2006-01-04
A few hundred million Windows XP machines lay vulnerable on the Web today, a week after a zero-day exploit was discovered. Meanwhile, new approaches and ideas from the academic world - that focus exclusively on children - may give us hope for the future after all.
Zero-day holiday
2006-01-04
Anonymous (2 replies)
Not a real solution
2006-01-05
Mike Warot (1 replies)
> 1%. 200 million Windows XP systems makes it a
> mathematical impossibility by my idea of the
> word "few" for there to be a few hundred million
> vulnerable XP boxen.
I actually wish I had more accurate marketshare statistics on XP versus the total Windows install base. Gartner/IDC type companies tend to have this, but we don't subscribe to these pay-for services. The number might be higher than 200 million XP installs; maybe 'several or a few hundred million' would have worked better than 'a few' in this case. Since most versions of Windows were vulnerable (but not necessarily exploitable as easily), 'few' seems close enough. If you have more accurate marketshare stats I'd love to see them.
> My sources put the number of boxen infected
> between 0.5% and 1%. When organizations like
> Symantec are saying "This percentage of our
> users have turned up infections", what they're
> actually citing (in most cases) are *INFECTION
> ATTEMPTS* that the AV blocked. Actual
> post-infection code (i.e., the downloaders'
> payloads) being picked up in combination is far
> rarer.
I don't have access to the Symantec numbers, we operate pretty much independently. Some of the other A/V vendors didn't even catch the exploit with their software, some people don't even run A/V at all, and surely some percentage of people have expired or outdated A/V software that might have otherwise picked up the exploit. In light of this, the 1% number still seems low to me compared to the number of people known to surf porn/warez sites without knowing anything about security. I thought 1% was conservative. If I'm wrong, I'm happy to be wrong because many fewer people were compromised.
Since this exploit affected most versions of Windows (although XP is by far the most dominant) the numbers will still easily be in the millions, as even 0.5% of 400 million installs is quite a lot. Not all those exploit attempts would be successful, as you pointed out, so it's really hard to say.
> "There are some great things happening in the
> world of computers and networks, but today's
> Windows XP security response isn't one of
> them."
> Unwarranted, in my opinion. Microsoft took all
> of 9 days to patch this bug. That's better than
> expected, particularly from Redmond.
I was very happy to see that they broke out of their regularly scheduled patch cycle to issue the patch due to customer demand. That says a lot. When I wrote the article, the exploit had been out for a week and Microsoft's press release said it would be another week before a patch. Good for them to try and improve. Better than they first stated.
> As I continue, there's one difference I see in
> the case of Blaster versus WMF. Blaster affected
> computers. The WMF exploit still had a user
> component involved. The WMF 'sploit can't infect
> a box without a user sitting at it.
This is true, although many millions of people surf the Web and it's extremely easy to add the code to a web page. Additionally, Blaster did not have as big an impact inside corporations with strong border security; the WMF exploit, being user-driven, isn't affected by border security at all in most cases (except by a few good IDSs that saw it, for example).
> My biggest complaint about the rampant FUD in
> this piece is that you seem to think this
> vulnerability is uniquely bad, when in fact
> numerous others have been more severe in
> attack-surface coverage. This is particularly
> true of WMF, when the only OOTB-exploitable
> config was Windows XP.
Windows XP makes up about half of the entire install base. That's a large attack surface. As you know, most other versions of Windows were also vulnerable but not necessarily exploitable as easily.
The fact that it was zero-day means that it could have been out there for weeks or months before it was discovered. That's pretty powerful. I do think it is uniquely bad that just viewing an image with Explorer on your local machine can result in compromise. I do think it's uniquely bad how easily one can add the code to a webpage, and wait for the visitors. And most government, military, scientific, educational, and Fortune 500 companies run Windows XP, relying on strong border security with a soft underbelly that could be ripped open with a targeted WMF exploit. A little bit of social engineering would go a very long way to get inside some secure environments. Most viruses can be stopped at the border or gateway in comparison. This case was uniquely different in my opinion.
> Getting a user to click on a link is still
> harder than portscanning a networked system,
> which was the method used by Blaster, for
> instance.
Not necessarily. In a corporate environment, it's hard to get past the strong border but easy to send an email with a link to a harmless-looking website related to the company's business. Once inside a hacker can start port-scanning and reconnaissance.
> The funniest part is your appeal to readers to
> discuss workarounds. I, for one, *personally*
> discussed workarounds with members of the MSRC [...]
Discussion and communication on workarounds is often the best defense for all of us. That's why SecurityFocus exists. One of our major goals in 2006 at SecurityFocus is to involve the community more in contributions, discussions, and so on. Despite all the dissenting opinion, smart people can still share ideas and discuss workarounds - just as you did. We have a common goal in sight even if we disagree about the methods sometimes.
> You're free to say that millions have been
> infected all you want. However, that's a
> dangerous statement as there's not solid
> available proof it's true.
The proof comes after the fact, just as we saw with Blaster, where most people dramatically underestimated the threat. I'll stand by my statement but also hope that I was indeed wrong, because at the end of the day being wrong would mean that far fewer people were compromised. At the end of the day ballpark figures are never accurate, but I believe the threat was there and we may never know the true numbers.
Since Microsoft admitted that customer pressure caused them to release the patch early, I'm very happy with the outcome and I don't mind the dissenting comments that spark debate.
>You're free to argue how much help Microsoft
>really needed, but what I think needs to happen
>is for those covering issues like this to
>reinforce the value of preemptive mitigation like
>DEP, limited accounts, etc.
>
> Incidentally, both of those shielded you from
> the in-the-wild malware.
I never felt the threat personally, but many laypeople don't know much about security and are completely clueless. I'm big on preemptive mitigation and I publish all the Infocus technical articles here. If you have some suggestions on technical articles you'd like to see, drop me an email and if they're useful to the community I will make it happen.
Thanks for your comments.
Best regards,
Kelly Martin
Link to this comment: http://www.securityfocus.com/comments/columns/377/32940#32940