The myth of the four-minute Windows survival time

My buddy Dwight Silverman of the Houston Chronicle has a barnburner of a post today whose key message can be boiled down to a simple phrase in all caps: PATCH IT, DAMMIT! (That’s Dwight’s phrase, from an e-mail exchange we had this morning about this very post.)

I agree completely with what I see as Dwight’s overarching message: computer security is serious business and complacency can have dire consequences. Absolutely right. But I cringe at the fear-based presentation from SANS, which is unnecessarily alarmist and seriously outdated.

Let’s start with Dwight’s headline:

Average time to infection: 4 minutes

That’s alarming. And so is the nut graf, which appear just above a chart that drives home the point visually:

Here’s how poisonous the Internet environment is these days: According to the SANS Internet Storm Center, just connecting an unpatched Windows XP system to the Internet can result in a malware infection in an average time of four minutes.

The implication is that you don’t dare connect to the Internet without full body armor. A casual reader would take away this message: if you go down to your local outlet mall, pick up one of those last remaining Windows XP machines, and then plug it directly into a cable modem, you’ll be infected within minutes. That is simply not accurate. And Dwight hints at that when he says, “I actually saw this happen first-hand years ago.” Me too. I remember watching in awe as the Blaster worm jumped across networks to infect Windows machines back in the summer of 2003. But that was years ago and I haven’t seen anything similar happen since those dark days.

Neither Dwight’s post nor the original SANS post that he’s using for support mention the phrase “Service Pack 2” at all. The statistics that were originally gathered, and the chart at SANS, are based on configurations running the original RTM version of Windows XP, or Service Pack 1. (At least, that’s the only interpretation of “unpatched” that I can come up with that makes this data even remotely plausible.) That universe is small and getting smaller all the time. If you bought a new PC in Fall 2004 or later, it came with SP2 integrated and was protected from the start. If you restored your Windows installation from the recovery partition or did a clean install of Windows using the included OEM media, you’re protected as well, because SP2 is integrated into those disk images. The same is true for copies of Windows XP sold at retail in the past three and a half years. (To be fair, Dwight added a reference to this fact in an update after our e-mail exchange. And if you follow the SANS links you eventually get to the Vista-ready, post-SP2 update of their guide to hardening Windows, which explicitly calls out the “significant improvement [of SP2’s default enabling of the firewall] in particular for home users” )

What’s the difference? XP SP2 was a line in the sand against network-based attacks. What Dwight calls the “rudimentary firewall” in Windows XP SP2 is on by default, blocking all unsolicited incoming connections until you allow them. It’s been remarkably effective. I’d like to see someone try this experiment with both XP SP2 and Vista in their default configurations. I strongly suspect that either system would be able to remain up and running indefinitely and would not be compromised without the participation of the user. If that weren’t true, then the Blaster worm would have had a successor and we’d be talking about it here. In short, that alarming headline and the “ticking time bomb” message simply does not apply to you if you have a reasonably modern Windows PC built in September 2004 or later. Yes, you should finish applying the latest updates to the OS and all potentially vulnerable applications (Acrobat, Flash, QuickTime, iTunes, etc.) before you begin using a network-facing PC for the first time, but you’re not at risk of having your system compromised if you decide to go to lunch before getting to that phase of setup.

If you’re using an older machine, originally shipped with a pre-SP2 build of Windows XP, you presumably installed SP2 years ago. If you need to reinstall Windows using that old, vulnerable version, just enable the original Windows firewall before you plug into the Internet. Or, better yet, download XP SP2, burn it to a CD, and apply it to your Windows machine before you plug in that Ethernet cable.

Back in 2003 and 2004, it was indeed appropriate to make sure people knew about this statistic. Today, not so much. Default settings for Windows these days certainly eliminate the possibility that you’ll get fragged just for plugging in a network cable. Yes, installing updates regularly is an essential part of a defense-in-depth strategy. Anybody who thinks they can ignore updates is a fool. But that’s only one part of a much larger awareness of security issues (which apply, by the way, even if you’re using a platform other than Windows). You should be running as a standard user, and your network should be behind a hardware router, and all connected PCs should have up-to-date antimalware protection in place, and you should avoid the kinds of behaviors that might take you to unsafe websites, and you should be vigilant of phishing attempts… In short, security awareness isn’t something you just think about once or twice a month, when patches arrive, but is a part of the overall way you approach computing.

10 thoughts on “The myth of the four-minute Windows survival time

  1. I’m actually starting to give up on AV thanks to built-in Windows protections and patches. Not 100% completely AV-free – it’s installed, just not actively running or scanning. It just sits there so that when I feel the least bit cautious about a file I just downloaded I can scan it. At work, I took AV off completely.

    Staying secure is really a matter of common sense anymore. The problem is there are still far too many security-unaware users out there.

  2. Yep, I gave up using active AV too, since i’m using Vista. And when in doubt over something i downloaded from the net, i upload it to, where it is checked by some twentysomething different AV scanners.

    That gives you more peace of mind than a single scanner, although the number of false positives I often get (some scanners seem to flag nearly every file as “suspicious”, as long as it’s executable in some way) sheds a harsh light on marketing practices in AV land: when in doubt, flag it; that way, your user will assume you’re hard at work to protect him…

  3. I ran XP SP1 for years without a router on a cable modem. Never compromised. I did have the firewall on.

    Honeynet has a decidedly pro-Linux bias and their Windows “tests” seem ancient (and poorly documented) if you go to their site.

  4. Yes – I suppose, unfortunately, the group of people without routers overlaps heavily with the group still running pre-SP2.

  5. I would agree that SP2 fixed most remote issues. I wouldn’t trust even an SP2 to be permanently connected to the internet without a router to protect it, but I’m just paranoid like that. I do use an SP2 machine at random wireless access points.

    I was just talking with someone about this yesterday, and I was wondering if the much lowered rates of infection have more to do with that routers now cost less than $20, and so everyone has one, and so even the folks running win95 or XP SP1 (or 0) are much better off than they used to be.

  6. I don’t run any security software whatsoever apart from what comes ‘in the box’ with Vista (my workstation) and XP SP2 (my laptop). No antivirus, no additional malware protection, and the software firewalls are left in their as-supplied defaults.

    The workstation has been running and connected to the Internet continuously for 4 1/2 years (2 1/2 running Vista, XP SP2 prior to that). As a precaution, twice a year I run the on-line Kaspersky scan to check my machines, and they are always clean as a whistle.

    I attribute this to my off-the-shelf ADSL router, which offers the usual NAT plus the standard firewall features. As far as I can tell, they shield you from the vast majority – perhaps all – of the non-user-initiated attacks out there.

    I also practice the most basic ‘safe surfing’, where I don’t download from pirate software torrent sites, and so forth. It requires just the minimum of common sense.

    So there you go: my machine has been connected to the Internet continuously for 4 1/2 years – first running XP SP2 and then Vista – via a bog-standard router, and hasn’t had one single malware attack whatsoever.

    For me, anti-virus and anti-malware software is a waste of money.

  7. Sorry – minor mistake. 1 1/2 years running Vista, not 2 1/2, of course!

  8. The worst part of this nonsense is not just that they run a completely unpatched ancient OS, but they connect it directly to the internet on a completely unfiltered line (good luck finding one as a private citizen), fail to document it and most definitely fail to replicate the results. A few years ago it was twenty minutes, we tried to replicate this in PC Labs (Benelux) with no effect. Remember that 20 minutes for an infection (and moreso 4) is something we should be able to replicate and measure if true. Our unpatched test machines just sat there unused for days without firewalls on a direct connection and nothing happened. What did we prove by doing that? Actually, absolutely nothing, so that would be about the same as what these people prove.

  9. It’s funny that I ran across this article today, I just had a user mention this, and I told them that I doubt the stats are still the same, now that everyone has a NAT firewall.

    There aren’t too many people these days who are out there without a firewall of some sort, but I didn’t even think that the tests must be done with a XP load without SP2.

    I remember when code red came out, people were getting their IIS servers infected left and right. Reloading them, and wondering how they were infected again. The number of infected servers in Korea were mind boggling. I was surprised the Microsoft waited until 2003 R2 to turn the firewall on until after updates have been applied.

Comments are closed.