2006-01-04
A few hundred million Windows XP machines lay vulnerable on the Web today, a week after a zero-day exploit was discovered. Meanwhile, new approaches and ideas from the academic world - that focus exclusively on children - may give us hope for the future after all.
Zero-day holiday
2006-01-04
Anonymous (2 replies)
Not a real solution
2006-01-05
Mike Warot (1 replies)

Sorry about the delay in responding. I have to confess I'm mildly surprised by that. I'll commend you on that, as I know some of your colleagues in various positions at SF would have hit the Reject button.
I'll grant your numbers, with the exception of 1%. 200 million Windows XP systems makes it a mathematical impossibility by my idea of the word "few" for there to be a few hundred million vulnerable XP boxen.
My sources put the number of boxen infected between 0.5% and 1%. When organizations like Symantec are saying "This percentage of our users have turned up infections", what they're actually citing (in most cases) are *INFECTION ATTEMPTS* that the AV blocked. Actual post-infection code (i.e., the downloaders' payloads) being picked up in combination is far rarer. This is true of both my personal experience and the actual detection rates. Look at them, if you have access to them. I'd bet a meal on them painting the very picture I describe.
I haven't seen any published figure (other than the 1% figure) that has any air of accurately describing the real infection number (i.e., not counting AV-nabbed exploit code that never fired).
Further, there's a big difference between boxes that *have been compromised* and boxes that *are* compromised, and still further difference between boxes that are *already* compromised and boxes that are *being* compromised. Your wording implies that you expect to see millions attacked within moments either direction of the article being published. Even if I give you twenty-four hours both directions, that's not likely to equate to millions of victims. Particularly with the estimate of 1% yielding all of 4m victims in the first place, even if we assume all Windows PCs are infectable, which further drops to 2m for XP only.
But no matter...
"There are some great things happening in the world of computers and networks, but today's Windows XP security response isn't one of them."
Unwarranted, in my opinion. Microsoft took all of 9 days to patch this bug. That's better than expected, particularly from Redmond.
As I continue, there's one difference I see in the case of Blaster versus WMF. Blaster affected computers. The WMF exploit still had a user component involved. The WMF 'sploit can't infect a box without a user sitting at it.
My biggest complaint about the rampant FUD in this piece is that you seem to think this vulnerability is uniquely bad, when in fact numerous others have been more severe in attack-surface coverage. This is particularly true of WMF, when the only OOTB-exploitable config was Windows XP.
That said, let's go on:
"Incredibly, most of the world's computers have been suddenly found vulnerable to massive data theft and criminal use when they reach out onto the Internet - ripe for exploitation with great ease, even by unskilled hackers."
The users versus computers debate is very material here. Most of the world was celebrating the holidays when the WMF vulnerability struck. Westerners were back at work for all of four days (12/27-12/30) after the exploit was known. Assuming that most of them didn't go back to work until 1/3, that ends up being a mitigation period of roughly seven business days. Further, most of the educational sector had a zero-business-day impact period +/- 1 day for some. That is, classes weren't going on, and most were closed.
In either case, this is a time range that would have allowed emergency, high-breakage mitigating measures such as disabling file downloads, or filtering metafiles by content with IDS signatures on inline filtering devices (which is exactly what I did to protect myself against the vulnerability).
"How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we're in today."
The thing about some of those other vulnerabilities is that there have been much easier exploit vectors. Getting a user to click on a link is still harder than portscanning a networked system, which was the method used by Blaster, for instance. Therefore, the ease of this attack isn't really remarkable, let alone astonishing. Nobody turned the MSIE JPEG vulnerabilities into anything, even though they required less work to exploit (you could render an infectious image inline). There have also been vulnerabilities (like the one I just cited) that had much wider default reach. Why didn't anybody say anything, for instance, about the devastation wrought by DOM? It isn't because those vulnerabilities were not as bad, it's because they weren't discovered (initially) in-the-wild. Clearly, JPEG/DOM were just as bad, and neither produced an exploit with any degree of devastation associated with it.
The reason this exploit was successful is because the information was controlled. The spyware writers had the upper-hand. 9 days seems like a long time to patch when there are people falling victim from day one. Had we seen the details of a vulnerability appear and then exploits developed and absorbed into the spy/adware communities, we're looking at a 7 day (or so) window, realistically.
The funniest part is your appeal to readers to discuss workarounds. I, for one, *personally* discussed workarounds with members of the MSRC, such as:
1. Block File Downloads in IE
2. Implement a "no attachments" or "no images" e-mail policy
3. Read e-mail in plain text
4. Aggressively filter links from IMs
5. Include IDS signatures blocking the specific record or WMF content as a whole.
6. DEP
7. Limited Accounts
#6 and #7 are considered best practice. #7, in particular, is implemented on MANY corporate workstations and even laptops. That's one thing on your side with WMF that wasn't with blaster.
#5 is addressed in a roundabout way by guidance on AV/IDS.
#4 is actually implemented at microsoft.com, but is done via a product that is not yet to RTM, AFAIK.
#3 was strongly encouraged by MS.
#1/#2 were high-breakage, last-ditch solutions.
I was perfectly happy with my defense having only a good inline filter and a limited account. There may not have been as many workarounds, but there were a great deal more mitigators than with RPC DCOM. With that vulnerability, if you had it unpatched (on Windows 2000/XP), you were, more or less, hosed.
You're free to say that millions have been infected all you want. However, that's a dangerous statement as there's no solid available proof it's true. But to say that millions are being infected as-we-speak is overboard. You go further off the deep end by saying that this vulnerability is exceptionally severe vis-a-vis other criticals like RPC/DCOM. It appears, when you make statements like that, that you lack understanding of what types of vulnerabilities tend to spawn larger infections. A system-to-system vulnerability like RPC/DCOM makes for an easier, more effective, faster-spreading infection than a WMF bug, any day of the week. Even on the client-side, we've had more serious incidents than this one (which required you to download a file by clicking a link, as opposed to merely reading e-mail or viewing inline images).
You're free to argue how much help Microsoft really needed, but what I think needs to happen is for those covering issues like this to reinforce the value of preemptive mitigation like DEP, limited accounts, etc.
Incidentally, both of those shielded you from the in-the-wild malware.
Link to this comment: http://www.securityfocus.com/comments/columns/377/32905#32905
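The comment above lists "IDS signatures blocking the specific record or WMF content as a whole" (mitigation #5) as the filter its author ran inline. The following is an added example of what record-level filtering looks like in practice; it is not code from the commenter, from SecurityFocus or from the column. It walks the WMF record stream using the field layout from the WMF file format (placeable header key 0x9AC6CDD7, 18-byte standard header, records of a 4-byte size in 16-bit words plus a 2-byte function code) and flags a META_ESCAPE record (0x0626) whose escape function is SETABORTPROC (0x0009), the record the in-the-wild WMF exploits used, while letting other escapes and ordinary drawing records through. The sample metafiles are constructed inline for the test and contain placeholder bytes, not a payload. The function code is compared on its low byte only, a conservative choice so that variants with a different high byte are still caught; any parse error is reported as a finding, so an inline filter built on this fails closed.

```python
import struct

# Constants from the WMF file format.
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
QUERYESCSUPPORT = 0x0008     # a harmless escape function, for contrast
SETABORTPROC = 0x0009        # the escape function flagged by the filter


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob.

    Raises ValueError on anything structurally wrong, so a filter can
    treat 'unparseable' the same as 'hostile'.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header (checksum not verified here)
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _version = struct.unpack_from('<HHH', data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF standard header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:
            raise ValueError(f"record at {off:#x} shorter than its own header")
        size = size_words * 2
        if off + size > len(data):
            raise ValueError(f"record at {off:#x} overruns the file")
        yield off, func, data[off + 6: off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("missing META_EOF record")


def scan_wmf(data: bytes) -> list:
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    try:
        for off, func, params in parse_wmf_records(data):
            # GDI-style dispatch: match on the low byte of the function code.
            if func & 0xFF != META_ESCAPE & 0xFF:
                continue
            if len(params) < 4:
                findings.append(f"{off:#x}: truncated META_ESCAPE record")
                continue
            esc_func, byte_count = struct.unpack_from('<HH', params, 0)
            if esc_func == SETABORTPROC:
                findings.append(
                    f"{off:#x}: META_ESCAPE SETABORTPROC with "
                    f"{byte_count} bytes of callback data")
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
    return findings


# --- constructed test fixtures (not real files) -------------------------

def _rec(func: int, params: bytes = b'') -> bytes:
    body = struct.pack('<H', func) + params
    if len(body) % 2:
        body += b'\0'                      # records are word-aligned
    return struct.pack('<I', (len(body) + 4) // 2) + body


def build_wmf(records, placeable: bool = False) -> bytes:
    body = b''.join(records) + _rec(META_EOF)
    max_rec = max((len(r) // 2 for r in records), default=3)
    hdr = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    pre = b''
    if placeable:
        pre = struct.pack('<IHhhhhHIH', PLACEABLE_KEY, 0, 0, 0, 0, 0, 1440, 0, 0)
    return pre + hdr + body


BENIGN = build_wmf([
    _rec(META_SETMAPMODE, struct.pack('<H', 8)),
    _rec(META_ESCAPE, struct.pack('<HH', QUERYESCSUPPORT, 2) + b'\x09\x00'),
])
# Placeholder bytes stand in for the callback data; no exploit code here.
HOSTILE = build_wmf([_rec(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'\0' * 4)])
VARIANT = build_wmf([_rec(0x0026, struct.pack('<HH', SETABORTPROC, 4) + b'\0' * 4)], placeable=True)

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN), ('hostile', HOSTILE), ('variant', VARIANT)):
        print(name, scan_wmf(blob) or 'pass')
```

Run stand-alone it prints one line per fixture; in an inline filter the decision rule is simply "block if scan_wmf() returns anything", which covers both the flagged record and files the parser could not walk.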