Worm attacks ABC, CNN, New York Times

Last week, Microsoft issued a critical update for a serious vulnerability in Windows 2000 and versions of Windows XP before Service Pack 1. Today, a worm that exploited that vulnerability hit some of the United States’ media giants:

A computer worm shut down computer systems running the Windows 2000 operating system across the United States on Tuesday, hitting computers at CNN, ABC and The New York Times.

Around 5 p.m. computers began crashing at CNN facilities in New York and Atlanta. ABC said its problems began in New York about 1:30 p.m.

There is no excuse for these companies being unprepared for this. After CodeRed and Sasser and Blaster and other similar worms, the IT departments at these companies should have been ready to deploy critical updates like this one for any operating system, not just Windows. We’ve known for years that exploits like these can go from proof-of-concept code to a full-fledged destructive worm almost literally overnight, as this outbreak proves once again. Even if they weren’t prepared to deploy a patch immediately, basic firewall software and a network configuration that blocks ports 139 and 445 from entering the network (all documented in the Workarounds section of this security bulletin) could have prevented the spread of this worm.

If you’re running Windows 2000, better check your security settings. You’re definitely at risk.

9 thoughts on “Worm attacks ABC, CNN, New York Times”

  1. Ed,

    Why in the hell (sorry) are there so many bugs in Windows in the first place? Patching the computers is the second thing. If Windows had been more secure, there would be no need to patch it every month.

    Praveen

    PS: The applications I use run on Windows only, or else I would have said good-bye to Windows years back.

  2. Wouldn’t a basic hardware firewall protect against stuff like this?

    It seems unbelievable that companies like that wouldn’t have basic protection.

    John

  3. A hardware firewall only protects from the outside…all it takes is one laptop user that is infected at home then goes to the office and the entire network can get hit if they aren’t patched.

    It is pathetic so many major companies don’t even have a handle on security, never mind all of the home users and small businesses.

  4. I used to share these same views. Then I became the sole systems administrator for a small (~70 machine) company. It sounds so easy, doesn’t it? It’s just a simple little 2mb patch… what’s so hard about keeping your machines up-to-date?

    You say that when you have 1 computer to take care of. What about 10? 20? 50? 100? Then it becomes a significantly different beast. Even deploying Microsoft’s Software Update Server (SUS, now WUS or WSUS.. one of those new acronyms) doesn’t make it foolproof. You still have to take the time to keep up-to-date on security news and then remember to go in and approve newly released and downloaded updates. After that, you have to wait until your next update cycle comes up before client machines will even start to try and download it.

    Even if you’re on your toes, sitting and watching for new alerts 24 hours a day, we’re still probably talking at least a 24 hour response time before your update window rolls around again (ours is 3am every morning). Who’s to say even that is fast enough?

    The next problem you’ll run into is the randomness of the Windows environment. Oops, for some reason this client decided not to download the patch. Again, unless we’ve got Microsoft’s Systems Management Server (SMS) running, or some other package constantly auditing machines (which no small company is going to have), as well as someone sitting watching this stuff all the time, we’re not even going to know.

    Add on pure misconfigurations (which are going to happen, don’t even try to say they aren’t) and other anomalies and it’s bound to happen.

    As Chris G. said, hardware firewalls are only going to protect against outside sources. We’ve also got email, laptops, PDAs, USB drives, floppy drives, CD ROM drives, the list goes on and on. In this day and age, with the tools available (and at the prices of some of them), it’s impractical and almost downright impossible to run firewalls on each individual client machine, so once a machine on the network is infected, it will spread like wildfire (a 100mbit – 1gbit full-duplex bandwidth-loving wildfire to be precise).

    My point through all of this is that while it sounds so incredibly simple to secure a network against a KNOWN vulnerability, the reality of the situation is far more complex and unpredictable. Sure we would expect large multinational corporations to have the IT staff (and money) to combat all these issues upwards of 98% of the time, but in reality it doesn’t always happen that way.

    Besides, for all we know they have. 100% is an unattainable goal, and we have no idea of the scope or impact of these “shutdowns” and “crashes”. This might have been part of their margin of error. It also might have been 3 computers at each facility that just seems like big news when old-school media get ahold of the information from “sources”.

    So let’s go easy on these guys and stop the name-calling poo-flinging flame-war before it begins, shall we? They’re just doing their jobs, and for all we know, very very well…

    As for Praveen’s comment about Windows bugs: I have never seen any hard proof that there are in fact any more / less bugs in one operating system versus another. Your argument is a constant stand-by for Open Source advocates, particularly the *nix folk. The reality here is that Windows occupies 95% of the world’s computers. If we actually ratioed everything out and did our math, we may well find that Linux / Mac OS X / Your Toaster has exactly the same ratio of bugs as Windows in relation to its scale of adoption / publicity.

    Like I said about patching above, 100% is an unattainable goal. There will ALWAYS be bugs. Go find some bug trackers on Sourceforge and see how many problems are reported for a simple little open source project. Now envision Windows, 1000s of times more complex. Again, what’s the ratio of bugs to code in comparison to user base and popularity? Is it really that it’s less secure, or is it just more visible, popular, and media-focused? I don’t know, but I have a feeling it’s no less secure or buggy than anything else of its size, complexity and use.

    NOTE: As I glance back over at the original entry Ed posted, I see that the bug apparently only affects Pre-SP1 machines. That’s a little more than a 24-hour-earlier patch. Not having SP1 on machines is pretty bad, but some of my other points are still valid (such as scope of the problem and percentage and margin for error).

    With that, I’m off to bed. I plan to post this entry to my blog in the morning, since I think I’ve made some good points. If you’re interested in flaming me, please do so there…

    And before anyone labels me as a Windows / Microsoft addict, let me clear the air by pointing out that I am posting this comment from my laptop running Fedora Core 4…

  5. “As for Praveen’s comment about Windows bugs: I have never seen any hard proof that there are in fact any more / less bugs in one operating system versus another. … If we actually ratioed everything out and did our math, we may well find that Linux / Mac OS X / Your Toaster has exactly the same ratio of bugs as Windows in relation to its scale of adoption / publicity.”

    Wishful thinking by the Windows apologists. Just look at security exploits for the Apache web server vs. Microsoft’s IIS — despite being deployed in greater number, Apache still has fewer holes than IIS does.

    The simple truth is that the development of Windows is driven first and foremost by Microsoft’s business goals, and security is an afterthought. If opening a security hole makes it easier to track your web-surfing patterns (making it easier to gather demographic data and sell you more ads), or makes it easier for Microsoft to check what software you have on your PC (gotta watch for piracy!), then it’s TFB for you. Such practices wouldn’t work with Linux, since the open-source nature means these flaws get spotted quickly and squashed. They also don’t work with MacOS X because Apple isn’t led by a bunch of opportunistic dipsticks.

    But keep repeating the mantra about “Windows gets more flaws because it’s popular” if it helps you sleep at night. Everyone should have a favorite fairy tale or two to cherish.

  6. I posted this commentary / response on my blog here. It’s duplicated here to further the conversation / flame-war…

    It always amazes me how bigoted and hateful Windows-haters can be. If you’ve read my recent post about the comment I left on Ed Bott’s blog, you’ll no doubt find that I was very level-headed and open-minded. I was very reasonable about my approach (I think), and willing to accept any proof to the contrary. Nowhere did I explicitly refuse to accept that Windows may in fact have more native security vulnerabilities, nor did I do the opposite, insisting that it most certainly did not have more native vulnerabilities. My exact quote? “I have never seen any hard proof that there are in fact any more / less bugs in one operating system versus another.” That means that everything is subjective, because there is no empirical data present to support either argument. How then, did I get this reaction? (Notice in particular the areas I have bolded.)

    “As for Praveen’s comment about Windows bugs: I have never seen any hard proof that there are in fact any more / less bugs in one operating system versus another. … If we actually ratioed everything out and did our math, we may well find that Linux / Mac OS X / Your Toaster has exactly the same ratio of bugs as Windows in relation to its scale of adoption / publicity.”

    Wishful thinking by the Windows apologists. Just look at security exploits for the Apache web server vs. Microsoft’s IIS — despite being deployed in greater number, Apache *still* has fewer holes than IIS does.

    The simple truth is that the development of Windows is driven first and foremost by Microsoft’s business goals, and security is an afterthought. If opening a security hole makes it easier to track your web-surfing patterns (making it easier to gather demographic data and sell you more ads), or makes it easier for Microsoft to check what software you have on your PC (gotta watch for piracy!), then it’s TFB for you. Such practices wouldn’t work with Linux, since the open-source nature means these flaws get spotted quickly and squashed. They also don’t work with MacOS X because Apple isn’t led by a bunch of opportunistic dipsticks.

    But keep repeating the mantra about “Windows gets more flaws because it’s popular” if it helps you sleep at night. Everyone should have a favorite fairy tale or two to cherish.

    His point about IIS vs. Apache is somewhat relevant. Of course one could also claim that it’s because Apache is generally more complex to set up and is therefore run by more knowledgeable people than its Windows counterpart. I’m not saying I personally believe that, I’m simply trying to point out counterpoints that may open someone’s eyes and get them to stop blindly hating Windows because it’s Windows and manufactured by Microsoft…

    I guess it is true what they say: It’s lonely at the top…

    Got a response? Post it in the comments here.

  7. According to Secunia, Apache 2.0 has been affected by 25 vulnerabilities, and 1.3 has been affected by 15. In comparison, IIS 4 has been affected by 6, 5 by 11 and 6 by 2. I’m not sure, but I think IIS may actually have had less vulnerabilities. I don’t think I’m going to bother to check the severity of them, though.
