����21Nrl(UJBIoR-W+俒�$2������z@t̕�D-Ȫ"+5W9 ط��PQ�˥*D`q9#��RB�4|O۴W)]74��y�Vi8�a�n%[z�"z5����xmE"z�+c@V7�/�tj^"_�v3:mc�(2��)��b��b�{ˈT`TlJx �Cqf�����|L:AÆoj/XbKZ;�c`��\;�=2�gj�Y }fy0\9Kh��]V=�ȾwF=C�k6%�gL=�[��^0\A�|#Lu�.LESzq�;K08��,_bY\�V�Y?g~ǭ�d<@,b)mԿc�rс:9�_$\$ǖ�]`>s��r:=b�G4yxa�w���./'�]C?y�
����o�
p4� }�ؖ`:}ꁴx3�#i�^jIcY61p&f\cɀ0���60>¾sĎ=���qfX|5h_z�}hd1]k��_$'1x_%05:$ˍDُӍ�g#3��B;/a�ܩ� �-f���)�.X˅-�~�뚅ӳLWm(bM]U]ݍ;S7'/Հ�&�_+$e:X3!?gwITÓȘ����b0OF>ಓH+�0S\�q/�7=Ah"v]!6
�R�Ň%?1�={dw}R7�9}0�D5a/,|Ŷ�/�G㿄&�Lܨ/���:�C�{)B9n3�O� X3Wd]d
�A_d|bOh6Mx�[o/TùLHd v"щwlPFK_`8��;�b{+|#e� Vi
v�E݉cE\c̈́�x{p�T\v�C�
>%�v�
U5v��=�׆"�2cX
=��xs4��J(�
km"�tZwkdY9Hr&z�U h$7=j"6��:
gKbwDZZ9=v��ļ�Kl�Mm�yDjc��~�EE�`A�]|e�D$ug�
�Eϩf����c����A&{gٺ*عKӘ2J1А8v2B�>ҼlQ%�76x��}�҄��O1S�u .Ы�v�l>cx Lw}��c*�C2z
l|$_Oxƪ~Saxr=&���gsx���m-I�S`i<�r:��`k��욧p�?�dtE��#b[p!@>pE֧2QTD
�Q)Yb���d휙/69�9jE '8"U];
6s6�Na^|˼+Aўx'�alhd%k^FHM`WH{!�]R>ŔK�
]'[٧3�й?-{��/���e;�?_��{ �QFb�fA�8utvKѪ
v�7"60ޏYw�PR�l@��xS
a�6�v�)E=b농\�v�QmQ-xaW�8~n`P���{z��wn}#\��:1V`]cc��Rd�GB L�n3m�^*?҂o/�Q\�F$30(�y��lH�9��m5g0X�1'(���R9(t>0 '�Ɣ
ϰ"�� sk29)��,�Sǝ��w;��k+[TcdX$֬=LE"�)s1�G���=��`5>gvC�%�z1�w�aX0�~v19�&Y)>�ٔ6�s�3a=�U`0M�Z�.<'�ȳ�(`,�Ev88)ҡCCԚB*>eS1C'@n0\|;H
d9[\O^م�4�3�\j�9/�YH~>����\9�9�.@OI"c؛b�����_yf/ȅ�^b\YG��7�XCt1^�b!gݫtּ\|=!���*`gq^v>!2D!6�xvyhEi{�CKxIǛ竖�h,)Z�M� $RVcEg0�]\}!l4Gn_����?iBPM�Gv�3�HZ�\֓CT+nu� o]��F'e1TU>\J�BS+$�WZ/�ͦG(� �wm&l2)v}ml-c6�C-�{�~}�(��
|
Network Security & Hardware 
