Microsoft Identifies, Patches Another Critical RPC Hole
Dynamoo writes "Microsoft have another critical vulnerability in the Windows NT/2000/XP/2003 line of OSes, allowing a remote attacker to run arbitrary code. In other words, this probably carries about the same risk as the well-documented RPC hole exploited by MSBlaster and Nachi. A Knowledgebase article is also available.
Given the experience of the RPC exploit, this probably gives administrators a couple of weeks to patch all the systems in their organisations. Again. Shucks, we haven't even finished patching the RPC flaw yet." You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S.
Update: 09/10 20:41 GMT by T : Reader AcquaCow suggests that administrators with multiple machines to patch visit Microsoft's Software Update Services (whitepaper), a tool for "managing and distributing critical Windows patches."
BOHICA (Score:5, Funny)
Re:BOHICA (Score:4, Funny)
Re:BOHICA (Score:4, Insightful)
Commercial (Score:4, Funny)
Re:BOHICA (Score:4, Informative)
I run Linux at home but work at a Microsoft shop, so I take what I get. I'm no Microsoft zealot, but it looks like things are shaping up a bit in Microsoft's latest generation of products. Or at least it looked that way until I found out about the new, another more different DCOM exploit.
Re:BOHICA (Score:5, Funny)
Re:BOHICA (Score:4, Informative)
Re:+5 Funny for the mods.... (Score:4, Informative)
Re:+5 Funny for the mods.... (Score:4, Interesting)
Not only that, but sometimes I kinda wish you could mod posts as just plain "Wrong" or "Stupid". Though it wouldn't really be very nice...
A critical Windows flaw? (Score:4, Funny)
Again, Server 2003 is one of the affected.
Welcome to the family!
Re:A critical Windows flaw? (Score:5, Funny)
Been there, done that... (Score:5, Insightful)
Re:Been there, done that... (Score:5, Funny)
It's not like MS has had a perfect track record with stable, non-machine crashing updates.
Re:Been there, done that... (Score:3, Funny)
Shouldn't that have been:
Given the experience of former RPC exploit, this probably gives administrators who don't know what they are doing a couple of weeks to ignore this patch for all the systems in their organisations.
Re:Been there, done that... (Score:3, Interesting)
Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volum
Re:Been there, done that... (Score:5, Insightful)
Russian roulette with Microsoft patches. Sorry, I gave up that game 2-3 years ago. I feel safer on my unpatched NT Workstation (with a few tweaks so it doesn't run worms/viruses so good anymore).
Given the "oh so helpful" descriptions of MS Patches ("This patch fixes a security hole which allows remote execution of code") and the sheer volume of them, it's a lot harder than most people think to keep boxes up to date.
If the description said what was fixed, and what files were replaced to fix it, and what those replacement files were, exactly, then you would at least be able to determine if the patch "took" or not. By withholding that information, the patches look like they work, whether or not they actually did anything. It's essentially impossible to unpatch if necessary.
Running it again found the patches I needed for the 3rd one.
If at first you don't succeed, try try again.
Gives a lot of faith in their update process, eh wot? [bad attempt at British humor]
Re:Been there, done that... (Score:4, Funny)
It never gets old
Re:Been there, done that... (Score:4, Insightful)
Windows Update is a mixed blessing where each time it is run the user is gambling that it won't break his system. The safest route with Windows is: install the OS and applications and then leave it alone for maximum stability. Then, put the damn thing behind a non-Windows firewall or leave it disconnected from the Internet entirely.
Re:Been there, done that... (Score:5, Insightful)
Re:Been there, done that... (Score:4, Insightful)
And wasn't security by wishful thinking the impetus for the problem to begin with?
Re:Been there, done that... (Score:5, Interesting)
This happens incredibly infrequently, especially considering the amazingly large amount of systems that run Windows.
I use Windows Update consistently for my Windows box, and it works great and reliably. The FUD surrounding the "user is gambling" anecdotes is amusing though. I can only remember them releasing one patch that was truly borked.
But, if you believe the safest route to Windows is to leave it unpatched behind any firewall I hope you are never in charge of any networks. I'm sure even your non-Windows machines are amazingly insecure and waiting to be exploited.
Re:Been there, done that... (Score:5, Informative)
Re:Been there, done that... (Score:3, Funny)
Must be related to the star trek movies some how, I see a pattern here..
Re:Been there, done that... (Score:4, Informative)
--
hecubas
Re:Been there, done that... (Score:4, Interesting)
The last, and most problematic for me to track down, was not strictly a Microsoft fault, but is still relevant.
We run a ~200 machine windows 2000 client network. We also run a couple of virtual CDROM servers. Upgrading to service pack 3 a while back seemed to work fine, when I rolled it out with ghost with a batch of other updates, everything seemed fine. After a few weeks though, I noticed there were a lot of problems being reported with the machines locking up periodically. After much digging and testing, it turns out the client software for the virtual CD's had a bug on SP3.
Yes, it was a bug in a third party application. But still, you can see why smart admins with big networks prefer to test patch rollouts rather than run every workstation with automatic updates enabled. Even if the patch doesn't break windows, it may well break something else that runs on it.
Still, patches need to be rolled out eventually. Laptops will happily infect any system relying on firewalls alone.
I still blame microsoft for writing code that so easily allows net-based root exploits though, that means we have to patch so damn much.
Re:Been there, done that... (Score:3, Insightful)
My guess is that you'll find it Real Hard(tm) to decide what's worse: feeling angry about being fired, feeling angry toward Microsoft, feeling incompetent, feeling bad for ruining the work
Re:Been there, done that... (Score:4, Funny)
Ooh! Daily Double!
Re:Been there, done that... (Score:5, Insightful)
The fact that WU works fine for your single box (as it does for mine) unfortunately says nothing about the regular deployment of patches in a 36'000 seat / 800 server corporate network such as ours, even if stringent QA procedures are in place. Keep in mind that security fixes mean tighter security settings and that those can lead to application problems which can be very hard to find without an inordinate amount of QA.
And by the way, SUS 1.1 might be fine for a small to medium network, but falls miserably short for large installations. We're praying that 2.0 will be better suited to our purposes because handling the pressure from the IRT case manager (who wants to deploy every fix immediately) and production (who doesn't tolerate downtime due to patch distribution) is not fun at all.
Last but not least: having things like DBMS file systems in future OS releases might be cool - but we can live without them. Me, I'd settle for an OS with less bugs and security holes, thank you very much.
Re:Been there, done that... (Score:5, Interesting)
At least Windows Update doesn't have this big fat warning that Office Update displays before you can download any patches. It basically says that the update might deliberately break your Office installation if you've got an illegal copy.
No wonder most people hesitate to install these upgrades.
Re:Been there, done that... (Score:4, Insightful)
That said, I do not think that most people that do install upgrades do so because they have illegal copies. They are simply blissfully ignorant of the possible consequences, seeing viruses, trojan horses, and worms as simply bad luck. When so afflicted, they simply say, "I hate computers," not realizing that it was all avoidable.
Re:Been there, done that... (Score:5, Insightful)
Ooops.
Patch your machines, or, let automatic updates do it for you.
Re:Been there, done that... (Score:3, Informative)
How are they supposed to know they're only supposed to download the "critical" ones? Not everyone who uses windows is a system admin - nor should they be.
Good job you don't work for me. Comments like this made at work would probably get you at least an unofficial verbal warning.
Re:Been there, done that... (Score:5, Informative)
Re:Been there, done that... (Score:5, Insightful)
All very well for your little toy box, but you shouldn't assume that a solution that works for you at home will scale up to a production environment.
Windows update breaks things. Unexpectedly and unpredictably.
Re:Been there, done that... (Score:5, Interesting)
Joy Joy.
Re:Been there, done that... (Score:5, Insightful)
The reality that BillG refuses to acknowledge in his public statements is simply that you cannot "just install the patch" in an enterprise environment. It takes time. Time to evaluate the risks of installing vs. not installing, time to test (and resolve any issues that come up), time to develop a deployment plan, time to actually implement the deployment plan, and time to audit and follow up with everyone who 1) has somehow avoided installing it, 2) is a dial-up user and can't download it easily, 3) had their machine utterly crash after the patch was applied.
Don't blame sysadmins. Blame MS for releasing patches which step on the heels of the deployment of the previous critical update. When a new patch comes out every 2 weeks, and a deployment may take 3 weeks, you've got a problem.
Re:Been there, done that... (Score:5, Insightful)
And the message is getting out. I've seen a few columns where the writer states "While Linux and Mac users had a calm week, Microsoft users were brought to their knees by ...[insert latest worm/patch/bug/fix/virus] ... and spent the last week fixing their systems, again."
Makes me wonder how they have any time to do anything else (it also explains why most of the /. crowd uses linux - we just happen to have the extra time b/c we're not patching, not fixing other boxes, etc.)
Re:Been there, done that... (Score:5, Informative)
Windows Update can really break stuff. Example: Compaq Evo n600 laptops with our Windows 2000 build. That ATI driver that shows up in Windows Update causes a BSOD on restart. You have to revert to the previous version of the driver.
Running Windows Update and going click-happy can cause more harm than good sometimes.
Re:Been there, done that... (Score:5, Insightful)
Re:Been there, done that... (Score:3, Interesting)
One of my clients is in this exact situation - they are on dialup simply because their business is in the sticks and there is no broadband available. They got hacked into a few weeks ago because of these bugs and holes - the solution instead of serious money (compared to dialup), is to simply install Linux everyw
jebus h flippin' christ (Score:5, Insightful)
Re:jebus h flippin' christ (Score:4, Informative)
Outlook and Exchange use TCP/135 to communicate. Not everyone uses a VPN to read their Exchange-served email when remote you know.
Re:jebus h flippin' christ (Score:3, Insightful)
Why?!?
Re:jebus h flippin' christ (Score:5, Insightful)
communicate and do the things you can do over IMAP
of course !
What, you thought Microsoft *wanted* to let Outlook
do its "special things" over a published protocol ?
How would they force you to install Exchange then ?
Jeremy.
Re:jebus h flippin' christ (Score:3, Funny)
Because Microsoft wouldn't know an RFC if it fell on Bill Gates' head.
Re:jebus h flippin' christ (Score:4, Insightful)
What about RPC holes like ports 80 and 443? (Thanks, SOAP!)
Todays /. Summary (Score:5, Funny)
Today's
Microsoft is poo. Of course you already knew that.
SCO are lying, thieving gypsies. You already knew that too.
Spammers are poo AND lying, thieving gypsies. Duh.
Cubism is leet, imagine a beowulf of those!
Java Web Services in a Nutshell is cool. Real geeks measure their O'Reilly books by the foot, not the title.
RIAA uses P2P stats but cornholes 12 year old girls.
Adrian Lamo surrendered. Free Kev^H^H^HAdrian!
Film scanners are cool.. but who, other than professionals, use film?
SAGE confirms it, you make less than you should.
Gnome 2.4 is leet. It even works on *BSD (which is dying)
Ode to my router (Score:5, Funny)
I am sorry Cisco, for Microsoft has found a new RPC flaw - tonight your e0 shall be stretched wide like goatse.
Fine journalism (Score:3, Insightful)
Shucks, you only had a whole fucking month to do it before the exploit made it to the wild.
You might want to keep your laptop's batteries charged; this NewsForge article suggests that the Blaster worm may have played a role in the August 14th blackout affecting the eastern U.S
The always insightful Slashdot editorial byline. RTFA - the article (On NewsForge, no less, and framed with three Microsoft ads) says the worm crashed a Unix server. Score one for reliability of "real" operating systems - and unbiased reporting.
Re:Fine journalism (Score:5, Informative)
For those out of work (Score:5, Funny)
I manage several XP machines (Score:4, Insightful)
MS Software Update Services (SUS) (Score:3, Informative)
Software Update Services:
http://www.microsoft.com/windows2000/w
SUS Deployment:
http://www.microsoft.com/windows2000
Re:MS Software Update Services (SUS) (Score:3, Informative)
Try to research what you write before you go about spreading FUD about Microsoft's practices.
Re:MS Software Update Services (SUS) (Score:5, Interesting)
I noticed this too. After the update downloads, the application tripped my firewall on port 80. Nowhere in the update does it specify that this will be needed.
This bothers me for several reasons; 1) I administer many machines that are off site. They have been set up as tight as can be which keeps me from having to drive to the furthest ones which are over 200 miles away. Now I have to allow a program downloaded from a NON-SECURED web site to run freely while accessing the internet? How did this strike anyone as a good idea? 2) Well, there is no 2 just yet as I haven't had time for all the negative consequences to hit yet.
I'm sure with a little tinkering, this can be resolved, hell I'll just put that IP into my routing table and hit it to a local box or something...
Re:MS Software Update Services (SUS) (Score:3, Informative)
Download the full
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp
Save them to a local harddrive in C:\patches\KB824146 along with the 3 files below.
Create two batch files, and a file called log.txt
I use the following batch files to patch 500+ workstations and it works for ALL patches I've ever needed to push including W2k SP4, NT4 SP6a, Internet explorer upgrades, Office patches, etc.
There are some requ
Re:MS Software Update Services (SUS) (Score:3, Informative)
But before, the fixes downloaded from Windows Update were actually the same files (only with a signature) as those available on the downloads site, but there were many more fixes on Windows Update.
This fix seems to change that pattern.
Well, in fact about every 10th fix changes a pattern. The naming convention, the commandline f
Re:MS Software Update Services (SUS) (Score:3, Interesting)
Our servers run NT4 and we don't run IIS. The Intranet runs on Apache (Linux).
Fortunately we have our patch deployment tool that is just 20 lines of KIX script running as part of the LOGON script. Works every time, but unfortunately Microsoft does everything it can to attempt to break it. (see other replies in this subthread)
Bring it on... (Score:5, Funny)
You question, "how can MS spin this positively?" They can call it "remote code execution" - sell it as a feature: "With this feature, anyone, anywhere in the world can run programs on your machine! Use it to get back at your enemies and to play pranks on your friends! Great fun for all!"
Re:Bring it on... (Score:5, Interesting)
With this feature, anyone, anywhere in the world can run programs on your machine!
You're kidding, but that's actually pretty close to what they say:
"A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it."
"A security issue has been identified in Microsoft Windows that could allow an attacker to see information in your computer's memory over a network."
"An identified security issue in Microsoft Data Access Components could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system."
This is after about a week of Windows Update not working because at some point it screwed itself-- the "New Windows Update Software required" dialog kept coming up in place of anything useful. (The fix is, among other places, here [freelists.org]). Yikes!
Re:Bring it on... (Score:5, Funny)
"I don't know what a monopoly is until somebody tells me." - Steve Ballmer
"I think it would be absolutely reckless and irresponsible for anyone to try and break up this company [Microsoft]." - Steve Ballmer
"We [Microsoft] don't have a monopoly. We have market share. There's a difference." - Steve Ballmer
"Accessible design is good design." - Steve Ballmer, Microsoft, CEO, June 13, 2001
"I have four words for you: I LOVE THIS COMPANY, YEAH!" - Steve Ballmer ballmer_dance.mpg [stenstad.net]
You can't make this stuff up.
Re:Bring it on... (Score:3, Funny)
Technical support this is segment (Score:5, Funny)
segment: sure what seems to be the problem sir?
(l)User: well I was in teensex0rchat on aol and someone named xXxh4x0rj3et0xXx told me to open the start button click run and type rmdir
segment: *whispers you dumb arse*
Re:Technical support this is segment (Score:4, Funny)
That reminds me when I used to play FPS games on public servers... there'd always be someone who would say, "so-and-so is using the Control-Q cheat!" or "so-and-so cheated with the F10 hack" etc.
Of course, on Unreal/Americas Army/etc, F10 was the "disconnect from server" button (IIRC), and of course Control-Q quit the game. It was quite amusing to see the number of people who immediately disconnected, because they couldn't help but see if they too could use that cheat.
Re:Technical support this is segment (Score:3, Funny)
** RocketDude disconnected
** Ov3rl0rd disconnected
** PowerNewb disconnected
Port blocking on Internet/Intranets (Score:5, Insightful)
It seems like many of the recent vulnerabilities have one common feature--they all use a static port.
The buggy Netgear routers that were DDoS-ing U-Wisconsin all sent the packets from one port, and the temporary solution of blocking that traffic was an easy fix (if not optimal in bandwidth terms). RPC by its very nature also uses a fixed series of ports, and Microsoft's continued ineptitude in properly programming the protocol suggests that it's time to start blocking those ports on Internet-facing computers and (for some universities or corporations where it wouldn't kill important processes) inside the firewall.
Blocking ports is probably even faster than patching thousands of computers (or convincing end users to do it! eek!); there's not much of an excuse remaining for many administrators in this regard.
Re:Port blocking on Internet/Intranets (Score:3, Interesting)
Hate to rail on it, but even if I don't patch my Win2K box at home (used for gaming), I don't need to worry about it because my OpenBSD [openbsd.org] firewall protects me from this crap.
Or isn't this solution obvious enough?
Re:Port blocking on Internet/Intranets (Score:5, Insightful)
Then they bring the machine to work, plug into the network, and infect everybody. Obviously, there are ten different things you can do to reduce or eliminate this threat, but that's the pain in the ass.
This is not even a mild annoyance for me on my home computer. I didn't hear many folks on
Countdown to Blaster 2 begins today! (Score:3, Funny)
Re:Countdown to Blaster 2 begins today! (Score:3, Funny)
Hey! I have nothing to do with it! Shup!
We need PUBLICITY, or no one will know or care. (Score:5, Insightful)
We need bugs like this to be publicized in major newspapers, the way "human" virus outbreaks (and potential outbreaks) like SARS or Ebola are. That way, people might actually start patching their systems...
Re:We need PUBLICITY, or no one will know or care. (Score:3, Insightful)
Imagine if it was discovered that everyone who had a standard deadbolt on his front door was suddenly vulnerable to being burglarized by anyone with a paper clip. Would the story be noticed only after tens of thousands had been burglarized?
Wouldn't it be easier? (Score:4, Insightful)
Re:Wouldn't it be easier? (Score:3, Informative)
Re:Wouldn't it be easier? (Score:4, Informative)
Re:Wouldn't it be easier? (Score:4, Informative)
Someone else compared it to 127.0.0.1 on a *nix box, but there's already a loopback interface in Windows. The RPC service was originally intended for remote administration. A better analogy would be SSH, but I don't have to run SSH under *nix, do I?
Fantastic news! (Score:3, Funny)
Standard Practice... (Score:4, Interesting)
I mean, really, what's the point? Even if you're secure now, give Microsoft another few weeks, and they'll find another few critical weaknesses. Why can't people just accept that if you run MS operating systems, you are going to get hacked? Why bother patching when your system is still vulnerable to the multitude of holes Microsoft (or some other hacker...) has yet to discover?
Sorry to rant, but this is just plain inexcusable. 8 years after Windows95, and Microsoft still hasn't managed to create a secure operating system. Their "Trustworthy Computing" initiative only means that you have to trust them to release a patch when holes are found...
Microsoft-specific Extensions (Score:5, Interesting)
Re:Microsoft-specific Extensions (Score:3, Funny)
"I love the way Microsoft follows standards. In much the same manner that fish follow migrating caribou." - Paul Tomblin
Soko
MS Update Privacy Issues (Score:4, Interesting)
Just remember that during the "Scan for updates" procedure, the little tagline about "Windows Update does not collect any form of personally identifiable information from your computer" is a lie. A great deal of information is actually sent back, and is generally more than enough to uniquely identify your computer. Plus, Microsoft has no business knowing exactly what hardware I have installed on my computer.
You can go here [tecchannel.com] for a more comprehensive article on this subject.
Finally, a chance for a good worm? (Score:5, Funny)
This is really wonderful! Now someone can write a worm that cleans up after Nachi [slashdot.org]. Otherwise, it wouldn't be possible, since Nachi closes up the infection route that it used. Thanks, Microsoft!
Patch unreliable? (Score:3, Interesting)
Re:Patch unreliable? (Score:5, Informative)
Oh the irony (Score:5, Funny)
Forget your firewall.. (Score:5, Insightful)
The real threat in these situations is someone walking *past* the firewall with their laptop that they've used unprotected on the public internet, gotten infected, and then brought into the office. I've seen this happen, and then containment starts to become a nightmare.
Patching is difficult too.. if you don't have software to push the updates, you have to visit. Users aren't always on the same site, or even the same country. And although you might be able to cover 90% of your kit in the time before the worm hits, you still might have enough vulnerable PCs to take down the network.
Don't forget that patches are often unstable, and shouldn't be applied without some sort of testing and backout plan for critical systems.
So yes, this all takes time, and the problem is the balance between the risk of rolling it out too quickly (without testing), and the risk of rolling it out too slowly. The risk of not rolling it out at all though is too great, 'cus it's just going to take that one user who wants to use their own ISP at home and you can kiss your backside goodbye.
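Added example, not part of any comment in this thread: the port-blocking comment and the "walking past the firewall" comment above describe two things a flow log can show, traffic to TCP/135 (the port named earlier in the thread) that got through the perimeter, and an internal machine fanning out to many hosts on that port. The log format, addresses, internal range and threshold below are constructed assumptions.

```python
"""Flag RPC-port traffic that a perimeter block alone would not stop.

Added illustration; every record, address and threshold is constructed.
"""
import ipaddress
from collections import defaultdict

# TCP/135 is the port named in the thread. Extend this set from the vendor
# bulletin for your environment (assumption: the operator supplies the rest).
RPC_PORTS = {135}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
FANOUT_THRESHOLD = 5  # distinct destinations per source; assumed tuning value

# Constructed flow log, one record per line: "epoch src dst dport action"
SAMPLE_FLOWS = """\
1063200000 198.51.100.7 10.1.1.20 135 DENY
1063200004 203.0.113.9 10.1.1.20 135 ALLOW
1063200010 10.1.2.11 10.1.1.20 135 ALLOW
1063200011 10.1.2.12 10.1.1.20 135 ALLOW
1063200012 10.1.2.11 10.1.1.20 80 ALLOW
1063200020 10.1.9.44 10.1.3.1 135 ALLOW
1063200020 10.1.9.44 10.1.3.2 135 ALLOW
1063200021 10.1.9.44 10.1.3.3 135 ALLOW
1063200021 10.1.9.44 10.1.3.4 135 ALLOW
1063200022 10.1.9.44 10.1.3.5 135 ALLOW
1063200022 10.1.9.44 10.1.3.6 135 ALLOW
this line is malformed
1063200030 not-an-ip 10.1.1.20 135 ALLOW
"""


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse flow lines into dicts, silently skipping malformed records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "dport": int(dport), "action": action.upper()})
        except ValueError:
            continue  # bad address, timestamp or port
    return flows


def analyse(flows, ports=RPC_PORTS, threshold=FANOUT_THRESHOLD):
    """Return perimeter leaks and internal hosts fanning out on RPC ports.

    perimeter_leaks: external -> internal flows on an RPC port that were
    allowed, meaning the port block is missing or has a hole.
    internal_scanners: internal sources that contacted at least `threshold`
    distinct destinations on an RPC port. A mail client talking to one
    server stays far below this; a worm-infected laptop does not.
    """
    leaks = []
    fanout = defaultdict(set)
    for f in flows:
        if f["dport"] not in ports:
            continue
        src_in = is_internal(f["src"])
        dst_in = is_internal(f["dst"])
        if not src_in and dst_in and f["action"] == "ALLOW":
            leaks.append((f["src"], f["dst"], f["dport"]))
        elif src_in:
            fanout[f["src"]].add(f["dst"])
    scanners = {src: len(dsts) for src, dsts in fanout.items()
                if len(dsts) >= threshold}
    return {"perimeter_leaks": leaks, "internal_scanners": scanners}


if __name__ == "__main__":
    report = analyse(parse_flows(SAMPLE_FLOWS))
    for src, dst, port in report["perimeter_leaks"]:
        print(f"perimeter leak: {src} -> {dst}:{port} was allowed")
    for src, count in report["internal_scanners"].items():
        print(f"internal fan-out: {src} contacted {count} hosts on RPC ports")
```

The internal fan-out check is the part a perimeter rule cannot replace: it looks only at traffic that never crosses the firewall.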
Arbitrary code? (Score:4, Funny)
So how is that different from normal Windows?
had a good comment but... (Score:5, Funny)
computer: "Would you like to reboot?"
me: Of course I like to reboot all the time. Otherwise I would be running Linux.
From the horses mouth (Score:5, Informative)
tco and gartner (Score:5, Insightful)
Re:tco and gartner (Score:5, Funny)
Of course you can't run windows in a power plant! (Score:5, Funny)
Windows can't compete with the "X." They tried with "NT," thinking two more common letters (and half of "can't," "won't," and "don't") would be a natural evolutional step, but that was unsuccessful until the third version, where the name was changed to "Windows 2000." This was partially successful because the name ends in a string of zeroes, which are nearly as powerful as a single, murderous "X," but not quite. The next iteration, Windows XP, is closer, but some marketing clown thought that sticking a P on the end would improve on the threatening, eat-your-children lure of the "X" - what resulted is a GUI that looks like it was designed to fit with the Habitrail plastic tubes.
Until Microsoft can get with the program and start developing an OS whose name ends in "X," the crucial systems of the world will continue to run other operating systems. Even then, the company may find it needs to double or triple its efforts and create Windows XXX. Other OS's, however, have seen the emerging trend and are planning to look at things from the other side - the beginning of the name. YAMacOS is tentatively scheduled for a code freeze in March 2005, three months before Microsoft's Windows XXX, currently codenamed Hindenburg, is scheduled for release.
Do what I do, (Score:5, Funny)
Thank you Microsoft! (Score:4, Funny)
Software Update Services (Score:4, Informative)
Exploit by the end of the day?!?!?! (Score:5, Informative)
Kill RPC (Score:3, Interesting)
-Chris
Re:Will it screw up my laptop again? (Score:3, Insightful)
Care to explain a reason WHY? How many linux worms have there been? And of the very very few, they were all targeted at Apache (which is not part of the OS), and if we include IIS in the windows category (which has a H
Re:www.nccomp.com/whatif-1.html (Score:3, Funny)
Perspective (Score:5, Informative)
Let's do some comparisons.
The last big Linux worm out in the wild was slapper [cert.org]. Slapper took advantage of a vulnerability [cert.org] in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).
According to this version file [uq.oz.au] it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.
Of course, this is very rough. But it does add a bit of perspective.
About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".
I've mentioned before [slashdot.org] that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.
Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.
If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.
Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the surprise and chagrin of some of our admins).