More Windows Trouble Ahead?

Submitted by danjr 2003-08-14
Privacy, Security
35 Comments

Blaster winds down, but security experts predict more Windows trouble ahead. Some believe that a new attack is imminent.

About the author: David Adams

2003-08-14 4:51 pm
And it goes a little like this: “The good news is it looks like at the moment, it’s really calmed down. … The flip side is that it’s only Tuesday midday and there’s a really good chance that something else could creep up by the end of the week,” he said. In other words, let’s all feel the FUD.

2003-08-14 4:52 pm
Even Miss Cleo could predict that!

2003-08-14 5:05 pm
The sky is falling, the sky is falling! These bozos who want to keep you scared are spreading it thick. “Nothing’s going on right now, but it might!”
– chrish

2003-08-14 5:08 pm
The more trouble Windows users get, the better.

2003-08-14 5:27 pm
I’ve come to a point I don’t care anymore. Virus here, worm there, attack imminent etc … I just update my virusscanner every week and visit Windowsupdate now and then.
P.S. I’m a Windows user (dual boot but Windows is my main OS).

2003-08-14 5:35 pm
That’s why we call ’em experts. Just brilliant.

2003-08-14 5:42 pm
I bet Mad Hatter will be able to replace the dominance of Windows in the Office environments pretty easily. It’s going to be damn cheap, with better security and easy to use.

2003-08-14 5:46 pm
I’d have to agree with some of the people above. This is becoming a common occurrence. You’d think Microsoft would do something more drastic to stop these security flaws. I know they took 3 months off work just to work on security but it isn’t enough. They have some $46 billion, why can’t they hire on a bunch more people just to work on security issues? Whatever they are doing about security, it isn’t enough. This is why I don’t use Windows as my main OS anymore. On my Mac there aren’t that many security issues.
Same goes for Linux. I haven’t been hacked on Windows yet but some of my friends have been infected, same goes for my parents’ PC. If Microsoft is going to do nothing about these they should at least make it look like they are trying to solve these problems.

2003-08-14 5:58 pm
Security through obscurity isn’t the answer, akumax. To be fair, I can pretty much bet if any platform had 90%+ market share, or equal ease of use, security would be a major problem for it as more stuff would be targeted for that platform, and the platform would be under increasing scrutiny by end-users. FYI Microsoft patched things well before they should have become problems this time.

2003-08-14 6:32 pm
Microsoft did patch the security flaw way before it happened. I have XP and I didn’t get hit. I had updated my system when the updates came out. Thing is, most Windows users don’t update. I came home from school in May and my parents’ computer was about 5 updates behind, which I quickly fixed (consider that about a couple of months, because I updated it during Christmas break). And yes, Microsoft seems to have too many holes in it, seems like Swiss cheese. If I look at my Mac Software Update, I see that I have 4 Security Updates, and one of them belongs to Internet Explorer, one to Stuffit Expander. There is also a combined update, which should have security updates in it, but what I see is the 5 or 6 security updates a year in Mac to the 10+ per year in Windows. And the ones that happen in Windows are the ones that hackers target, because it is the most used desktop environment out there, and it’s easy to attack. And the worm is done spreading basically, but its main attack will happen this Saturday I believe. So that is when we will find out if Microsoft can handle it (DoS attack on Windows Update, that is).

2003-08-14 6:43 pm
Excuse the rant of someone who’s been developing software professionally for 15 years.

For those who think that this is merely a Microsoft problem, you are sadly mistaken. The entire software development industry is in a sad state. Almost every development project I have ever worked on is rushed. Quality of the code base is not as important as releasing quickly while spending very little time and money on design and quality assurance. We are a profession of hackers that generally do things half asked. Most of us do not have the training or desire to design and develop things properly. We, along with management, rely on the latest and greatest tool/technology/methodology to solve our problems. We have accepted mediocrity.

Buffer overflows are not exclusive to Microsoft. Most professional programmers are trained for classroom scenarios. How many C or C++ books actually use strncpy and _snprintf instead of their infamous counterparts? There are people that I have worked with who just don’t understand that any code that can be accessed from the network needs to be designed and tested with that in mind. Unfortunately, even if the level of programmer skill were to increase, management would be screaming to rush things out the door.

The consumers of software have accepted the garbage that we build. And it seems that most of us are okay with it as well. And I have no time for those of us who proclaim that software engineering is harder than any other kind of engineering, and therefore poorer quality should be acceptable.

2003-08-14 6:44 pm
I get an alert that a new update is ready to install on my work W2K machine almost every day. This is either a lot of updates or a buggy update system. Users don’t want to be bothered by this stuff. It’s ridiculous that so much technical nonsense has to be made an issue for users.
If the OS were properly designed, with security and stability in mind from the very beginning, far less of this crap would be going on right now. Microsoft can do nothing but react, unless they tear the OS apart and start over again, which would happen on the same day I win the 4 million dollar lottery (seeing as I don’t play, the odds are really stacked against me). It continues to be in Microsoft’s own interest to do as little as possible. There isn’t nearly enough anti-Microsoft sentiment in the business world to negatively affect them at this point. Plus, they continue to spin all the stories to their favor (even if we can see through it, most people can’t or choose not to look very deeply).

The sky is falling… yeah… Point taken, Chris. FUD aside, I find it frightening that we have all become so desensitized to software that doesn’t work right and companies who offer zero responsibility and accept zero liability for their products. This is not a good thing. Maybe FUD against Microsoft’s products is in the best interests of end users? Maybe not. It’s not like they have any acceptable alternative. I now must go reboot this stupid Mac OS X system so that it can complete installation of another security patch.

2003-08-14 7:33 pm
Really going out on a limb with that prediction, aren’t they…….

2003-08-14 7:48 pm
Goodbye blue sky…………..

2003-08-14 8:14 pm
This is the best news I have had all day! Wonderful. Let’s all hear it for more virii to come for MS drones.

2003-08-14 8:46 pm
MS holes are planned by programmers of MS, the reason being, if they are fired, they can exploit this hole they have created. Think about it, it does kind of make sense: if you were a bitter twisted person and got fired you’d want revenge. Well, with MS programmers perfect revenge is a hole in the OS code, just make the hole so that the OS isn’t affected in such a way as to raise concern, then wam bam thank you mam, the programmer is fired and then goes on a rampage trying to get revenge, then he eventually gets bored and converts to Linux, to get more aggravated by its poor CLI with a GUI slapped on top, and its very apparent programmer lack of thought about trying to get rid of the Unix style CLI for desktop user. Wow, I want to type /root and a password every time I start Linux up, then sit and watch loads of driver syntax whiz past on my screen; at least Windows does all that in the background.

2003-08-14 9:26 pm
Just do it about once every 2 weeks … it takes about 5 minutes each time, 10 minutes total each month. This isn’t exactly a time-intensive process.

2003-08-14 9:47 pm
They don’t hold their updates for every two weeks. They either click “Yes” or “No” when the auto update feature asks them if they want to update to protect against “security concerns.” Then they wait for the update to download. Then they wait for it to install. Then they reboot. If you have high-speed internet access, this helps, but it’s still too often and still requires rebooting more times than not.

2003-08-14 9:52 pm
The simple fact is that Windows is far too complex and leaves too much crap running. Does the average user really need RPC interfaces and DCOM and ActiveX and all this crap that is just riddled with security flaws? Take a leaf from the OpenBSD community and keep it simple and properly audited. MS are so bogged down with crap they may never get rid of all the flaws.
Personally I have all my machines at home sitting behind a Dlink broadband router which blocks all this crap, so I have no problems. The scary part about this worm was that the user didn’t even need to run a mail attachment to bring it on. It just attacks ports that are open on all NT based versions and goes from there. MS should really get a kick in the ass for this one. It’s a shame the legal system is so pisspoor.
My 2 cents

2003-08-14 9:52 pm
Add to that, the updates for anti-virus software and other packages. And I differ with you about it not being a time intensive process. If you’re in the middle of working on something and an autoupdate encourages you to get the update, is your system still as responsive while doing this? (my OS X setup is NOT responsive when getting updates) Does it recommend you close all apps while doing the update? Sorry, but I don’t see this stuff as convenient or simple for anyone but techs who are conditioned to think that way by habit and training.

2003-08-14 10:38 pm
“just do your updates, just patch your system”
let’s get this over with….
no system is secure. given. heck my mac had an update just today. but windows still has a worse security record than any other OS used by more than 3 people. ever. try doing it right the first try, and you have less to correct later. RPC? you need that running? please….
second, all systems have to get patched. again true. but even if MS didn’t have more patches a week than my other boxes have in 2 months, they are still failing. more than half the “patches” that MS hands out cause problems rather than solving them. that is pathetic. really pathetic.
last, and i am sorry but this is true too, MS is paying for being an (illegal) monopoly. if we had a little more variation in the systems out there, these things wouldn’t hit as hard or be as damaging. yes, the other platforms would get hit more, but the total damage would be less.
MS is the biggest trouble in the software world right now. bar none.

2003-08-14 11:59 pm
Do techs have time to go out and get trained on Linux or Mac OS X or even consider doing so when they’re inundated with questions about how to keep Windows from falling apart? No, and this constant preoccupation with the poor state of Windows is why Microsoft continues to produce such crap. It’s just good for business.

As an example, my fiance and I recently built a new computer solely running Mandrake 9.1. We absolutely love it (even though the hardware is actually quite a bit older than the other box), but for the past two days it’s just been sitting next to the old computer idle because Windows 2000 decided to stop working on that machine and it’s taken several time-consuming reloads to get it back to a functional state.

2003-08-15 12:36 am
> Add to that, the updates for anti-virus software and other packages.

Mine runs automagically in the background – does virus scans while I sleep.

> And I differ with you about it not being a time intensive process. If you’re in the middle of working on something and an autoupdate encourages you to get the update, is your system still as responsive while doign this? (my OS X setup is NOT responsive when getting updates)

As I said, turn off the autoupdate. About once every couple of weeks or so, hit Windows Update and download any critical updates you see. Yes, I know some people won’t do this. Even people whom I’ve shown how to do this and made aware that they will probably get nailed if they don’t still don’t do it. (Of course, most people DO do this, but some don’t.) Well, in that case, it’s their own damn fault. Anyone who is going to run an insecure OS and KNOWS the risks and how to avoid them should take the appropriate actions. If you want security, download and use Linux or one of the BSD’s. Otherwise, if you want the benefits that come with using Windows, you’ve got to take the necessary precautions.

2003-08-15 1:39 am
If you can’t afford the time to update your win2k servers all the time, why aren’t you implementing local security policies and blocking all ports except those absolutely required? It’s pretty simple to do, and any clown can operate the local security policy GUI if they understand port blocking. Regardless, if you run win2k server you are a fool not to use this, and anyone whining that their servers got taken out on port 135 needs to find a different profession.

2003-08-15 1:46 am
At my office, our server also got infected by this Blaster. However, to me it is not totally MS’s fault, because I didn’t agree with our IT administrator’s setup. He hired a contractor to install the server, which uses Win2000 with IIS. The worst thing is that he uses the same server for data management and as a proxy for our office to share the broadband connection. Prior to the installation I did advise him to use a different setup, even suggesting a Unix OS. But since he just gave a “blank stare” when I mentioned Linux, *BSD, Solaris or AIX (we are using IBM hardware), I knew this is really “the best IT admin” we ever got. And here it is, the affected server combined with mostly 100% affected Windows desktops (not only by Blaster but also other viruses/worms). Luckily my desktop is using Linux, whereas the other mission critical servers are using QNX, SCO and Tru64.

So the conclusion is that this kind of IT administrator who stops learning will make whatever platform insecure. Luckily the IT unit isn’t involved much with the server system under my supervision (except borrowing our equipment and hardware when another system crashes); if not, I’d better put dynamite with it.

P/S: Maybe any of you experts out there can make good money from our company, since most of the simple admin jobs are contracted out.

2003-08-15 3:11 am
Sure, this is a nasty bug, but about as bad as it gets. And it was easy to prevent the problem if the individual user was paying attention.
But pretending that this shows how badly Microsoft sucks is just a nonsense. Because Linux sucks as well. I don’t care if you want to argue one way or the other about which one sucks more – they both suck – get over it.

Pick your favourite distribution. Look at its security advisory list (if it doesn’t have an SA list you lose already). The list shows your distribution is full of problems, just like Windows. The solution is to apply patches. The people who don’t update their Windows desktop OS wouldn’t be patching their machines if they were all running Linux either.

2003-08-15 7:00 am
I spent a considerable amount of time hardening the security on our network and I used a tool to find what files I needed to open up for a particular program that the added security prevented access to. Anyhoo, this logging program, Filemonitor, lists every process call and I found that it was very common to find buffer overflows during various calls to common Windows services. I also noticed when a call would fail from a buffer overflow, Windows simply tried again until it worked. I personally do not have what it takes to write an exploit for this stuff, but there seem to be many opportunities if you know where to look.

2003-08-15 10:30 am
I don’t use Windoze. No need to waste time updating this and updating that. No need to waste CPU cycles to run some stupid anti-virus software.

2003-08-15 10:58 am
Last time I looked at Google ( http://www.google.com/press/zeitgeist.html ), 32% of Google users were still using 9X.

And that’s part of the problem. Upgrading Windows is expensive if you want to play by the book. Even though everyone keeps telling me the security of XP is so much better, old versions are still around. Same with old versions of applications. Old applications are not aware of multiple users. They have the nasty habit of writing configuration files all over the place and all over the registry, forcing users to give themselves Administrator rights. So much for security.
Next problem. Microsoft relies on 3rd parties for making device drivers. This means that 3rd party code is running completely unprotected in kernel memory space. There is no way MS can control what that software does and if/when it breaks. All they can do is put a particular driver on a blacklist in case too many complaints are arriving. They call this a protection list: http://www.microsoft.com/whdc/hwdev/driver/drv_protect.mspx
As you can see, only 2k and XP are “protected”, leaving 36% of the systems in use unprotected.

2003-08-15 12:45 pm
> Last time I looked at google ( http://www.google.com/press/zeitgeist.html ), 32% of google users were still using 9X.
> And that’s part of the problem.

No, that’s not the problem, Blaster could only attack PC’s with Windows 2000 and XP. I have 98SE too and I don’t want to have shit like XP, and I can’t use it because my PC is too slow for XP.
---
Sorry for my bad English.

2003-08-15 9:45 pm
“No thats not the problem, blaster only could attack PC’s with Windows 2000 and XP. I have 98SE too and I don’t want to have shit like XP and I can’t use it because my PC is to slow for XP.”

I’m sorry, my reaction was not very clear. I was not talking about this specific problem. I was talking about what problems might lie ahead. Let me try to put it more clearly.

1. Given the fact that according to Google more than 30% of the users still use 9X, we can conclude that MS software keeps being in use for a long time. This means that all the problems with 9X are nowhere near gone and also that the problems we are seeing now with 2K and XP are going to be with us for a long time to come.

2. Given the fact that a lot of computers were infected even though a patch was available for more than a month, we can conclude that lots of users are not patching their systems.

3.
Given the fact that Windows relies for important parts on 3rd party software, including drivers that run completely unprotected at kernel level, we can conclude that not even MS itself is able to debug and control a complete Windows system with all of its drivers and dlls. This means that when a vulnerability in a 3rd party driver or dll is found by the wrong guy, he can do a lot of harm before anyone is able to react or even begin to fix the problem.

4. Given the fact that XP Home runs with Administrator privileges by default and the difficulties and inconveniences that you experience when not running with Administrator privileges, we can conclude that a lot of users are running their Windows systems with Administrator rights. This means that e-mail borne viruses and trojan horse programs have complete control over many PC’s once they’re activated.

So, we are basically faced with a whole lot of systems running outdated software, being not properly patched and being used with Administrator rights by default. And if that ain’t enough, nobody is able to debug the system. I’d say that’s not a question of _if_ but _when_ a real disaster strikes.

2003-08-15 10:05 pm
“The people who don’t update their Windows desktop OS wouldn’t be patching their machines if they were all running Linux either.”

So, somebody else has to do it. I see this happening in the near future. Open Source software development is much more efficient because of heavy reuse of existing, already debugged software. Given the speed with which countries like India and China are picking up Open Source development, it is quite likely that within let’s say 5-15 years a lot of software developers will lose their jobs and need to do something else. So, why not switch from programming to support? I figure computer maintenance will be much like car maintenance. You bring it to the garage every now and then and they will make sure the machine keeps in perfect condition.
Nobody wants to crawl under their cars to fix it. Nobody wants to install programs or repair damages after a virus hit. So, there is a demand for delivering trouble-free computing and proper maintenance, and it has to be delivered locally. It’s just that someone has to jump into this new market at the right moment.

2003-08-16 3:59 am
Format C:

2003-08-16 7:05 pm
Over 95% of all computer users run Windows, yet only 30 or so comments concerning its poor track record in security… that’s funny. However, comment on Linux security or the Mac’s one button mouse and that other 95% is suddenly an expert on both.

2003-08-17 2:53 pm
> Security through obscurity isn’t the answer, akumax. To be fair, I can pretty much bet if any platform had 90%+ market share, or equal ease of use, security would be a major problem for it as more stuff would be targeted for that platform, and the platform would be under increasing scrutiny by end-users

But if that was true, Apache should be a major target for vira and that is not the case (it is pretty much bug free). Windows being unsecure has nothing to do with its 90%+ market share. It is simply because it’s very easy to hit, because of very poor security design. Microsoft have never been concerned about security until 18 months ago. It will take many years for them to change that, which the last 18 months have proved.