Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    August Patch Winds Fade

    By
    Larry Seltzer
    -
    August 16, 2005
    Share
    Facebook
    Twitter
    Linkedin

      At first glance, Microsofts August vulnerability and patch set seemed like a real killer set of vulnerabilities. One of them in particular, MS05-039 (Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege), caught attention as a “wormable” hole.

      Network-wormable vulnerabilities are the worst kind. They allow an attack to take place without any action on the part of the victim. They dont have to open an e-mail, run a program or do anything else proactive.

      The attack comes through a network communication to the system and exploits a vulnerability in the handling of the network data. The most famous examples from Windows history are Slammer, Blaster, and Sasser. To give you a sense of them, all of them are old, years old in some cases, and yet they continue to exist at a certain level in the background of the Internet, and may continue to exist for years. When they were in their heyday, they made the front page; everyone dropped everything else they were doing and dealt with these problems.

      And, indeed, it took about five days for MS05-039 to become “wormed.” Weve had the Zotob worms out since the weekend. But while there has been a lot of talk about the potential for mass damage, its all either fallacious or based on worst-case thinking. The fact is that MS05-039 really isnt all that big a deal.

      First, its important to review the differences in severity of MS05-039 depending on the operating system under attack:

      • Windows 2000

        : The vulnerability is remotely exploitable. Unpatched systems are vulnerable to Zotob and other attacks that come along.

      • Windows XP SP1

        : Remote users can attack the system, but only if they have a valid account on the system.

      • Windows XP SP2 and Windows Server 2003

        : Remote users can only exploit the vulnerability if they have a valid login and rights to log on locally.

      As Microsoft notes in the write-up, the attack can also be prevented by blocking TCP ports 139 and 445 at the firewall, and these are pretty standard and obvious ports to block at a firewall. The other mitigating factors are pretty clear once you think about them.

      With respect to Windows 2000 it is often said, and I think this is a fair assessment, that it is still popular in business. But it never had much traction in the consumer space, largely because it wasnt sold into that space. At the time Windows 2000 was most popular, Microsoft was selling consumers Windows ME which, for all its profound deficiencies, is not vulnerable to this particular problem.

      How many businesses do you think are around today running Windows 2000 with no firewall? Surely any such business already has their systems utterly compromised. Theyre probably the ones producing all that background Sasser and Blaster traffic. But the vast majority of businesses, including those who have done nothing more than place their systems behind a router, are protected against the known remote forms of this attack.

      So to go further, attackers either need to authenticate themselves on the system or get inside the network. The authentication route would probably involve a dictionary attack, which means that for each address it attempts to attack the worm needs to make hundreds or even thousands of guesses at username/password combinations, and probably would only try to guess at the administrator password. If the worm is able to do this then it will succeed, but its not an attack that is facilitated by MS05-039; its always been possible. I suspect its too conspicuous for an attacker to make potentially hundreds of connection attempts at the same target.

      The worm could attempt to get on the inside of the network through what are now well-known routes, most famously the unprotected notebook. A user with a notebook computer, probably Windows 2000-based, unpatched and with no personal firewall, takes it home for the weekend and connects it to their broadband connection where it is infected with Zotob or whatever. Monday morning they bring it back into the office, plug it in to the LAN and log in, thereafter infecting systems on the LAN because the firewall no longer protects them.

      This is a perfectly plausible scenario, but its not a recipe for widespread infection, and there have been products to protect against such infections for many years, and network access control systems such as Ciscos NAC can prevent unprotected notebooks from connecting to the LAN at all. Only an irresponsible company would get caught with its pants down in this way. And even if it did, it would still be unlikely that the Windows XP systems would be infected.

      Its a good 48 hours now after Zotob hit the Internet and the major AV companies have lowered its severity, at worst, to a rating of “interesting, but not much of a threat.” Even Panda, usually anxious to overstate matters, has the two Zotob worms at a 2 out of 5.

      So patch your systems, but dont miss your kids play in order to do it. Weve seen a lot worse than this in the past.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      More from Larry Seltzer

      Avatar
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×