Time was, a bug such as MS08-067 would have been devastating to the Windows community. Changes during the last several years pushed through by Microsoft and market developments may have seriously limited the potential damage.
When the great Windows worms of the
early part of this decade hit, they cut a huge swath through the Windows world.
Slammer, probably the most fascinating of them, did so within minutes of its
release. Blaster may have been the most damaging. And all of them were patched
some time before attacks were launched, months after in the case of Slammer.
Things are a little different now.
Patching is not the real difference; users are still perplexingly resistant
even to applying Automatic Updates. As Secunia says, "Users don't patch."
really means though is that they don't patch enough, but I'm sure there's a lot
more and faster patching going on than in past years, and that this improves steadily
The real difference is firewalls.
Probably all of these network worms would be blocked by a firewall, be it a
corporate Cisco Systems box, a Linksys router at home or Windows Firewall on by
default on XP Service Pack 2 and later versions of Windows. And that goes for MS08-067,
our latest wormable Windows vulnerability, this one in the Windows Server
. A system can be vulnerable in two ways: 1) The firewall can be
disabled, or 2) File and Print sharing can be enabled. In the latter case the
system becomes vulnerable to attack, but not from the whole world, just from
the networks on which you're sharing.
Back in 2005, when MS05-039
("Vulnerability in Plug and Play Could Allow Remote Code Execution and
Elevation of Privilege")
hit, Windows XP SP 2, with its better
firewall turned on by default, was only a year old and not all that widely
deployed. The world was full of systems vulnerable to remote network attack
with no user activity at all.
, the last great
Windows worm, was based on a
vulnerability in the LSASS service
that was disclosed before SP2 was
released in an environment in which very few stand-alone users had software
firewalls and fewer home users had router/firewalls. Even a stupidly written
worm such as Sasser had no trouble spreading like wildfire.
Today, there can't be many
businesses that aren't protected at the perimeter by a firewall that blocks
ports 139 and 445, the ports through which this attack travels. There are
plenty of users left without a hardware firewall, but by now the large majority
of them have a firewall by benefit of running XP SP2 or later, or a third-party
security product. As for the others, they must already be infected with a
hundred other things.
The other scenario where one can see
big problems is the roaming idiot scenario, where users on the road or at home
get their computer infected through unsafe practices, then bring the computer
into the office or connect using the VPN and infect others. Servers in
particular might be compromised this way because the user could be
authenticated on the server.
Another factor that would provide
proactive defense even for unpatched networks is the IPS.
There have been Snort definitions for this attack since at least Oct. 23, and
I'm sure any decent IPS would pick up on it. Some of the smarter ones might even
notice the aberrant behavior without definitions, and perhaps that's how the
targeted attacks were first noticed. It's a good argument for having an IPS
protecting not only the perimeter but to monitor internal traffic.
In a user base the size of Windows'
there are bound to be lots of users who are vulnerable, if only because of
carelessness. Even a small percentage is a large absolute number, and that
number will spread the attack, becoming part of the background of malicious
noise on the Internet.
A lot of people will be attacked
successfully through this vulnerability. Everyone should patch as quickly as
possible. Before I wrote a word about this threat I patched all my systems. The
vulnerability is clearly a real threat, even if it's not half the threat it
would have been a few years ago.
Security Center Editor Larry Seltzer has
worked in and written about the computer industry since 1983.
For insights on security coverage around the
Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack