Estimating the Time-To-Own of an Unpatched Windows PC
Posted by kdawson on Tue Jul 15, 2008 01:46 AM
from the 5-minutes-16-hours-whatever dept.
An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
Related Stories
Submission: Unpatched Windows PCs fall to hackers in < 5min by Anonymous Coward
How is this measured (Score:5, Insightful)
Re:How is this measured (Score:5, Informative)
I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.
Re:How is this measured (Score:5, Insightful)
Re:How is this measured (Score:4, Funny)
Funny thing is that Zone Alarm has had vulns (Score:5, Informative)
Re:Funny thing is that Zone Alarm has had vulns (Score:5, Informative)
Re:Funny thing is that Zone Alarm has had vulns (Score:4, Informative)
The article isn't clear, but they didn't say what version of Windows they put on the Internet. If you install slipstreamed XP SP2 or greater, the firewall would be on by default and I imagine time to owned would be much higher than 4 minutes. If you put XP with no SP on the Internet, yea, owned in 4 minutes. Server 2003 SP2 R2 locks down all incoming connections till you say go ahead and open them up after install, to let you have time to patch.
As for shipping with patches, they do. All the new Dells at work have been coming with XP SP3 on the reinstall CD and there are directions on how to create your own slipstream install CDs. Try googling "XP Slipstream". Ditto for Windows 2003 Server.
Lastly, they do continue to fix it. Windows Update still has patches for XP as needed. The rate of required patches has slowed down, but that's a good thing. They haven't had an OMG WE MUST PATCH NOW patch in a while.
Re:Funny thing is that Zone Alarm has had vulns (Score:4, Funny)
How hard would it be for Microsoft to add a patch CD to the box, or when patches are released to ship patch CDs..... to people that ask nicely for them?
It seems that it's not that hard, seeing that they already do.
Your homework for today is to find the link at Microsoft's site that lets you get a copy of the SP3 security update CD mailed to you, and post it below. Extra points if you can write a script that goes through your local phone book and orders a CD for each person.
Re:Funny thing is that Zone Alarm has had vulns (Score:4, Interesting)
Re:How is this measured (Score:5, Informative)
And from the article: "This older guide was written based on Windows XP pre SP2. One of its main features was step by step instructions on how to enable the Windows XP firewall."
XP SP2 was released in August of 2004. Why are we talking about 4-year-old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.
Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.
Re:How is this measured (Score:4, Insightful)
Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.
It could be that there is a lot of pre-SP2 install-disks out there. In the likely event of needing a reinstall you are faced with having to put a pre-SP2 XP on the net to retrieve SP2.
Re:How is this measured (Score:5, Funny)
Everybody who would be reading this article?
Re:How is this measured (Score:5, Informative)
Re:wholesale jewelry (Score:4, Funny)
Slashdot the spammers!
Re:How is this measured (Score:5, Interesting)
That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....
Re:How is this measured (Score:5, Informative)
Once the installation finished (now with the cable unplugged), sure enough, the box was infected with Code Red. No doubt because IIS installs by default (set to on) and my leaving the cable in allowed it to get infected.
I was then embarrassingly the reason for a new policy stating all installations must be done with the network cable unplugged.
Re:... and if you leave your car key in the igniti (Score:5, Insightful)
I actually forgot my car keys in my car overnight once and nothing happened. Well, this isn't LA downtown. I live in one of the cities with the least crime overall.
The problem is, with the internet, space means nothing. You essentially automatically live in all the worst cities at once; they're all right in front of your doorstep.
That's what most people forget when they deal with the internet, especially if they live in a sheltered community where it's safe to walk the streets at night. They're not used to pondering being mugged any second. But that's exactly what happens on the internet, you live in the worst kind of neighborhood, anyone out there who wants to do something bad to you is camping right in front of your door.
Don't feel special, though. They camp in front of everyone else's door at the same time.
Re:How is this measured (Score:4, Interesting)
Oh please. This is why I love Slashdot. I'm as big of an MS hater as the next guy, but those who ignore MS's progress from the Blaster days are just spewing FUD. A default Windows SP2 installation, with non-executable buffers (DEP) left enabled for core Windows services, running on supporting hardware will not get owned by just sitting on an infected network. I challenge any Slashdotter who thinks otherwise to prove it. Of course, when people start browsing porn sites with the default browser things get tricky, but that's no longer a remote, automated attack.
TFA counts *ALL* forms of attack. Even scans for obscure webserver or game vulnerabilities, Blaster type scans and ssh brute force attempts. I fail to see how these "attacks" can have any impact on a computer running a fresh install of a recent version of Windows like XP SP2, SP3 or Vista.
You can argue about security track-record all you like, and talk about why Windows is not secure by design, and how it should not be used for life support systems and ATMs [networkworld.com], and I would agree. But this is getting ridiculous.
Re:How is this measured (Score:5, Funny)
Exactly.
Everybody's long since upgraded to the Storm worm.
Re:How is this measured (Score:4, Informative)
I did exactly the same kind of "research" (for a documentation about online threats for our local TV network), here is what I did.
I installed XP SP1 (bear with me, it was the pre-Vista days), the way you got it delivered on a CD. I did nothing else (XP SP1 came without the firewall preinstalled). I turned on a network monitor to document and show what happens. Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).
Time to infection through the RPC hole was less than 2 minutes.
I did essentially NOTHING to facilitate it (besides, well, not having the machine patched at least to SP2), I just let the machine sit there, connected to the internet.
In a nutshell, if you're using XP and have one of those SP1 install discs, download SP3 before you kick the system in the gutter, put the service pack on a USB stick or external drive and install it before you connect that machine anywhere.
Offline updates (Score:5, Informative)
Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).
Andy
Typical /. Hypocrisy! (Score:5, Funny)
I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.
Re:Typical /. Hypocrisy! (Score:5, Funny)
Kinda like a high priced callgirl...and just as expensive to purchase.
But you only get to use windows for a couple of hours before you get a virus ... oh, wait ...
That's why you slipstream (Score:4, Informative)
You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.
Otherwise, there's WSUS (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).
(Not that I disagree XP was horribly insecure when it came out)
Improved odds in XP/2003 SP2 and Vista/2008 (Score:5, Interesting)
When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.
In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").
Based on a.. diary post? (Score:4, Insightful)
The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.
- (As pointed out already by numerous posters) Which version of Windows are they using?
- What activity are they using the computer for?
- Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
- How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?
The "piece" raises more questions than the answers it provides.
And these techs tell you... (Score:4, Insightful)
These tech people from Comcast or SBC tell you to plug your machine in directly. Maybe they work for the people who run botnets?
A spit on them. They seem to be as incompetent as the 'Geek Squad'
7 months and counting (Score:4, Informative)
While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted its disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.
My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.
ha! (Score:4, Interesting)
You can't lay all this at Microsoft (Score:4, Insightful)
If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-.
It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks.
Five minutes to be attacked? The internet is LOST.
Ever tried that with Red Hat 7.3 (Score:4, Interesting)
There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3
So I would be interested in the time it takes for that one to be infected.
Do they even give patches for that any more?
I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the os.
Re:Doesn't make sense (Score:5, Informative)
Re:Doesn't make sense (Score:5, Informative)
No, this type of infection is sent to random computers all over the Internet.
If one computer on the same IP range as you is infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the hard drive.
Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface.
You'll be surprised at the stuff you get without asking.
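The thread's title question ("how is this measured") and the suggestion above to watch the interface with Wireshark both come down to the same thing: timestamp the moment the host becomes reachable, then look for the first inbound packets nobody inside asked for. The script below is an added example written for this page, not code from the ISC post or from any commenter. It assumes a tcpdump-style line format (roughly what `tcpdump -n -tttt` prints), works on a constructed capture using RFC 5737 documentation addresses, and reports, per destination port, how long after the host came online it was first probed and by how many distinct sources. Inbound SYNs (not SYN-ACKs, which are replies to the host's own connections) and inbound UDP are treated as unsolicited; the worm-port table is the set of ports the Blaster/Sasser/Slammer generation scanned.

```python
"""Measure time-to-first-probe for a freshly connected host from a packet capture.

Added example for this page (not code from the ISC post or the thread). Parses
tcpdump-style lines (assumed format), keeps only packets sent *to* the host of
interest, and reports how long after the host came online each destination port
was first hit and by how many sources. Inbound TCP SYNs and UDP datagrams with no
outbound connection behind them are unsolicited by construction.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ports the 2003-2008 generation of Windows worms hammered (Blaster, Sasser, Slammer, ...):
# RPC/DCOM, NetBIOS session, SMB, and the MSSQL resolver service.
WORM_PORTS = {135: "RPC/DCOM", 139: "NetBIOS-SSN", 445: "SMB", 1434: "MSSQL resolver"}

# Assumed line shape, roughly what `tcpdump -n -tttt` prints for IPv4 TCP SYNs and UDP datagrams.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<kind>Flags \[S\]|UDP)"
)


def parse_line(line):
    """Return a dict for a bare-SYN or UDP line, or None for anything else (SYN-ACKs, ARP, noise)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": "tcp" if m["kind"].startswith("Flags") else "udp",
    }


def first_probes(lines, host_ip, online_at):
    """Per destination port: seconds from online_at to the first unsolicited packet, and distinct sources."""
    first = {}
    sources = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != host_ip or pkt["ts"] < online_at:
            continue  # not inbound to our host, or captured before it was reachable
        port = pkt["dport"]
        sources[port].add(pkt["src"])
        if port not in first or pkt["ts"] < first[port]:
            first[port] = pkt["ts"]
    delays = {p: (t - online_at).total_seconds() for p, t in first.items()}
    return delays, {p: len(s) for p, s in sources.items()}


def time_to_first_worm_probe(lines, host_ip, online_at):
    """(port, seconds) of the earliest probe against a known worm port, or None if none was seen.

    This is the number the ISC 'survival time' is really about: an unpatched host has at
    most this long to fetch its patches before the first exploit attempt can land.
    """
    delays, _ = first_probes(lines, host_ip, online_at)
    candidates = {p: d for p, d in delays.items() if p in WORM_PORTS}
    if not candidates:
        return None
    port = min(candidates, key=candidates.get)
    return port, candidates[port]


# Constructed sample capture (RFC 5737 documentation addresses), not real data.
# The host under test is 198.51.100.20 and came online at 22:10:00.
SAMPLE_CAPTURE = """\
2008-07-14 22:10:00.000 IP 198.51.100.20.1025 > 198.51.100.1.53: UDP, length 40
2008-07-14 22:10:47.310 IP 203.0.113.7.2049 > 198.51.100.20.445: Flags [S], seq 1, win 65535
2008-07-14 22:11:12.004 IP 203.0.113.88.3912 > 198.51.100.20.135: Flags [S], seq 1, win 16384
2008-07-14 22:11:12.009 IP 203.0.113.88.3913 > 198.51.100.20.139: Flags [S], seq 1, win 16384
2008-07-14 22:11:30.250 IP 192.0.2.10.80 > 198.51.100.20.1026: Flags [S.], seq 1, ack 1, win 5840
2008-07-14 22:13:59.500 IP 192.0.2.200.1434 > 198.51.100.20.1434: UDP, length 376
2008-07-14 22:14:30.000 IP 203.0.113.7.2050 > 198.51.100.20.445: Flags [S], seq 2, win 65535
"""
HOST_IP = "198.51.100.20"
ONLINE_AT = datetime(2008, 7, 14, 22, 10, 0)

if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    delays, sources = first_probes(lines, HOST_IP, ONLINE_AT)
    for port in sorted(delays, key=delays.get):
        label = WORM_PORTS.get(port, "other")
        print(f"port {port:5d} ({label:14s}) first hit after {delays[port]:7.2f}s from {sources[port]} source(s)")
    print("first worm-port probe:", time_to_first_worm_probe(lines, HOST_IP, ONLINE_AT))
```

On the constructed capture the host's own DNS query and the web server's SYN-ACK are ignored, and the first hit on a worm port (445) lands 47 seconds after the host came online. A probe is not a compromise, so this measures the upper bound on the patching window rather than the time-to-own itself; to get the latter you would correlate the first probe with the first successful exploit, which is what the honeypot studies in the summary do.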
Re:Doesn't make sense (Score:5, Informative)
I'm going to jump in, because I don't think anyone explained this.
Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like file sharing work: it has a server program which will reply when someone else on the LAN broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.
There could also be vulnerabilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.
This is in addition to getting infected by visiting a hostile site with an insecure browser.
I may not have explained this very well, but hopefully you get the idea.
Re:Um, what version? (Score:4, Funny)
Would be interesting to compare with Vista.
They tried. They ran into some obscure bug with Vista that prevents it from accessing the internet while the machine is powered on.
Re:Um, what version? (Score:4, Informative)
XP SP2 comes with a firewall on by default. Vista comes with a firewall on by default.
This only seems interesting if you're installing from your vintage 2001 XP disk.
Re:Um, what version? (Score:5, Insightful)
Which is exactly my point. We know those machines get pwned quickly, so why is this news?
Because it's about Windows and in the current trend, you don't have to bother on /. with little annoyances like facts and the truth if it's to do with Microsoft - any old shite will do if it is trying to make Microsoft look bad.
Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.
Re: (Score:3, Insightful)
Re:Honeynet (Score:4, Insightful)
How can you say this shows no improvement over the last 4 years when the test subject was an UNPATCHED version of Windows?
The article wasn't even particularly clear if it was good ol' Vanilla XP or XP SP2 or whatever.
Re:Honeynet (Score:5, Insightful)
Exactly. Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.
I'm not even sure what it is they're trying to prove - that Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?
This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when Windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?
Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.
Re:Honeynet (Score:4, Insightful)
One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?
Especially since a $20 Linksys router solves my problems, assuming I'm unable to slipstream service packs or errata or whatever?
If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install? Do I not have to go online to download the errata for that one as well? Or even the new version?
Even with the larger number of exploits for Windows vs Linux, that doesn't mean there are no exploits for Linux. So I have 20 minutes to download my patches, instead of 5? And that's some sort of median, right? Wow, that sure sounds a lot safer. I hope I make it.
This "metric" is like measuring how deep a machete can cut into your leg, or how much chlorine bleach you can chug before doubling over. Useful? Sure. Should you try it? Nope. With *any* operating system. Not even with any of the *BSDs, which I tend to trust a hell of a lot more than most Linux distros nowadays.
Looks like a slow news night for Slashdot, as usual.
Re:Honeynet (Score:4, Insightful)
Can you still buy Redhat 8?
Re:Honeynet (Score:5, Funny)
If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install?
Can you still buy Redhat 8?
Can you still buy Windows XP?
Re:Baloney (Score:5, Funny)
Fools, don't you know that all you have to do is make sure you scan any flopp
Buy Viagra Cheap at http://myipaddres/viaga [myipaddres]
Re:Baloney (Score:5, Funny)
Haha, no problem for me with my Linux dis
Buy Viagra Cheap at http://myipaddres/viaga [myipaddres]
Re:I have to call BS (Score:5, Funny)
I never patch my Windows unless it's a service pack and I run just fine... Always have my antivirus running and Windows Defender with a router with built-in firewall... No complaints for the 7 years since I built my PC....
Indeed, your computer is a valued member of our botnet.
Re:I have to call BS (Score:4, Insightful)
I never patch my Windows unless it's a service pack and I run just fine... Always have my antivirus running and Windows Defender with a router with built-in firewall... No complaints for the 7 years since I built my PC....
Would you even know if your PC was a Botnet client?
Re:Time-to-0wn with dumb NAT firewall (Score:5, Informative)
You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).
All up, the chances of anything getting through are pretty much negligible.
The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.
This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.
Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.
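The comment above lists exactly which inbound packets a consumer NAT router lets through: replies to connections the LAN host opened, packets that happen to match a live table entry (caveat c), and anything a port-forward or UPnP mapping has explicitly opened. The model below is an added example written for this page, not code from the thread or from any router vendor. It is a deliberately minimal connection-tracking table with a `strict` switch that corresponds to RFC 4787's address-and-port-dependent filtering (the router checks that an inbound packet comes from the peer the mapping was created for) versus endpoint-independent filtering (a full-cone NAT, where any source hitting a mapped public port gets through). Addresses are RFC 5737/1918 documentation and private ranges; the `upnp_add_port_mapping` method stands in for what a UPnP IGD AddPortMapping request does to the router's forwarding table.

```python
"""Toy model of a stateful NAT router: which inbound packets reach a LAN host.

Added example (not from the thread): a minimal connection-tracking table that behaves
like the consumer NAT the comment describes. It shows that an unsolicited SYN to 445
is dropped, that replies to LAN-originated connections are translated back, that an
attacker who guesses a live mapping only gets through when the router does not check
the remote endpoint, and that a UPnP port mapping punches a hole regardless of state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening SYN


class NatRouter:
    def __init__(self, public_ip, lan_hosts, strict=True, first_port=40000):
        self.public_ip = public_ip
        self.lan = set(lan_hosts)
        # strict=True: address-and-port-dependent filtering (RFC 4787): inbound must come from the
        # remote endpoint the LAN host talked to. strict=False: endpoint-independent filtering,
        # any source that hits a mapped public port is forwarded (a "full-cone" NAT).
        self.strict = strict
        self.table = {}     # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}  # public_port -> (lan_ip, lan_port), static rule or UPnP-created
        self.next_port = first_port

    def outbound(self, pkt):
        """LAN host sends a packet out: allocate (or reuse) a public port and rewrite the source."""
        if pkt.src not in self.lan:
            raise ValueError("outbound packet must come from a LAN host")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self.table.items():
            if entry == key:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt):
        """Packet arriving from the Internet: the translated packet for the LAN, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.forwards:
            # Explicit hole (port-forward rule or UPnP mapping): state is not consulted at all.
            lan_ip, lan_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)
        entry = self.table.get(pkt.dport)
        if entry is None:
            return None  # nothing inside asked for this: the worm's SYN dies here
        lan_ip, lan_port, remote_ip, remote_port = entry
        if self.strict and (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None  # a mapping exists, but this is not the peer it was created for
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.syn)

    def upnp_add_port_mapping(self, public_port, lan_ip, lan_port):
        """What a UPnP IGD AddPortMapping request from a LAN program does to the router."""
        self.forwards[public_port] = (lan_ip, lan_port)


def demo(strict=True):
    """Run the scenarios from the comment and report which inbound packets got through."""
    r = NatRouter("198.51.100.20", ["192.168.1.10"], strict=strict)
    worm_syn = Packet("203.0.113.7", 2049, "198.51.100.20", 445, syn=True)
    results = {"unsolicited_445": r.inbound(worm_syn) is not None}
    # LAN host fetches a web page; the server's reply must come back through the mapping.
    r.outbound(Packet("192.168.1.10", 1025, "192.0.2.10", 80, syn=True))
    results["reply_to_own_connection"] = r.inbound(Packet("192.0.2.10", 80, "198.51.100.20", 40000)) is not None
    # Caveat (c): an attacker guesses the live public port 40000 but is not the web server.
    results["spoof_into_live_mapping"] = r.inbound(Packet("203.0.113.7", 80, "198.51.100.20", 40000)) is not None
    # UPnP caveat: a LAN program opens a listening port through the router.
    r.upnp_add_port_mapping(6881, "192.168.1.10", 6881)
    results["after_upnp_mapping"] = r.inbound(Packet("203.0.113.7", 5555, "198.51.100.20", 6881, syn=True)) is not None
    return results


if __name__ == "__main__":
    print("strict NAT   :", demo(strict=True))
    print("full-cone NAT:", demo(strict=False))
```

With `strict=True` only the web server's reply and the UPnP-mapped port reach the LAN host; with `strict=False` the guessed-mapping packet also gets through, which is the "attacker gets very lucky" case the comment rates as tremendously unlikely. The thing the model cannot show is the comment's point (b): a bug in the router's own tracking code, which is outside any table-lookup logic.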
Re:another nonsense MS bashing piece (Score:4, Interesting)
Considering that the average Linux distro from 5 (or rather, if you want to make a real comparison since they're obviously using XP SP1 to "prove" their point, 7) years ago already came with an iptables/ipchains firewall built in and rather few, if any, remotely accessible services running if you don't want them to run (they ask you if you want to have SSH running and yes, should you enable a 7 year old version of SSH then you're vulnerable), I'd think XP would still lose.
The problem is that even if you KNOW that the RPC is a deadly remote exploit vector in XP, you CANNOT turn it off during install. With Linux, at least I have the option to avoid enabling SSH or other services that I know are no longer safe.
Re:How about a VM on NAT in a firewalled host mach (Score:5, Insightful)
Not true at all. It's a common misconception that NAT protects anything at all. Why so?
NAT uses translation routing based upon multiple inside computers to one outside address. The key here is the NAT device does NOT reconstruct packets if they are heavily fragmented. Even upper end Ciscos and Junipers are vulnerable to fragment based attacks.
The key is you construct an IP-IP tunnel to the target victim, try to guess the internal IP addressing scheme, and then use a program called Fragrouter to properly "make mal-fragmented packets". Once you do this, it will hop over damn near every router.
I think there's a setting in IPF that forces reconstruction before passing packets. That's the only defense, along with a proactive filtering in both directions.