Re: 10 minutes to Sasser?
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 05/04/04
- Next message: anonymous_at_discussions.microsoft.com: "Most Excelent"
- Previous message: Bob: "Sasser worm"
- In reply to: Robert Moir: "Re: 10 minutes to Sasser?"
- Next in thread: Karl Levinson [x y] mvp: "Re: 10 minutes to Sasser?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 04 May 2004 22:12:17 +0200
On Mon, 3 May 2004 22:31:14 +0100, "Robert Moir" <bofh@mvps.org>
>octavius schmalz wrote:
>> I just heard on the news that if you connect a new computer to the
>> internet, you will be infected with the Sasser worm within 10 minutes.

Or Lovesan/Blaster or any of the RPC infectors, unless whoever set up
the PC applied the RPC patch.

>> By new, I am surmising that it is a MS-based PC and doesn't have the
>> latest MS patches or the latest AV data updates.

It has no av, let alone av updates. Then again, av is not a front
line defence for direct network attacks.

>> If this 10 minute figure is true, how can we expect anyone to not
>> have the virus?

>The patches concerned were released some time before the worm.

This time. About 2 weeks before, in fact - by which time, stock has
left the factory and is in the bulk reseller's warehouse or shop
floor. Even if you postulate builders and distributors patch on exit
(hah!) there'd be vulnerable PCs out there.

RPC defect went undetected for years, from at least the original NT
4.0 through to XP. Then the attacks broke out a month after the
patch. This time it's two weeks after the patch.

One of these days, there will be a negative lead time between exploit
and discovery, let alone exploit and patch.

>> There needs to be a better way.

Yes, there does; it's called "risk management". The clue is coming,
but slowly, though some of us have risk-managed Windows beyond the
duhfault settings since 1995.

>> Are the virus makers winning the war?
>> It seems so.

>Yes. Perhaps it's about time to ask your ISP to firewall your internet
>connection for you, and to be proactive in disconnecting infected PCs
>logging into its network. If every ISP did this then you would see far less
>of this sort of nonsense.

It's been said before, and it's still true... the problem here is that
MS just doesn't "get" the Internet. Yes, technically it's just
another TCP/IP network, but practically it is NOT the same.

A big corporate network has inclusion rules and professional
administration. The Internet is the world. What is sensible for the
first is madness for the second - having stand-alone PCs waving ports
at the 'net in case some passing system wants to play around.

XP Home is supposed to be a consumer OS for stand-alone PCs, which
means you'd expect it to have enough clue not to allow outside systems
(i.e. IP addresses outside the private ranges) to access ports etc.

But the whole approach to Windows has been "server" and "client".
There's no sense that a third category - stand-alone PCs that consume
"the Internet" but are not servers on it - exists. Basically, what
has happened is that MS has dropped an OS written for
professionally-administered corporate networks, and has dropped it
as-is into a consumerland that now happens to bristle with broadband.

Hence hidden admin shares that expose the startup axis, a Remote
Procedure Call service that can't be separated from internal
inter-application communications and disabled, etc.

Computers are now sufficiently complex that we should stop considering
them to be fully deterministic. It's not enough to *intend* that a
million lines of code can pick up alien incoming material, toss it
about, tease it apart, and let it automate the system - all the while
not getting to run as raw code, stray outside zone or account rights
boundries, and so on. In practice, these "security" sfaeguards leak;
the more code handles this stuff, the more likely it WILL screw up.

The above paragraph is a few hundred bytes of English, and there's at
least one error in it. Include entropy within your estimations!

The lessons are:
- ANY code that handles incoming material may accidentally run it
- unpatched PCs will *always* be with us
- so make sure that you can live with what you ship on CD

In my letterbox today was an advert card from MS boasting about how XP
is "more secure" than Win98. Talk about great moments in bad timing!

>-------------------- ----- ---- --- -- - - - -
Trsut me, I won't make a mistake!
>-------------------- ----- ---- --- -- - - - -
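
The inbound rule the post asks for (a stand-alone PC refusing unsolicited connections from IP addresses outside the private ranges), sketched as an added example that is not part of the original post. The range list, function names and sample packets are assumptions constructed for illustration; TCP ports 135 and 445 are the ones Blaster and Sasser respectively attacked.

```python
import ipaddress

# Assumed policy for a stand-alone PC: only these source ranges count as
# "inside" (RFC 1918 private space, loopback, IPv4 link-local).
INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def is_inside(src):
    """True if the source address falls in one of INSIDE_NETS."""
    addr = ipaddress.ip_address(src)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return False  # this sketch treats every other IPv6 source as outside
    return any(addr in net for net in INSIDE_NETS)

def decide(packet, established):
    """Return 'allow' or 'drop' for one inbound TCP packet.
    packet      -- (src_ip, src_port, dst_port, is_syn)
    established -- set of (remote_ip, remote_port, local_port) flows that
                   this PC opened itself
    """
    src_ip, src_port, dst_port, is_syn = packet
    # Replies on connections the PC initiated are always let back in.
    if not is_syn and (src_ip, src_port, dst_port) in established:
        return "allow"
    # A new inbound connection is accepted only from an inside source.
    if is_syn and is_inside(src_ip):
        return "allow"
    return "drop"  # default deny: unsolicited traffic from the Internet

# Constructed sample traffic (documentation addresses, not real hosts).
ESTABLISHED = {("198.51.100.20", 80, 50123)}   # PC is browsing a web server
PACKETS = [
    ("203.0.113.7", 4444, 445, True),          # Internet host probes 445
    ("::ffff:203.0.113.7", 4445, 135, True),   # same host, IPv4-mapped form
    ("172.32.0.1", 1200, 135, True),           # just outside 172.16.0.0/12
    ("192.168.1.10", 1055, 445, True),         # LAN peer, file sharing
    ("198.51.100.20", 80, 50123, False),       # reply from the web server
]

def verdicts():
    """Verdict for each constructed packet, in order."""
    return [decide(p, ESTABLISHED) for p in PACKETS]
```

With this policy the listening services stay reachable from the LAN while an unpatched machine is never offered to arbitrary Internet sources.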