[ISN] Windows to remain security risk for years to come

InfoSec News isn at c4i.org
Thu Apr 8 10:13:01 EDT 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,92013,00.html

News Story by Matthew Broersma
APRIL 07, 2004 (TECHWORLD.COM)

LONDON -- Microsoft Corp.'s efforts to limit the ongoing damage from
worms such as Blaster will not pay off for several years, according to
security experts.

New Windows PCs will begin shipping with security switched on by
default for the first time, with the release of Windows XP Service
Pack 2 this summer, but it will take five or six years before such
basic protections are common on the installed base of PCs, according
to a Symantec Corp. executive.

Such unprotected PCs are increasingly being used to spread worms such
as Blaster and junk e-mail, usually without the PC owner's knowledge;
a recent Symantec survey found that a system will, on average, receive
a Blaster-generated packet of data within one second of connecting to
the Internet.

"The threat will reduce slowly as we start to have security more
widespread," Nigel Beighton, Symantec's director of community defense,
said. "The industry has learned it has to ship technology with
security switched on. But right now there are millions of Windows 98
users still out there, there is still a huge number of legacy PCs
around, and it will take five or six years for that situation to
change."

Last week, Microsoft revealed that the various flavors of the Blaster
worm had infected at least 8 million PCs since it first appeared in
August, based on data from its Windows Update service. Security experts
say the company is doing the right thing by making Windows PCs secure
by default, but say such steps are only a beginning.

A major problem contributing to the ongoing spread of Blaster, Welchia
and similar worms is that new PCs are still shipped with the flaws
that allow them to spread, such as the Remote Procedure Call (RPC)
flaw exploited by Blaster, analysts said.

"The Microsoft operating system ships unpatched," said Thomas
Kristensen, CTO of security firm Secunia. "If you go online with a
broadband or dial-up connection to get the security updates, it's
possible for Blaster to attack and infect your machine."

One solution would be for Microsoft or system manufacturers to add the
security patches before selling a machine, but the decentralized,
commodified nature of the PC industry would make this strategy
difficult, experts said. "Retailers could offer a secured PC with the
updates installed, but consumers could always go and find a PC with a
lower price where you have to upgrade it yourself," said Beighton. "In
a commodity market, the consumer will always look for a bargain."

Rather than try to keep OEMs around the world up to date with security
patches, Microsoft's move with SP2 will be to turn on security
features such as Windows XP's built-in firewall, which will protect
users from attacks such as RPC exploits. This could have problems of
its own, with some industry observers predicting it will lead to a
huge upsurge in technical support calls; the firewall will block
access to services that were previously available, such as game
servers, unless it is reconfigured.

The move should make a difference -- at least to buyers of new PCs.
"Anybody who's bought an up-to-date machine in a year's time will be
in a considerably better position than they are now," Beighton said.
However, the real problem isn't new PCs, Beighton noted; it's the
millions of older machines still in use without protections or updates
of any kind.

Even if these users are diligent, they will find it difficult to
upgrade if they have a dial-up connection; Microsoft's service packs
make the updates easier to download and install, but they only appear
three to six months after a threat has materialized, Beighton said.

An alternative is Microsoft's new patch CD program, allowing users to
order a CD containing security updates for machines running Windows 98
and newer software. The CD is a one-off offering, and only contains
patches up to October 2003, a Microsoft spokeswoman said.

Most users may not be that diligent, however. Symantec found that many
worms continue to spread even after their built-in expiration date has
passed because the PC's clock has not been set properly. "That's how
ill-administered they are," Beighton said.

Blaster and its ilk represent a major new trend that has emerged in
hacking in the past three years or so, say security experts.
Previously, attacks were carried out by individuals, but now the
process has been almost entirely automated, with hackers sharing code
that takes advantage of well-known exploits.

Seventy percent of vulnerabilities in 2003 required no new exploit
code, up from 60% in 2002, according to a Symantec threat report
published last month. Symantec found that blended attacks like
Blaster, which combine the characteristics of viruses, worms, Trojan
horses and malicious code with vulnerabilities to spread an attack,
are increasingly exploiting back-doors left by previous worms.

This year, for example, the Doomjuice and Deadhat blended attacks both
made use of the back-door left by MyDoom in January, Symantec said.