While it was snarling corporate networks and causing headaches for IT staffs, the Blaster worm that tore through the Internet last week also appears to have burned up much of the goodwill Microsoft Corp. was beginning to accumulate in the security community.
Widespread problems with the Blaster patch, issues with the Microsoft-supplied workaround, and a general dissatisfaction with the way the vendor handles updates have led administrators and security experts to lay much of the blame for the worm at Microsoft's feet.
Blaster, which hit the Internet last week, infects PCs running Windows 2000 or XP by exploiting the RPC DCOM interface over TCP port 135. Once the exploit succeeds, the newly compromised machine connects back to a TFTP server on the infecting host, downloads the binary containing the worm, and then begins scanning the Internet for other vulnerable machines. The worm is also set to launch a DDoS attack against the Windows Update site on Aug. 16.
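The infection sequence above leaves a recognizable footprint in perimeter logs: one source hitting TCP/135 on many hosts, a TCP/4444 connection from the same source to a host it just probed, and then a UDP/69 (TFTP) flow from that host back to the source. The script below is an added example, not code from the article or from any vendor; it correlates those three steps over constructed firewall log lines in an assumed `time proto src:port -> dst:port` format. The ports 135, 4444 and 69 are Blaster's well-documented ones, not values stated in the article, and the scan threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's syntax):
#   "<time> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed sample: 10.0.0.7 sweeps TCP/135 across a /24, pops 10.0.1.9 via
# TCP/4444, and 10.0.1.9 then fetches the worm over TFTP (UDP/69) from 10.0.0.7.
# 10.0.0.50 makes a single legitimate RPC connection and must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"13:01:{i:02d} TCP 10.0.0.7:{1040 + i} -> 10.0.1.{i}:135" for i in range(1, 21)]
    + [
        "13:01:25 TCP 10.0.0.7:1061 -> 10.0.1.9:4444",
        "13:01:26 UDP 10.0.1.9:1029 -> 10.0.0.7:69",
        "13:02:00 TCP 10.0.0.50:2001 -> 10.0.0.9:135",
        "13:02:30 UDP 10.0.0.60:3001 -> 10.0.0.61:69",  # benign TFTP, no 135/4444 context
    ]
)

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69


def parse(log_text):
    """Turn log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, proto, src, _sport, dst, dport = m.groups()
        events.append({"time": t, "proto": proto, "src": src, "dst": dst, "dport": int(dport)})
    return events


def find_blaster_activity(events, scan_threshold=10):
    """Return sorted scanners and (attacker, victim) pairs showing the full chain.

    A host is a scanner if it contacts TCP/135 on at least scan_threshold distinct
    targets. An infection is confirmed only when attacker->victim:135 and
    attacker->victim:4444 are both seen AND victim->attacker:69/UDP follows, which
    keeps ordinary TFTP traffic (network gear, PXE) from being flagged.
    """
    rpc_targets = defaultdict(set)  # src -> set of hosts probed on TCP/135
    shell_pairs = set()             # (src, dst) seen on TCP/4444
    tftp_pairs = set()              # (src, dst) seen on UDP/69
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == RPC_PORT:
            rpc_targets[e["src"]].add(e["dst"])
        elif e["proto"] == "TCP" and e["dport"] == SHELL_PORT:
            shell_pairs.add((e["src"], e["dst"]))
        elif e["proto"] == "UDP" and e["dport"] == TFTP_PORT:
            tftp_pairs.add((e["src"], e["dst"]))

    scanners = sorted(s for s, targets in rpc_targets.items() if len(targets) >= scan_threshold)
    infections = sorted(
        (attacker, victim)
        for attacker, victim in shell_pairs
        if victim in rpc_targets.get(attacker, set()) and (victim, attacker) in tftp_pairs
    )
    return {"scanners": scanners, "infections": infections}


if __name__ == "__main__":
    result = find_blaster_activity(parse(SAMPLE_LOG))
    print("scanning hosts:", result["scanners"])
    print("confirmed infections (attacker -> victim):", result["infections"])
```

The infection test deliberately requires all three steps from the same peer pair; a lone TFTP flow or a lone port-135 connection is far too common on a corporate network to act on, while the 135 then 4444 then reverse-69 chain is specific enough to drive an automated block or a help-desk ticket.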
As far back as the Code Red worm in 2001 and as recently as the Slammer outbreak in January, IT personnel were more apt to take some blame for failing to apply available patches. But all that has changed as admins tire of the criticism and of having to clean up vendors' problems.
“There is no good way to know whether every machine on a network is patched. At one point, you couldn't install the patch on Windows 2000 Service Pack 2,” said Paul Schmehl, adjunct information security officer at the University of Texas at Dallas, which was hit hard by Blaster. “There are myriad reasons for these things, and almost none of them fall into the category of laziness or incompetence. Those who criticize admins in these circumstances either have no experience in a corporate network or are fortunate enough to be in one that has enough money to fund expensive solutions to these problems.”
Schmehl said he also believes that Microsoft has a responsibility to build into Windows a patch discovery and delivery tool that would give IT staffs a head start on keeping their networks updated. “The only way it's going to happen is automation,” he said. “Microsoft should provide this free.”
Through its Trustworthy Computing initiative, Microsoft has spent much of the last 18 months focusing on security in its products. The effort has drawn praise from around the industry, but the problems brought on by Blaster have set the company's security image back years.
Officials at Microsoft, in Redmond, Wash., have acknowledged the problems with their patching infrastructure, but say that there is only so much the company can do to encourage customers to install the fixes.
“Our best advice is still to install the patch when it comes out,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center.
But getting the Blaster patch has been a problem. Users report that the Windows Update site was unreachable for long periods as millions scrambled to download the patch. The mad dash to patch so many machines exacerbated long-simmering problems with the variety of Microsoft tools users employ to check patch levels. The Microsoft Baseline Security Analyzer and the Windows Update site are often unclear about whether certain patches have been applied.
“Between MBSA and Windows Update, you have to watch the file's version for yourself, it seems,” said Mark Deason, director of IT at Silverside Equipment Inc., in Reno, Nev. “I've been doing this for a while, so I've seen the promise and the delivery. Microsoft is really getting better. Unfortunately, the current reality of patches and patching systems is disruptive to systems and personnel, especially when delivery is faulty.”
And, for users who couldn't get the software fix, Microsoft recommended a workaround of disabling RPC DCOM (Distributed Component Object Model), the interface that Blaster exploits. However, that method doesn't work on machines running Windows 2000 Service Pack 1 or 2, which also led to confusion and anger.
“[Microsoft] messed this up,” said Marc Maiffret, chief hacking officer at eEye Digital Security Inc., in Aliso Viejo, Calif. “We told them about it [before the worm appeared].”
On top of these problems is even more frustration for Windows XP users. When the RPC service in XP fails, as it does during a Blaster attack, the default recovery action is to reboot the machine. So, XP machines infected by Blaster are forced into a continuous reboot cycle that is difficult to stop long enough to clean and patch. The recovery action can be changed manually in the service's settings, but most home users and many corporate users aren't confident enough to make such a modification.
“Most of the calls we've gotten have been from XP users whose machines are failing right in front of them,” said Art Manion, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. “They don't know how to get out of that reboot loop.”