Estimating the Time-To-Own of an Unpatched Windows PC

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
  • by Lord Lode ( 1290856 ) on Tuesday July 15, 2008 @01:49AM (#24192499)
    I've heard similar statistics in the past already. How is this statistic measured? Is it the time after you connected your ethernet cable or modem and doing nothing at all but wait, or is it the time after you opened a browser and let an "average" user surf the internet and open things? Is it a problem if you need 4 minutes to install all windows patches and updates?
    • by Spad ( 470073 ) on Tuesday July 15, 2008 @02:04AM (#24192575) Homepage

      I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.

      • by JimboFBX ( 1097277 ) on Tuesday July 15, 2008 @02:20AM (#24192669)
        The fact your firewall was disabled shows you already did some interaction.
        • by Alpha Whisky ( 1264174 ) on Tuesday July 15, 2008 @03:14AM (#24192927)
          I'd mod you funny if I had modpoints. I think he probably meant no router/firewall, Microsoft's toy firewall enabled by default in SP2 is about as effective protection as a wet paper bag would be against a rocket propelled grenade. Or for the Slashdot crowd who only understand car analogies, as good a protection as a Ford Pinto crashed into by an express train.
        • by Mistlefoot ( 636417 ) on Tuesday July 15, 2008 @04:34AM (#24193305)
          Absolutely. SP2 firewall is enabled by default.

          And from the article "This older guide was written based on Windows XP pre SP2. One of its main features was step by step instructions on how to enable the Windows XP firewall."

          XP SP2 was released in August of 2004. Why are we talking about 4 year old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.

          Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.
          • by erlando ( 88533 ) on Tuesday July 15, 2008 @04:39AM (#24193335) Homepage

            Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older than Ubuntu - even with SP2 it would still be older than Ubuntu or Firefox.

            It could be that there is a lot of pre-SP2 install-disks out there. In the likely event of needing a reinstall you are faced with having to put a pre-SP2 XP on the net to retrieve SP2.

            • Re: (Score:3, Informative)

              by Anonymous Coward

              The best thing to do would be to download and burn an offline [microsoft.com] SP3 [microsoft.com] updater on a good PC, and install that before connecting to the net.

              Sadly this is not very well known, especially amongst those who need it the most, and MS doesn't go out of their way to make it very clear either. So geeks, do your duty and inform those who you suspect could use it.

              • Sadly this is not very well known especially amongst those who need it the most, and MS doesn't go out their way to make it very clear either.

                I don't think it gets much easier than this:

                What Is Service Pack 3? [microsoft.com]

                Read the XP SP3 white paper.
                Steps to take before you install SP3
                Download SP3 from Windows Update
                Order SP3 on CD-ROM
                Download and deploy SP3 to multiple computers [Network Installation for the IT Professional]
                Free [basic] unlimited installation and compatibility support
                ---your choice of e-mai

          • by CastrTroy ( 595695 ) on Tuesday July 15, 2008 @05:20AM (#24193539)
            Because the last OS put out previous to Vista was Windows XP. That's why we are talking about such old software. It's only 1 version behind current. The biggest problem is that there's a lot of people who have XP discs with no service pack incorporated. When you reinstall from these discs, and try to connect to the internet to download SP2, your computer is owned before you can even download the service pack. That's a major problem.
          • Re: (Score:3, Interesting)

            by mysticgoat ( 582871 )

            XP SP2 was released in August of 2004. Why are we talking about 4 year old software?

            For people like me, TFA was highly relevant.

            I'm now using Linux (Ubuntu) for more than 95% of my work. But I still have WinXP on dual boot since I've got a couple of image processing workflows in PaintShop Pro that I haven't developed Linux equivalents for as yet, and since my 8 color Canon i9900 only achieves its full potential (13"x17" photorealistic posters) when I use the proprietary Windows driver.

            I have not had to do a re-install of WinXP for more than 5 years. Back then, I re-installed from the o

      • by Gumbercules!! ( 1158841 ) on Tuesday July 15, 2008 @03:24AM (#24192963)
        I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

        That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....
    • Re: (Score:2, Funny)

      How is this statistic measured?

      How long is a piece of string?

      Pretty short in this case...

    • This is about worms and such that spread across the internet, not about trojans and viruses people download. After all, I could surf Google for years without ever getting a single virus and go to a .ru site and be infected in seconds. No, the 4 minutes is for a windows PC directly connected to the internet (no router in between) doing nothing but being connected. What will happen to a lot of people who just bought a new computer and are using a direct connection to the internet like many a cable company
    • by Opportunist ( 166417 ) on Tuesday July 15, 2008 @03:39AM (#24193037)

      I did exactly the same kind of "research" (for a documentation about online threats for our local TV network), here is what I did.

      I installed XP SP1 (bear with me, it was the pre-Vista days), the way you got it delivered on a CD. I did nothing else (XP SP1 came without the firewall preinstalled). I turned on a network monitor to document and show what happens. Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

      Time to infection through the RPC hole was less than 2 minutes.

      I did essentially NOTHING to facilitate it (besides, well, not having the machine patched at least to SP2), I just let the machine sit there, connected to the internet.

      In a nutshell, if you're using XP and have one of those SP1 install discs, download SP3 before you kick the system in the gutter, put the service pack on a USB stick or external drive and install it before you connect that machine anywhere.

      • Re: (Score:3, Insightful)

        by drsmithy ( 35869 )

        Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).

        The average DSL user, at least, is sitting behind a device which at the very least does NAT and probably has a firewall enabled as well.

        It's been some time since I had a cable connection and modem, but I'd be surprised if they weren't the same, these days.

      • Re: (Score:3, Interesting)

        by jamesh ( 87723 )

        I made a monumental screwup and broke the firewall (iptables on a Linux machine) in such a way that there was no filtering to one of our /24 IP addresses. The IP address belonged to a Windows server running an unpatched version of MSSQL, and Blaster was at its peak. It took no less than 10 seconds from the time I activated the updated (broken) firewall rules to me scratching my head wondering why the router appeared completely dead.

        Blaster had infected the machine within about 10 seconds and the traffic ha

    • Re: (Score:3, Insightful)

      by Mistlefoot ( 636417 )
      Actually, Thorsten at http://honeyblog.org/archives/193-Survival-of-the-Fittest.html answers that. He states

      "Yonah, if you read the blog posting things should be more clear: "For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations."

      Thus we did not use native machines, but low-interaction honeypots that emulate different kinds of exploits. You can find more information about these tools at http://nepe
    • Re: (Score:3, Insightful)

      by drsmithy ( 35869 )

      Is it a problem if you need 4 minutes to install all windows patches and updates?

      It's not a problem at all if you just turn on the firewall that comes with every version of XP, or in pretty much every consumer-level cable/ADSL modem/router.

      It would be interesting to see how long default, unpatched installs of OSes like RH7 and Solaris 8 last as well.

      These sorts of articles are just flamebait. Pretty much any version of Windows XP acquired since 2004 has SP2 integrated, and this the firewall enabled by

  • Didn't the honey project provide us this exact same information a few years ago?
    • Re: (Score:3, Insightful)

      by jd ( 1658 )
      The fact that another Slashdot reader queried my insistence Windows 7 should have better host and network security is proof that there is still rampant ignorance on the subject. The fact that the time-to-pwn has not fallen over the past four years despite "security fixes" and security engines that inconvenience users and break applications is proof that the security methods employed by Microsoft are a failure. The fact that there is virtually nothing mainstream in the Windows world that compares with even t
      • Re: (Score:2, Insightful)

        by EvanED ( 569694 )

        The fact that the time-to-pwn has not fallen over the past four years...

        Pray tell what has happened to the base Windows installation over the past four years? Those security fixes you mention aren't counted in this time, so you can't claim that they aren't contributing to overall security. From the article (sort of) it sounds like this is still the time for XP and not Vista (though since neither the summary nor either linked article actually says anything, I'm not sure). So why, exactly, should we hav

      • Re:Honeynet (Score:4, Insightful)

        by neokushan ( 932374 ) on Tuesday July 15, 2008 @02:36AM (#24192755)

        How can you say this shows no improvement over the last 4 years when the test subject was an UNPATCHED version of Windows?
        The article wasn't even particularly clear if it was good ol' Vanilla XP or XP SP2 or whatever.

        • Re: (Score:3, Informative)

          Comment removed based on user account deletion
          • Re:Honeynet (Score:5, Insightful)

            by neokushan ( 932374 ) on Tuesday July 15, 2008 @05:12AM (#24193515)

            Exactly. Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.
            I'm not even sure what it is they're trying to prove - that Microsoft can't bend time and space and retroactively patch ALL XP disks every time they release an update?

            This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?
            Luckily, Linux is pretty good at not getting owned so it's a bit of a non-issue at the moment, but I dare say it's only a matter of time before someone starts targeting them as well.

            • Re: (Score:3, Insightful)

              by tepples ( 727027 )

              Saying an unpatched OS is vulnerable to attack is like saying an unlocked Car is liable to be stolen.

              No, it's more like saying that a car is likely to be stolen before the locksmith has a chance to install locks.

            • Re: (Score:3, Interesting)

              by tinkerghost ( 944862 )

              This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?

              Why would you bother? A live CD can only be infected upon creation. After that, any infecti

      • Re:Honeynet (Score:4, Insightful)

        by willyhill ( 965620 ) on Tuesday July 15, 2008 @02:46AM (#24192815) Homepage Journal

        One question though - why exactly would I face out a machine with an unpatched OS (the "article" doesn't even mention the version), any OS?

        Especially since a $20 Linksys router solves my problems, assuming I'm unable to slipstream service packs or errata or whatever?

        If this is Windows XP, why isn't there an article on the time-to-own for an unpatched RedHat 8 install? Do I not have to go online to download the errata for that one as well? Or even the new version?

        Even with the larger number of exploits for Windows vs Linux, that doesn't mean there are no exploits for Linux. So I have 20 minutes to download my patches, instead of 5? And that's some sort of median, right? Wow, that sure sounds a lot safer. I hope I make it.

        This "metric" is like measuring how deep a machete can cut into your leg, or how much chlorine bleach you can chug before doubling over. Useful? Sure. Should you try it? Nope. With *any* operating system. Not even with any of the *BSDs, which I tend to trust a hell of a lot more than most Linux distros nowadays.

        Looks like a slow news night for Slashdot, as usual.

  • Doesn't make sense (Score:2, Interesting)

    by kaos07 ( 1113443 )

    Man this doesn't make sense. So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? Even if you don't browse? Because the point is you can download Windows Updates and you can install and update your AV with only two connections. Not sure how you're going to get infected that way.

    Of course it could just be "Windows users can't resist dodgy porn sites for more than 4 minutes". Which makes more sense. I mean, when you've just

    • by thona ( 556334 ) on Tuesday July 15, 2008 @01:57AM (#24192537) Homepage
      That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They just scan IP address ranges for computers to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction.
    • by kitgerrits ( 1034262 ) * on Tuesday July 15, 2008 @02:00AM (#24192545)

      No, this type of infection is sent to random computers all over the Internet.
      If one computer on the same IP range as you is infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the hard drive.

      Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then run Wireshark to look at your network interface.
      You'll be surprised at the stuff you get without asking.

    • Re: (Score:3, Insightful)

      Exactly. It used to be a real problem, and at my uni in 2003 or so, I'd insist everyone built their servers and patched them offline. Some didn't listen to me and got owned during install.

      These days, you turn on the firewall on XP SP2 or 2003 and don't have the problem. (As the OP said, just don't browse the web while you're doing a server install.)

      cheers,

      • Re: (Score:3, Funny)

        by bloodninja ( 1291306 )

        As the OP said, just don't browse the web while you're doing a server install.

        Yeah, let's see YOU install Gentoo without browsing the web.

    • by gmuslera ( 3436 )
      My firewall logs at least are pretty spammy with what they are stopping at all hours.

      Not sure if my netblock is relatively quiet or active, but I got 14 tests from 9 different IPs to 9 different ports in a randomly chosen 10-minute interval. If any vulnerability was there, I had no need to browse or do anything more than just get connected to get infected/exploited/botnetted.
      • Re: (Score:3, Informative)

        by ThePhilips ( 752041 )

        Wasn't measuring recently.

        In worst times, I had seen one exploit attempt per 10 seconds on average. Since I have seen this all from the point of view of a Linux router/firewall for a sub-C net with 30 IPs, the logs were pretty messy and I had to write a special script to clean syslog.

        Right now my friend was setting up a firewall for himself too and was seeing about 1 exploit attempt per 1-2 minutes.

        That's Windows side.

        On Linux side this isn't much prettier. In past some botnets from South Korea were dumbly scanning who

    • What doesn't make sense to me is the editorial standards on /.

      The title should be "Estimating the 71m32pwn of an Unpatched Windows PC."

      Really, the standard is slipping.

    • by sowth ( 748135 ) on Tuesday July 15, 2008 @02:30AM (#24192709) Journal

      I'm going to jump in, because I don't think anyone explained this.

      Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like file sharing work: it has a server program which will reply when someone else on the LAN broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.

      There could also be vulnerabilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.

      This is in addition to getting infected by visiting a hostile site with an insecure browser.

      I may not have explained this very well, but hopefully you get the idea.

    • Re: (Score:3, Insightful)

      by Opportunist ( 166417 )

      What's cooking here is worms. Those pesky little things that don't wait for you to click on an infected program but use security holes in your RPC to infect you. XP pre-SP2 was notorious for such a security hole, and my firewall logs tell me that such machines are still widely in use on the internet.

      As I stated above, it took less than 2 minutes with SP1 in 2004. I should repeat that test, I wonder if it changed in the past 4 years.

      Bottom line of it all, a router for 20 bucks can already solve that problem

    • Re: (Score:3, Informative)

      by Stooshie ( 993666 )

      ... So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? ...

      Yes! Install a firewall and just watch the log file. Your machine is probably scanned around once every 20 seconds by some botnet or other.
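      Several commenters above (gmuslera, ThePhilips, Stooshie) describe eyeballing their firewall logs to count how often the box gets probed. As an added example, not from the thread or from any commenter, here is a small Python script that does that count from iptables-style LOG lines: unsolicited inbound connection attempts, distinct sources and destination ports in an observation window, and the mean gap between probes. The log lines are constructed, the port labels are well-known assignments added for readability, and the year is an assumed argument because syslog stamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (not real traffic): iptables LOG lines from a drop rule on the WAN
# interface, in plain syslog format. Contains four SYN probes, one UDP probe, one stray ACK
# and one ICMP echo, so the filter below has something to exclude.
SAMPLE_LOG = """\
Jul 15 02:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=48 TTL=112 ID=4711 DF PROTO=TCP SPT=3412 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 15 02:01:17 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 LEN=48 TTL=112 ID=4712 DF PROTO=TCP SPT=3413 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 15 02:03:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=404 TTL=116 ID=9 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jul 15 02:05:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.20 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=52001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 15 02:06:55 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.20 LEN=48 TTL=107 ID=31337 DF PROTO=TCP SPT=1025 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 15 02:09:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=48 TTL=116 ID=10 DF PROTO=TCP SPT=2020 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 15 02:09:58 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.20 LEN=84 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Labels for the ports the thread keeps coming back to (well-known assignments, added here).
PORT_LABELS = {135: "MSRPC/DCOM", 139: "NetBIOS session", 445: "SMB", 1434: "MS-SQL monitor"}

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$"
)


def parse_line(line, year=2008):
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields plus a set of bare
    tokens (TCP flags such as SYN/ACK, and DF). Returns None for lines that are not LOG output."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = {"flags": set()}
    # syslog omits the year, so the caller supplies it (assumption) to get real datetimes
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # first wins: ICMP lines repeat ID= and LEN=
        else:
            rec["flags"].add(tok)  # a leading "[12345.678]" printk stamp lands here harmlessly
    return rec


def is_connection_attempt(rec):
    """Unsolicited inbound attempt: a TCP SYN that is not a handshake reply, or any UDP datagram.
    Stray ACKs (late packets of dead connections) and ICMP echoes are not counted."""
    if not rec.get("IN"):
        return False  # locally generated packet, not something that arrived on the wire
    proto = rec.get("PROTO")
    if proto == "TCP":
        return "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    return proto == "UDP"


def parse_log(text, year=2008):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def summarize(records, window_seconds):
    """Summarise probe activity over an observation window of window_seconds
    (gmuslera's 'randomly chosen 10-minute interval' would be 600)."""
    attempts = [r for r in records if is_connection_attempt(r)]
    ports = Counter(int(r["DPT"]) for r in attempts if "DPT" in r)
    times = sorted(r["ts"] for r in attempts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "attempts": len(attempts),
        "unique_sources": len({r["SRC"] for r in attempts}),
        "unique_ports": len(ports),
        "attempts_per_hour": len(attempts) * 3600 / window_seconds,
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
        "top_ports": [(p, n, PORT_LABELS.get(p, "?")) for p, n in ports.most_common(3)],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG), window_seconds=600).items():
        print(f"{key}: {value}")
```

      Point the script at a real `grep kernel: /var/log/syslog` extract instead of SAMPLE_LOG and the mean gap is the "one attempt per N seconds" figure the commenters quote; divide the window by it and you have how many probes an unpatched box would have taken before it finished downloading its first service pack.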

  • Offline updates (Score:5, Informative)

    by Fallen Andy ( 795676 ) on Tuesday July 15, 2008 @01:57AM (#24192533)
    For XP/Office/Vista, you owe it to yourself to use the Heise [heise.de] offline updates.

    Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).

    Andy

  • The article recommends using a NAT firewall and a correctly configured personal firewall, and of course that's a good start (NAT is evil, but is generally a good starting place for devices that aren't running servers, and until you've got your system running the current patches, you don't want to be running servers at all, and even after that many client-like things work adequately behind NAT.)

    But does anybody have any estimates of how long an unpatched machine will last behind a dumb NAT firewall? Are yo

    • by totally bogus dude ( 1040246 ) on Tuesday July 15, 2008 @02:52AM (#24192853)

      You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).

      All up, the chances of anything getting through are pretty much negligible.

      The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.

      This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.

      Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.

  • by Anonymous Coward on Tuesday July 15, 2008 @02:01AM (#24192561)

    I keep hearing on /. about how slow Windows is. Now it turns out that Windows is very fast.

  • College Network (Score:2, Interesting)

    by Anonymous Coward

    I think the Time to Infection on a college network is like... 45 seconds.

  • by Toreo asesino ( 951231 ) on Tuesday July 15, 2008 @02:10AM (#24192613) Journal

    You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.

    Otherwise, there's WSUS (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).

    (Not that I disagree XP was horribly insecure when it came out)

  • by FuegoFuerte ( 247200 ) on Tuesday July 15, 2008 @02:11AM (#24192621)
    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").
    • Actually, all versions of Windows since XP/SP2 (August 2004) come with the built-in firewall turned on by default. To get the "owned in 4 minutes" statistic, you need to either install an old unpatched version of XP or XP/SP1, or deliberately turn off the firewall. Which maybe explains why TFA is so light on details...
  • by ulash ( 1266140 ) on Tuesday July 15, 2008 @02:15AM (#24192639)

    The source for this post seems to be lacking on quite a few fronts when explaining how they arrived at this data.

    - (As pointed out already by numerous posters) Which version of Windows are they using?
    - What activity are they using the computer for?
    - Who are the "all" in "placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas" ?
    - How unpatched is unpatched? Is this a version of the OS that one needs to deliberately search for or if I go and buy a boxed version of the OS there is a pretty good chance it will be just as "unpatched" ?

    The "piece" raises more questions than the answers it provides.

  • by www.sorehands.com ( 142825 ) on Tuesday July 15, 2008 @02:33AM (#24192729) Homepage

    These tech people from Comcast or SBC tell you to plug your machine directly. Maybe they work for the people who run botnets?

    A spit on them. They seem to be as incompetent as the 'Geek Squad'

  • That should be Time-To-Pwn. You're welcome.
  • by petes_PoV ( 912422 ) on Tuesday July 15, 2008 @02:34AM (#24192741)
    At the end of last year (just before christmas) I reconfigured an old laptop with W2k/SP4 for use receiving weather satellite pix and acting as a weather station. Since it only has a 150MHz processor and 96MB memory I decided not to include any anti-virus or spam filtering on the box itself. It does sit behind my Netgear DG834GT, which only lets through selected ports - mainly for the benefit of the other machines I run.

    While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted its disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.

    My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.

  • right let's install a 5 year old linux distro and see how long it takes to get owned. it's the same thing they are putting forward here with an unpatched winXP system.

    unpatched systems with no protection are easy to infect - this is not news.

    • by Opportunist ( 166417 ) on Tuesday July 15, 2008 @04:35AM (#24193313)

      Considering that the average Linux distro from 5 (or rather, if you want to make a real comparison since they're obviously using XP SP1 to "prove" their point, 7 years) already came with an iptables/ipchains firewall built in and rather few, if any, remotely accessible services running if you don't want them to run (they ask you if you want to have SSH running and yes, should you enable a 7 year old version of SSH then you're vulnerable), I'd think XP would still lose.

      The problem is that even if you KNOW that the RPC is a deadly remote exploit vector in XP, you CANNOT turn it off during install. With Linux, at least I have the option to avoid enabling SSH or other services that I know are no longer safe.

  • Who ever sets up a windows PC with a direct internet connection? Being behind a NAT will cover the drive-by attack issue perfectly adequately, and whilst it was common a few years ago for consumer broadband companies to supply USB broadband 'modems' which did connect directly, in practice now this is rare as most now use a pre-configured (generally wireless) router.

  • Whether we like it or not MS is slowly but surely on their way to strong-arming everyone into running Vista. I don't care about XP anymore. What is the TTO (time to ownage) for Vista?

    I'll believe Windows is getting more secure when I start getting less spam in my inbox.

  • ha! (Score:4, Interesting)

    by thatskinnyguy ( 1129515 ) on Tuesday July 15, 2008 @02:59AM (#24192881)
    4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!
  • by ptashek ( 1176127 ) on Tuesday July 15, 2008 @03:42AM (#24193053)
    It took about 2 minutes the last time I remember this was *accidentally* tested on our /16 network (XP SP2, way down in mid-2006). But this is not a Windows problem per se. Any other OS, in a post-install state, will eventually get compromised. It's just a matter of time. Solution: build + patch + secure offline, then deploy.
  • If the internet is so f--- up that plugging a new computer onto it brings it under immediate attack, then, well, the good guys have -lost-.

    It's really time to start unplugging bad guys from the internet period, applying stricter filtering at the ISP level, and more rigidly filtering countries who don't police their networks.

    Five minutes to be attacked? The internet is LOST.

  • by Britz ( 170620 ) on Tuesday July 15, 2008 @06:11AM (#24193789)

    There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3
    So I would be interested in the time it takes for that one to be infected.

    Do they even give patches for that any more?

    I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the os.

  • by Doc Ruby ( 173196 ) on Tuesday July 15, 2008 @09:07AM (#24195561) Homepage Journal

    If Microsoft set every fresh Windows install to connect to only Microsoft.com on the Internet until either Microsoft.com, or the console, or some other specific named/numbered host said that Windows is "safely* patched", then this race condition would not be a problem. They could allow the "patch lock" on network access to be released by the installing operator at the console, or that operator could set a pointer to some other machines allowed access, or Microsoft.com's patch servers could send a list of servers. All other network access would be locked out until someone authorized said the machine was ready to connect to the general network/Internet access.

    Such a revision should take a couple of Microsoft programmers a week or so to implement and test. Of course, if Windows were OSS, then anyone in the Microsoft developer community could patch Windows to work right. And anyone could inspect that patch to ensure that it worked right, before trusting it not to be just another security hole.

    But of course, Microsoft is so far from anything approaching real openness or modern security practices that its fundamental insecurity in an Internet environment is one of its basic features. Its most prized feature on the hundreds of millions of machines compromised worldwide, many the first time they're connected to the Internet, among the bad guys out there who love Microsoft's closed and counterproductive "security" practices even more than Microsoft loves them.

    (* OK, Windows is never "safely patched", but it's a start.)
