It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
- To: michealespinola@xxxxxxxxx
- Subject: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
- From: "Fergie (Paul Ferguson)" <fergdawg@xxxxxxxxxxx>
- Date: Wed, 17 Aug 2005 16:36:09 GMT
It's not that simple.
Why such success with a worm targeted at specific
vulnerabilities in Win2k?
I'll tell you why -- the answer is spelled out (correctly)
in an article written by Ina Fried in a June 28th, 2005,
C|Net News article entitled "Windows 2000 moves to the
back burner", which discussed Microsoft's end-of-life
support for the OS platform.
Here are a couple of key excerpts:
[snip]
Microsoft on Tuesday issued what is expected to be its last significant
revision of Windows 2000.
The software maker released what it calls an Update Rollup for the 5-year-old
operating system, which is due to shift at the end of this month from receiving
mainstream support to extended support. Microsoft does not generally add
features to a product under extended support, and the Update Rollup is largely
a collection of previously released patches as opposed to a batch of new
features.
In addition to already released fixes, the collection "may contain fixes for
non-public low- and moderate-level security issues that did not warrant
individual security bulletins," a Microsoft representative said.
[...and:]
Although Windows 2000 has been followed by several other Windows versions, the
software remains extremely popular in corporations and small businesses. It
still accounts for nearly half of all Windows-based business desktops,
according to a recent survey by AssetMetrix.
[snip]
http://news.com.com/Windows+2000+moves+to+the+back+burner/2100-1016_3-5766696.html
So there you have it -- there's still a LOT of Windows 2000 out there...
Having said that, you also have to realize that from the time
the MS05-039 vulnerability was disclosed (and the exploit code was
released the same day), to the time that very large enterprises
had to deploy it was very, very short compared to threats of the
past.
That's why organizations like San Diego County, with ~12,00
Win2k hosts, were bitten so badly.
http://www.signonsandiego.com/news/metro/20050817-9999-7m17worm1.html
It's just not that simple...
- ferg
-- Micheal Espinola Jr <michealespinola@xxxxxxxxx> wrote:
Thanks for correcting my spelling error.
You mention that this issue "will have little or no presence on
consumer systems", but you do realize that you are writing for the
"Enterprise News & Reviews" magazine, eWeek - right? You also realize
that MS05-039 affects the current "consumer" version of Microsoft
Windows (aka Windows XP) - right?
You also say, "If it had been International Paper or some company like
that rather than media outlets I suspect it wouldn't be getting all
this attention". While this is likely true, this exemplifies the need
to take security matters more seriously. MS05-039 was issued on
August 9, 2005, and major companies were still exploited 6 days later.
Your own story emphasizes the lack of consideration that is still
being given to security vulnerabilities, even though Microsoft is
continuously scrutinized at a product level for what is increasingly
related to poor administrative and security practices.
Applying this particular patch takes mere moments to download (a
500-600k file depending on your OS), moments to install, and a
recommended reboot (although only 3% of the systems I personally
patched technically required it).
The entire procedure for patching a single system would require less
than 5 minutes to perform (omitting the time of the reboot).
Distribution of this patch on scale is also relatively trivial for
someone whose position it is to do it.
Trivializing this (or any) security patch is quite a gamble. As
Security Center Editor for eWeek, it surprises me that you would take
such a position. Any vulnerability that would allow for remote code
execution and elevation of privilege should be treated as a top
priority, from both internal and external attack vectors. An issue
such as this should not be treated as a likelihood; it should be
treated as a possibility. When you think in this manner, your
priorities change.
I'm not trying to badger you, but in light of the Disney, CNN, ABC,
and The New York Times mishaps (amongst others), I must admit that I'm
glad I don't follow your column or style of advice.
On 8/17/05, Larry Seltzer <larry@xxxxxxxxxxxxxxxx> wrote:
> >>"So patch your systems, but don't miss your kid's play in order to do it.
> We've seen a lot worse than this in the past."
> >>Brilliant advise[sic]!
>
> Yeah, clearly I timed the column badly, but I still think there's more smoke
> than fire on this outbreak. If it had been International Paper or some
> company like that rather than media outlets I suspect it wouldn't be getting
> all this attention. I also think it's fair to say that when it dies down,
> relatively soon, it won't achieve the endemic status of Blaster and Sasser
> because it will have little or no presence on consumer systems.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.ziffdavis.com/seltzer
> Contributing Editor, PC Magazine
> larryseltzer@xxxxxxxxxxxxx
>
>
>
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@xxxxxxxxxxx or fergdawg@xxxxxxxxxxxxx
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/