Blasters Near Miss and an Apology From Microsoft

Blaster may or may not be the worm that almost ate the computing world, and there's still hot spots of variant activity. Along with an examination of Blaster's aftermath, Security Supersite Editor Larry Seltzer passes on Microsoft's apology for mishandlin

When it rains it pours. Just as IT managers and other security response personnel seemed to turn the corner on the Blaster worm (a k a LoveSAN), the issue became moot for many of us here in the Northeast as our computers shut down for lack of power. Many are still juiceless days later. But like the blackout, Blaster was a bad situation that could have been a whole lot worse and on Monday morning we can take a long look at both and breath a sign of relief. The point where Blaster lost was Friday when Microsoft pre-empted the worms scheduled denial of service attack on the Windows Update site. As with several other details in its design, the hacker didnt write the worm as well as it could have been, which either slowed its progress or blunted its impact. For example, the planned DOS attack was to be on the address windowsupdate.com. However, windowsupdate.com was never the main name used for the site but is just a redirector point to the real address: windowsupdate.microsoft.com. All Microsoft had to do was to remove windowsupdate.com from DNS and it pre-empted the worms attack. Now theres always the chance that the next worm will try to launch a DOS attack on the right address, but that was always a possibility. Besides, the next worm wont likely have as great a penetration because so many more users have by now--hopefully--applied the patch.

Meanwhile, the worm is still alive, although not as hot as it used to be. Even the .B and .C variants of the worm dont seem to be causing much of a stink. However, you should be on the lookout for a new Trojan horse e-mail that purports to contain a patch to block the worm.

Speaking of Microsoft patches, as I described in a recent column, during the run-up to the Blaster worm attack, Microsoft went on a security notification blitz. It seems that at least one of the messages released was sent on contract by Digital Impact, a company with shady credentials among those of us dealing with spam. A Microsoft spokesperson responded to my complaint:

In an effort to encourage customers to install the critical patch associated with Microsoft Security bulletin MS03-026, Microsoft contracted a third party to manage the logistics of distributing an e-mail advisory. The timing of the e-mail coincided with a hoax Microsoft e-mail in circulation. While we continue to believe that taking additional action to promote patch application was the correct decision, we understand that the tactic was poorly executed and we are reevaluating our policies regarding the use of third parties to disseminate security information.

Now, Im not sure what the part about the "hoax" e-mail means, but overall it sounds contrite to me, and a good thing. In another step towards clarity, the Web site at email.microsoft.com no longer reads like a marketing-gobbledygook promo for Digital Impact. Instead, it offers a prominent link to a simple opt-out form.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer