When the great Windows worms of the early part of this decade hit, they cut a huge swath through the Windows world. Slammer, probably the most fascinating of them, did so within minutes of its release. Blaster may have been the most damaging. And all of them were patched some time before attacks were launched, months after in the case of Slammer.
Things are a little different now. Patching is not the real difference; users are still perplexingly resistant even to applying Automatic Updates. As Secunia says, “Users don’t patch.” What this really means though is that they don’t patch enough, but I’m sure there’s a lot more and faster patching going on than in past years, and that this improves steadily over time.
The real difference is firewalls. Probably all of these network worms would be blocked by a firewall, be it a corporate Cisco Systems box, a Linksys router at home or Windows Firewall on by default on XP Service Pack 2 and later versions of Windows. And that goes for MS08-067, our latest wormable Windows vulnerability, this one in the Windows Server service. A system can be vulnerable in two ways: 1) The firewall can be disabled, or 2) File and Print sharing can be enabled. In the latter case the system becomes vulnerable to attack, but not from the whole world, just from the networks on which you’re sharing.
Back in 2005, when MS05-039 (“Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege”) hit, Windows XP SP 2, with its better firewall turned on by default, was only a year old and not all that widely deployed. The world was full of systems vulnerable to remote network attack with no user activity at all.
Sasser, the last great Windows worm, was based on a vulnerability in the LSASS service that was disclosed before SP2 was released in an environment in which very few stand-alone users had software firewalls and fewer home users had router/firewalls. Even a stupidly written worm such as Sasser had no trouble spreading like wildfire.
Today, there can’t be many businesses that aren’t protected at the perimeter by a firewall that blocks ports 139 and 445, the ports through which this attack travels. There are plenty of users left without a hardware firewall, but by now the large majority of them have a firewall by benefit of running XP SP2 or later, or a third-party security product. As for the others, they must already be infected with a hundred other things.
The other scenario where one can see big problems is the roaming idiot scenario, where users on the road or at home get their computer infected through unsafe practices, then bring the computer into the office or connect using the VPN and infect others. Servers in particular might be compromised this way because the user could be authenticated on the server.
Another factor that would provide proactive defense even for unpatched networks is the IPS. There have been Snort definitions for this attack since at least Oct. 23, and I’m sure any decent IPS would pick up on it. Some of the smarter ones might even notice the aberrant behavior without definitions, and perhaps that’s how the targeted attacks were first noticed. It’s a good argument for having an IPS protecting not only the perimeter but to monitor internal traffic.
In a user base the size of Windows’ there are bound to be lots of users who are vulnerable, if only because of carelessness. Even a small percentage is a large absolute number, and that number will spread the attack, becoming part of the background of malicious noise on the Internet.
A lot of people will be attacked successfully through this vulnerability. Everyone should patch as quickly as possible. Before I wrote a word about this threat I patched all my systems. The vulnerability is clearly a real threat, even if it’s not half the threat it would have been a few years ago.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack