Are We Ready for the Windows Server Worm?

By Larry Seltzer  |  Posted 2008-10-27 Print this article Print

Time was, a bug such as MS08-067 would have been devastating to the Windows community. Changes during the last several years pushed through by Microsoft and market developments may have seriously limited the potential damage.

When the great Windows worms of the early part of this decade hit, they cut a huge swath through the Windows world. Slammer, probably the most fascinating of them, did so within minutes of its release. Blaster may have been the most damaging. And all of them were patched some time before attacks were launched, months after in the case of Slammer.

Things are a little different now. Patching is not the real difference; users are still perplexingly resistant even to applying Automatic Updates. As Secunia says, "Users don't patch." What this really means though is that they don't patch enough, but I'm sure there's a lot more and faster patching going on than in past years, and that this improves steadily over time.

The real difference is firewalls. Probably all of these network worms would be blocked by a firewall, be it a corporate Cisco Systems box, a Linksys router at home or Windows Firewall on by default on XP Service Pack 2 and later versions of Windows. And that goes for MS08-067, our latest wormable Windows vulnerability, this one in the Windows Server service. A system can be vulnerable in two ways: 1) The firewall can be disabled, or 2) File and Print sharing can be enabled. In the latter case the system becomes vulnerable to attack, but not from the whole world, just from the networks on which you're sharing.

Back in 2005, when MS05-039 ("Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege") hit, Windows XP SP 2, with its better firewall turned on by default, was only a year old and not all that widely deployed. The world was full of systems vulnerable to remote network attack with no user activity at all.

Sasser, the last great Windows worm, was based on a vulnerability in the LSASS service that was disclosed before SP2 was released in an environment in which very few stand-alone users had software firewalls and fewer home users had router/firewalls. Even a stupidly written worm such as Sasser had no trouble spreading like wildfire.

Today, there can't be many businesses that aren't protected at the perimeter by a firewall that blocks ports 139 and 445, the ports through which this attack travels. There are plenty of users left without a hardware firewall, but by now the large majority of them have a firewall by benefit of running XP SP2 or later, or a third-party security product. As for the others, they must already be infected with a hundred other things.

The other scenario where one can see big problems is the roaming idiot scenario, where users on the road or at home get their computer infected through unsafe practices, then bring the computer into the office or connect using the VPN and infect others. Servers in particular might be compromised this way because the user could be authenticated on the server.

Another factor that would provide proactive defense even for unpatched networks is the IPS. There have been Snort definitions for this attack since at least Oct. 23, and I'm sure any decent IPS would pick up on it. Some of the smarter ones might even notice the aberrant behavior without definitions, and perhaps that's how the targeted attacks were first noticed. It's a good argument for having an IPS protecting not only the perimeter but to monitor internal traffic.

In a user base the size of Windows' there are bound to be lots of users who are vulnerable, if only because of carelessness. Even a small percentage is a large absolute number, and that number will spread the attack, becoming part of the background of malicious noise on the Internet.

A lot of people will be attacked successfully through this vulnerability. Everyone should patch as quickly as possible. Before I wrote a word about this threat I patched all my systems. The vulnerability is clearly a real threat, even if it's not half the threat it would have been a few years ago.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack 

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel