Code Red Is Old Hat, If Youve Kept Your Head Out of the Sand

By eweek  |  Posted 2001-08-20

Unless youve been hiding under a rock for the past few weeks, youve probably heard all you ever wanted to know about the so-called "Code Red" crisis thats been clogging networks worldwide since its discovery on July 19.

Indeed, "Code Red" has joined that tiny fraction of a percent of all network security issues that has penetrated the consciousness of the general public, showing up in nightly newscasts and national papers.

The security community is, quite frankly, sick and tired of the whole thing. And with the discovery Aug. 3 of the first of what is likely to be a whole generation of Code Red offspring (creatively dubbed "Code Red II"), its unclear when the hubbub about this security threat is likely to die down.

Given all of the media attention and purported damage—at least one estimate places the cost of Code Red at $1.2 billion, though I have my doubts about that figure—one would assume that this crisis represents a new technology, a new attack approach, a new threat. In fact, there is absolutely nothing new here. The threat posed by the likes of Code Red has been around for more than a decade.

Code Red is one of a class of attack tools known as "worms," which spread without human intervention. Though worms have become increasingly popular in recent months, they are hardly a revelation to the security community; in many ways Code Red was almost identical to the "Morris" worm, which crippled the nascent Internet back in 1988. The worm, written by Cornell University graduate student Robert T. Morris, was a 99-line program written to infiltrate Digital VAX and Sun 3 Systems.

By contrast, Code Red used a flaw in Microsofts Internet Information Server to hijack targeted servers. The flaw is new and unusually severe, but by no means unique or unexpected. Indeed, the type of error involved—known as a "buffer overflow"—has been at the heart of security vulnerabilities for as long as weve had a concept of computer security, and it was the basis for one of the attacks the Morris worm used.

It shouldnt come as a surprise, then, that the best available defense against Code Red is news to no one. Every systems administrator and security consultant worth the title knows that regular application of software patches to fix known bugs is an absolute requirement for network security. A month before Code Red was released in the wild, Microsoft issued a software patch that blocked it.

And yet, by some counts, Code Red infected nearly 400,000 machines. Ouch!

The recent wave of worms is taking advantage of an old problem that we have largely ignored, hoping that it would just go away. We accept that the software we rely on is full of bugs and count on sysadmins to patch them as they pop up.

As a result, sysadmins face a constant flood of new patches, many of which have their own bugs and break existing functionality. We continue to demand new features—with their new bugs—while giving sysadmins a fraction of the security resources they need.

With the Code Red media circus still ringing in our ears, Code Red II used the exact same vulnerability to compromise an estimated 400,000 unpatched servers in its first three days. The problem is not going away.

Rocket Fuel