1 In 3 Windows PCs Still Vulnerable To Worm Attack
CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.
Not an easy calculation (Score:3, Informative)
How much downtime is caused (money is lost) by patches that break things versus how much money is lost when machines get hacked? This isn't a Windows-only issue. I've seen Debian security releases break things too. They're a bit easier to roll back, but the problem is fundamentally an ROI or EV problem, not a technical one.
Re:router (Score:5, Informative)
There are 14 routers between me and slashdot.org, not one of them is doing any type of NAT.
Count 3. (Score:2, Informative)
You know of my parents and me, then.
They switched to Ubuntu and I to gNewSense as a result.
Re:Genuine Advantage Validation (Score:3, Informative)
I do this for my 2K system and my parents' XP systems. Not because the systems aren't legitimate but because we have dial-up and getting automated updates would take forever. I just d/l the patches at work, plop them on my thumb drive and install.
One caveat. Every so often there is a patch/update which does require you to validate your system. You are notified so you have the option of not getting that update (or have a friend get it for you).
Re:Weekly updates? Still not enough. (Score:5, Informative)
Have you ever tried managing 17,000 desktops? No, didn't think so.
Most large corps run WSUS, with updates on a weekly schedule, at most. To do otherwise would cripple the network, or require such an investment in equipment and manpower as to be nearly impossible to pull off.
Having said that, most large companies also have a mechanism for quick-release of highly critical patches. I know we rolled out the MS08-067 patch to our desktops immediately, and had a 98% acceptance rate within 3 days.
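The post above measures a quick-release rollout by its acceptance rate. The script below is an added example, not code from the thread or from any WSUS product: it audits a list of hosts for the MS08-067 patch directly via Get-HotFix and reports the same kind of percentage. It assumes the hotfix ID for MS08-067 is KB958644 (Microsoft's KB number for that bulletin), that the account running it has remote WMI access, and the host names are constructed placeholders.

```powershell
# Added example: audit hosts for the MS08-067 hotfix and report coverage.
# Assumption: MS08-067 is delivered as KB958644. Host names are constructed.
$Kb    = 'KB958644'
$Hosts = @('WS-001', 'WS-002', 'SRV-FILE01')

$results = foreach ($h in $Hosts) {
    $patched     = $false
    $installedOn = $null
    $note        = ''
    try {
        # Get-HotFix returns nothing (no error) when the ID is absent, but throws
        # when the host cannot be reached; -ErrorAction Stop makes that catchable
        # so an offline host is never mistaken for an unpatched one.
        $hf = @(Get-HotFix -ComputerName $h -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $Kb })
        if ($hf.Count -gt 0) {
            $patched     = $true
            $installedOn = $hf[0].InstalledOn
        } else {
            $note = 'hotfix not found'
        }
    } catch {
        $note = 'unreachable: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Host        = $h
        Patched     = $patched
        InstalledOn = $installedOn
        Note        = $note
    }
}

$results | Sort-Object Patched, Host | Format-Table Host, Patched, InstalledOn, Note -AutoSize

# Coverage figure comparable to the "98% acceptance rate" quoted above.
$total   = @($results).Count
$covered = @($results | Where-Object { $_.Patched }).Count
'{0} of {1} hosts report {2} installed ({3:P0})' -f $covered, $total, $Kb, ($covered / $total)
```

Hosts listed as unreachable should be re-queried rather than counted either way; a WSUS report would normally be the authoritative source, and this is only an independent cross-check of what the agents claim.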
Re:Not an easy calculation (Score:3, Informative)
"I've seen Debian security releases break things too."
Can you provide an example, please?
Re:router (Score:5, Informative)
And it's great for all those annoying programs that try to phone home or check for updates at random times. What's that, Acrobat Reader? You want to look for an update? No, I think I'll decide for myself when it's time to update you rather than have you nag me about it every time you're opened. Tick "create rule", hit "block". Enjoy your stay in the blacklist.
ESET Smart Security. Best $50 I've ever spent on software (except maybe The Orange Box).
Re:Genuine Advantage Validation (Score:3, Informative)
They shouldn't be. WGA is pathetically easy to get around, even on pirated copies of Windows.
Don't know for sure about Office, because I've never looked into it, but for Windows XP, it's about a 30 second job to disable it, permanently.
Re:router (Score:5, Informative)
"This is why I recommend everyone have a router installed on their internet connection, even if they have only one PC. Routers inherently block almost all worms."
I think what you're trying to say is that it is important for everyone to have a firewall on their Internet connection... Not a router. Routers don't inherently offer any protection at all. Many home-grade routers come pre-configured with NAT, which does get you some basic protection... But not all routers do NAT, and not all of them give you any protection.
And an external firewall on your Internet connection only protects you so far. It might keep a worm from crawling in through your Internet connection... But it won't stop a worm from spreading once it is inside your network.
That's why it is important to control the traffic inside your network, as well as traffic to/from the Internet. Maybe it isn't necessary to run a firewall on each and every PC, but you sure as hell better be monitoring your traffic and keeping your machines patched.
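The point above is that a perimeter firewall does nothing once a worm is already inside, so traffic between hosts must be controlled too. The commands below are an added example, not from the thread: on Vista/Server 2008 and later they use the built-in host firewall (netsh advfirewall) to restrict inbound SMB on TCP 445, the port the Server service the worm exploits listens on, to a single management subnet, and turn on dropped-connection logging so lateral traffic is at least visible. The subnet and rule name are constructed; XP uses the older netsh firewall context, which is not shown.

```powershell
# Added example: scope inbound SMB to a management subnet and log drops.
# Assumption: admins and file servers live in the constructed subnet below.
$MgmtSubnet = '10.0.99.0/24'
$RuleName   = 'SMB-In (management subnet only)'

# 1. Make sure the default inbound policy is block (this is the default, but
#    state it explicitly so the allow rule below is the only way in on 445).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Disable the stock "File and Printer Sharing" group, which otherwise allows
#    TCP 445 from any address. Block rules win over allow rules in this firewall,
#    so the correct pattern is "remove the broad allow, add a narrow allow",
#    not "add a broad block on top".
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

# 3. Add the narrow allow: TCP 445 inbound, only from the management subnet,
#    only on the domain and private profiles (never on public).
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=445 remoteip=$MgmtSubnet profile=domain,private

# 4. Log dropped connections so worm probes on 445 from peer workstations
#    show up (default log: %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Verify what is now in force for the rule.
netsh advfirewall firewall show rule name="$RuleName"
```

Workstations rarely need to accept SMB from other workstations at all, so on those the allow rule can be omitted entirely and only steps 1, 2 and 4 applied; servers that genuinely serve files get the scoped allow.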
Re:router (Score:5, Informative)
"A router won't alert you when a program or service tries to access your connection, but a software firewall will."
Turn on logging and your router can notify your PC, your email, your blackberry, etc etc.
Re:Turn off rpc? (Score:3, Informative)
Killing the RPC service effectively kills the computer. Pretty much everything is dependent on it.
It's basically like running in safe mode, but without the "Safe Mode" in the corner of the screen, and with more stuff that doesn't work.
Like the Event Viewer. You can't even see the list of events in the viewer if the RPC service isn't running.
It's ugly. Don't do it.
Re:Turn off rpc? (Score:3, Informative)
Although I do use and support Windows every day, I don't claim to be an expert on the Windows services and the apps that need them....
But yes, I *do* believe you need to leave the RPC service running in most circumstances. The fact it is called "remote" doesn't imply it only relates to remote computers on a network. Rather, it means separate program modules, even running on the SAME machine. Service Pack 2 for XP turns it on by default, and even grays out the option to disable it - which is a strong hint that you're supposed to leave it running.
A list I found on the net of things that require RPC in Windows includes:
Background Intelligent Transfer Service (Used by Windows automatic updates)
Cryptographic Services (Used by Windows updates, both automatic and manual)
Distributed Link Tracking Client (Maintains links between NTFS files)
Help and Support System
Logical Disk Manager
MS Software Shadow Copy Service (MS Backup requires this)
Network Connections
Print Spooler
Protected Storage
Shell Hardware Detection (Do you want to play a music CD? You need this)
System Restore Service
Task Scheduler
TrueVector Internet Monitor (Required by ZoneAlarm, and probably other apps)
Volume Shadow Copy (Backup uses this)
Windows Audio
Windows Installer
Windows Management Instrumentation (Many apps depend on this service)
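Rather than trust a list found on the net, the dependency chain can be read from the Service Control Manager on the machine in question. The function below is an added example, not from the thread: it walks every service that depends on RPC (service name RpcSs) directly or through another service, and reports which of them are currently running, i.e. what would stop if RPC were stopped. Function and variable names are my own.

```powershell
# Added example: enumerate services that depend, transitively, on RpcSs.
function Get-DependentTree {
    param(
        [string]$ServiceName,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}      # guards against cycles and duplicates
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    foreach ($dep in $svc.DependentServices) {
        if ($Seen.ContainsKey($dep.Name)) { continue }
        $Seen[$dep.Name] = $true
        New-Object PSObject -Property @{
            Depth       = $Depth + 1
            Name        = $dep.Name
            DisplayName = $dep.DisplayName
            Status      = $dep.Status
        }
        # Recurse: a service that needs one of RPC's dependents also needs RPC.
        Get-DependentTree -ServiceName $dep.Name -Depth ($Depth + 1) -Seen $Seen
    }
}

$tree = @(Get-DependentTree -ServiceName 'RpcSs')
$tree | Sort-Object Depth, Name |
    Format-Table Depth, Name, DisplayName, Status -AutoSize

$running = @($tree | Where-Object { $_.Status -eq 'Running' }).Count
'{0} services declare a dependency on RpcSs; {1} of them are running now' -f $tree.Count, $running
```

Two caveats: this shows only services that declare the dependency to the SCM, so applications that merely call RPC at runtime (the Event Viewer mentioned above, for instance) will not appear, and the list is per machine, so it should be run on the actual system being considered rather than taken from any published list. The same information is available from the command prompt with sc.exe enumdepend RpcSs.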
Re:Not Acceptable? (Score:4, Informative)
I've worked at several places that didn't roll out patches right away. It wasn't because the IT department was busily testing the patches. It was because they were afraid of the patches, but had no time to test them.
That's typically the problem around here. We've got plenty to keep us busy on a day-to-day basis... Something is always broken, or requiring replacement, or testing, or whatever.
I hate to just roll out a patch and hope for the best. That's bit me in the ass far too many times. But I find it hard to actually come up with time to read over the patch notes, apply the patch in a test environment, and then watch to see if something happens.
Sure, this particular patch is a few months old... And it was released with enough obvious urgency that we've pushed it through and updated most of our systems... But we're still sitting on some updates that are just as old, but don't seem quite as necessary.
Re:Immune (Score:3, Informative)
If you don't do it preemptively, Windows 98 reboots without rhythm. Although in my experience, if you have all the patches and updates installed, it will bluescreen instead of rebooting. Windows XP is truly a gigantic step forwards, as by default it usually reboots when it bluescreens, too.