We all know about the recent virus that is floating around, the W32.Blaster.Worm. Obviously, this worm was a major threat; Symantec raised it from a level 3 to a level 4. You can’t help but read about it on sites like osnews.com or Slashdot.com. But I noticed one thing that seems to be missing a lot of the time, at least with this latest worm: people don’t want to take responsibility for updating their computers, even when the update was available a month ago.
I’m not here to defend Microsoft in any way. Their code does have bugs in it. Furthermore, no operating system is perfect. Granted, as of right now, Linux, Mac OS X, and Novell seem to have a lot fewer issues. But let’s consider that Microsoft is the current OS leader on both desktop and server. As such, they are going to be the main target of hackers and virus writers. However, as Linux usage increases, it will begin to be targeted more frequently. With Linux, it may take the hackers a little longer to find security holes, but they will find them.
Getting back to my point, this new worm isn’t 100% Microsoft’s fault. Did their code have a bug that could be exploited? You bet. As usual, it has to do with a buffer overrun. But Microsoft did catch it and posted an update for it a month ago. The original notice was posted on July 16th, 2003. So I just have to ask the question, “What was everyone doing when Microsoft posted the update?” Microsoft isn’t just posting these updates for its own enjoyment, even though sometimes you have to wonder.
At some point, especially in the case of businesses, you need to hold the administrators accountable for making sure their equipment is up to date. I know that network administration means providing support for a whole host of systems. But I’m sorry, part of an administrator’s responsibility is security, and that includes updating the various systems as needed. Except in the case of service packs, most Microsoft updates can be applied without any issues. I have always maintained that service packs need to be tested before rolling them out. If you are not using the automatic update service on every machine, you can use solutions like SUS that can handle the updates for you with more control. Simply put, when an update is available and you didn’t install it, don’t blame Microsoft. I, for one, don’t want to get busted by my boss because of a virus or an attack that was preventable. That’s what I get paid to do: be proactive, so my systems don’t go down.
Home users are another issue. Obviously, the lack of knowledge about applying updates to a computer must be considered. But let’s face it, as annoying as it can be at times, the automatic update service can handle these issues with very little input from the user, except of course when the user turns it off. In the end, it’s their responsibility to deal with new updates too. Sadly, most users don’t take the time to improve their knowledge of computer basics. Like it or not, Microsoft has to consider this issue, which is why the automatic update service was created.
Lastly, let’s consider this: if and when Linux usage increases and becomes as big as Microsoft or bigger, these same issues are still going to apply. Users both in business and at home are still going to need to do updates as they become available. The operating systems may change, but the administrative responsibility is still there.
Karl J. Sak is a (responsible) System Administrator
I thought that I was reading flame bait.
We do not update our systems for every Microsoft exploit. It is not due to negligence nor apathy. It is because many “hotfixes” break other software applications. Also, the logistics of distributing patches to a large number of computers is huge. With our UNIX clients we have a system called Proto that allows us to roll out fixes and configuration changes instantly. One admin. can update +300 clients at a single time. There is no such mechanism for Windows unless you buy a very expensive management suite. The labor costs for managing and updating Windows are staggering. If we were to multiply that times every Windows exploit we would go out of business.
Finally, I disagree with your logic. Windows is not vulnerable because it is so prevalent. It is vulnerable because it is poorly coded by people who for a very long time did not consider security to be important. By your logic Apache should be compromised all the time. It is the dominant web server. However, there has been only one root compromise that I know of and it was fixed years ago. Also, web servers are exposed to the Internet constantly. How do you explain that?
Regards,
Joe Kotran
Lead Systems Administrator
I live in India, where Internet speed is very slow. Updates? Out of the question?
“By your logic Apache should be compromised all the time. ”
Well, looking at zone-h.org, it seems that most attacks are on Apache because there are more around
ZONE-H TODAYS VERIFIED ATTACKS
70 single IP
356 mass defacements
Linux (69.5)
Win NT9x (15.0)
Unknown (12.4)
FreeBSD (1.2)
Win 2000 (1.2)
(0.7)
Though I agree with Windows being attacked more because it’s more used, I would also think that Windows budges a lot easier. So while attackers might concentrate on another system in the future, they won’t have it as easy as today’s win32 script kiddies
Well, as much as I’d like to throw the blame on Microsoft, you have a very valid point. However, you have to admit that it is a lot to ask for the average Windows user to check for updates every so often or to trust Microsoft’s Auto Update feature.
However, I would definitely be more likely to update my system if I didn’t have to stop doing what I was currently working on, close down all of the programs I’m using, and allow the system to update (usually one patch at a time) and reboot the system for every single patch.
In conclusion, I agree with you that it is the fault of the user if his or her system is not updated with the latest patches, but I can’t help but think that the Windows Update utility could be improved upon to encourage users to take advantage of it.
But Apache is a bad example. Apache is a very small and simple piece of software, while Windows is large and bloated. Linux is also large and bloated in comparison to Apache.
What we need is liability laws for software.
As soon as vendors become liable for the quality of their software you can bet the quality will improve rapidly. Then virii will have to become a lot smarter before they get in anywhere.
It applies to every other industry, why not computers as well?
You don’t hear of skyscrapers falling down very often, when they do it’s major news. We can build complex things without failure, why do we not do the same with software?
Users and Administrators are left to pick up the pieces while companies like (but not restricted to) Microsoft reap the rewards.
As of 5 August 2003, there are currently 21 unpatched vulnerabilities in Microsoft’s Internet Explorer OS components.
http://www.pivx.com/larholm/unpatched/
Including several serious vulnerabilities for which Microsoft has chosen not to release an update to close the hole well past a year of the public discovery of the vulnerability.
In most cases Microsoft rush to put out a fix only when a vulnerability is close to being actively exploited. Too often the updates have had inadequate deployment testing, breaking existing setups involving Microsoft’s own software, or more often, third-party vendors’ software.
Performing an enterprise wide Microsoft update can be like playing Russian Roulette with an automatic pistol.
Also how many of Microsoft’s critical updates were for vulnerabilities discovered within Microsoft? Being “Trustworthy” requires that you should close and check your own doors and locks.
Quoth Joe: “It is not due to negligence nor apathy. It is because many ‘hotfixes’ break other software applications.”
Got it in one.
Users must weigh the risk of contracting the virus vs. borking their system up. And this counts for ANY operating system.
I don’t install any new OS update or patch on my machine until about 2 weeks after it comes out — let everybody else be the guinea pigs.
The last time I checked (a few days ago) there was *no* patch available for NT4 pt_BR and the English patch refused to install in a system with another language.
I completely agree with you. Having to shut down all open programs (including, and ESPECIALLY virus programs) is a huge inconvenience. I work at a computer shop, and once a computer leaves our shop to Joe User’s home it is never updated again. When SP1 for XP came out it destroyed many people’s Windows, so it has been our policy to turn off automatic update and send a pamphlet on how to update manually with the computer. Of course, it never gets done, but even if auto update was enabled people would just hit “Remind me later” or whatever it is.
Of course, it’s not all bad. Generally we can salvage people’s data by physically removing their hard drive and putting it in a bay. It’s kind of a pain, but I think corporate people have much much more to lose from a worm. I guess that’s why big companies have IT professionals on the payroll, to head this kind of thing off at the pass.
http://zone-h.org/en/defacements
Almost all of them are Linux/Apache setups, as of 8/20. Curious. I wouldn’t have expected that.
[Thanks to dabooty for the link]
Users/admins are indeed responsible for keeping their computers up to date. I find it strange not to read anything about massive amounts of IT staff being fired… they should be imho.
A month should be plenty of time to test and roll out a patch on any number of computers (even if you’re slightly understaffed)
It’s true that sometimes MS patches break other stuff. That’s Microsoft’s fault. It looks like they test their patches as little as they do with their other products. I have no idea why people keep on accepting this… 🙂
Microsoft’s patches are way too big too. Who wants to download ~40mb (or how much is it to get xp up to date?) on a slow dial-up link? These patches probably contain entire executables, not just binary diffs. Or does xp have that many problems?
And as Windows is pretty unscriptable, there’s no way to automate patch installation on a large number of hosts. Again, I don’t understand how people can even consider using Windows for a large installation when such an important feature is lacking…
I’ve never had any problems with patches (I run OpenBSD), and it’s almost trivial to write a script that rolls them out to any number of networked hosts. It gets even easier if they’re all the same arch. But, oh, I almost forgot, the system I use isn’t userfriendly… *rolls*eyes*
Almost all of them are Linux/Apache setups, as of 8/20. Curious. I wouldn’t have expected that.
You missed something. Those are not Apache (per se) defacements. They are defacements of php code included in vulnerable phpnuke portals.
Apache wasn’t compromised. The PHP portal that manages the dynamic pages was, though it’s often impossible to do something more than a defacement if the web server is safe (apache in this case, could be others).
Your opinions are missing something. There was also a glitch in the Microsoft update system that would tell users they were up to date, when they really weren’t. The glitch would update the user’s registry, and not apply the patch.
I would say that this is entirely Microsoft’s fault, and that it seems to me that it is a pretty fundamental function that should be pretty much near perfection.
I update my computer about once a week. Usually when I’m doing something else when it’s not an inconvenience for me. If you don’t want to patch because of the reboot issue, update when you’re doing something else, like eating dinner or watching TV.
I have yet to have a patch mess something up, but I’m not running specialized software either. Just good old off the shelf programs.
This was also a politically motivated attack. People aren’t going to spend their time coding viruses and hacks for programs they consider ideologically pure and just; they’re going to spend their time trying to embarrass programs considered evil. This whole situation is a very complex issue.
By the way, there’s a linux worm out. Check out http://www.nai.com
Anyway, I’ve spent last week and most of this week dealing with virus issues because the SysAdmin where I work is a die hard linux will cure everything zealot with a pathological hatred of microsoft. He actually told us that we weren’t to put patches on until it was clear we actually needed them, meaning after the fact. If we had put the patches on, it would have taken us about a day to touch every machine instead of the week plus of cleaning things up.
An ounce of prevention IS worth a pound of cure.
He actually told us that we weren’t to put patches on until it was clear we actually needed them, meaning after the fact.
You mean patches in windows boxes? Perhaps he had a point there. Certain upgrades from MS caused “collateral damages”, like some Service Pack in NT4 that screwed tcp/ip networking.
That’s why many windows admins prefer to wait for the upgrades to be extensively proven before applying them to production boxes.
Anyway, I’ve spent last week and most of this week dealing with virus issues because the SysAdmin where I work is a die hard linux will cure everything zealot with a pathological hatred of microsoft.
Sounds like a very smart man to me! Wish I worked for him! 🙂
Where I work at the helpdesk staff are leery of applying Windows updates for fear that it will break the apps or the OS. From talking to people this is a common concern.
Also the “Windows is being targeted because it has more marketshare” is only half true. Hackers target Windows because it is a paper house. Having 96%+ of the market doesn’t change the fact that it was not designed with security in mind. If Windows had 1% marketshare it would still be targeted and it would still be poorly designed security wise.
“Apache is a very small and simple piece of software, ”
The binary is 1.5 Megs in size. I don’t consider that “small and simple”. For a single program with no GUI, that is pretty big.
Is that Linux/DDos-Ferlect you’re referring to? That is not a worm, it is a Trojan. That means that it doesn’t replicate itself; it sits on a computer and cooperates to do a DDoS-attack.
The only way to get infected by this thing is by someone running the executable on the computer. That’s a *whole* other thing than auto-replicating viruses and worms.
Joe, I suggest you go look on Google for PSTools, in particular a tool called PSEXEC. Tie that command together with a small vbscript that pings a subnet and executes PSEXEC when it finds a machine. You can have all your machines that are on your network patched without leaving your seat. I had 400 odd machines patched in one hour.
It’s too easy to blame users for problems such as MS Blaster. While so many people rush to defend Microsoft’s products, Microsoft’s main website has been protected by a Linux server for almost a week (according to Netcraft). My question is: if Microsoft executives are so interested in security, how come Windows doesn’t have a tool that would slow down DDOS attacks? There are such programs for open source OSes. Are all Windows users (corporations included) supposed to hide behind a Linux or BSD server? What does it say about the purveyor of the OS itself?
The Sun RPC code has been rife with vulnerabilities for years. Why didn’t Microsoft carefully audit their implementation all this time? Isn’t it that same company that hires thousands of (part time) programmers every year? By the way, it was the Last Stage of Delirium Research Group that discovered the vulnerability, not some Microsoft employees.
Many guys, myself included, rant against Microsoft. Granted, our complaints can be easily dismissed. But what about those who possess the knowledge about operating systems and whose evaluation of Microsoft’s OS is: “they don’t care about either quality assurance or good design”?
Do we have to dismiss these experts as lunatics too?
The notion that there are lots of attacks against Windows because it’s too prevalent is bogus. Millions of people use Macs but I’ve yet to hear that some nasties propagated through the internet via an army of G4 zombies.
>> “People don’t want to take the responsibility for updating their computers…”
Well I did and many other people I know did. And I also know many other people didn’t. “People” is just too vast a generalization here. This is what corporations now want to use as an excuse for automatic updates. As far as I am concerned automatic updates can exist as far as they are not forced on the user if he/she chooses not to. And, it should be opt-in not “opt-out”. Sheesh.
Nicholas I hear what you are saying. However if it’s someone’s intent to compromise the structure of the “skyscraper” I don’t think you could necessarily hold the builder responsible just because they were successful.
I don’t know why on earth MS leaves all those ports open though.
I can understand lots of things, but this is not one of them:
Certain upgrades from MS caused “collateral damages”, like some Service Pack in NT4 that screwed tcp/ip networking.
Certain upgrades from Redhat also cause “collateral damages”, so what? This is the case for all OSes. If you buy products from Microsoft, then talk to them, tell them what you need. If they still don’t do it, they are going to lose customers. But “they write poor code, they are evil” type of arguments are stupid.
By the way, Dekkard, I quoted your words, but my reply is not against you, just that particular logic. What you say makes perfect sense. So “you” here refers to people who blindly say that patches break things up so they can’t apply them.
Also I am an XP user, I didn’t have this problem. I didn’t do much. Automatic update thing handled everything perfectly. However, obviously the current situation shows that there are still lots of things to be done. I view this current problem as a general challenge for everybody, not just Microsoft. I am sure Redhat and others will also learn from this experience. It is not just a Microsoft thing.
I have a 3-PC network running at home. All PCs use Win-XP.
I never download any patches from Microsoft. I have seen too many patches that don’t work or break other software.
Instead, I have a router with a firewall. I also have software firewalls and antivirus on each PC and I DO keep these up-to-date. I feel more secure this way and do not need to rely on Microsoft for security.