Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: "Robin S. Socha" <robin-dated-1010510633.e46d31 () socha net>
Date: Sat, 05 Jan 2002 12:42:58 -0500

* Ryan Russell <ryan () securityfocus com> writes:
> On Fri, 4 Jan 2002, Robin S. Socha wrote:
>
>> [netbios shares]
>> Again: iff this admin is using broken software.
>
> Depends what you mean by broken software.  If you mean Windows in
> general.. there are plenty of unix worms as well.

The point you were trying to make was that an admin running Windows
logged into the infected system and infects the PDC. I cannot see the
connection to Unix worms. I also cannot see the similarities between
Nimda and the Unix worms I know of. Maybe I'm too stupid to understand
http://www.cert.org/advisories/CA-2001-26.html but to me this does not
look like a worm but a combination of worm and virus.

> If you mean the one hole that Nimda uses.. even with that patched, people
> still click on attachments, make bad choices when their browser asks them
> to choose, etc..

Iff you allow them to do that, yes. Or if their software is fundamentally
broken as in
,----
| Due to a vulnerability described in CA-2001-06 (Automatic
| Execution of Embedded MIME Types), any mail software running on an x86
| platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except
| IE 5.01 SP2) to render the HTML mail automatically runs the enclosed
| attachment and, as result, infects the machine with the worm.
`----

> The only thing special about Windows is that it has most of the
> market share.

That is incorrect. While your typical Unix usually leaves a lot to be
desired in the privilege sector, Unix *users* don't usually run with
super user rights.

> If Linux wins, then the majority of worms will be written there.  The
> security model won't make a difference, there are tons of local root
> exploits.

FUD, Ryan. But I'll gladly follow you along a tour of "tons of root
exploits on Robin's OpenBSD box" - just let me know and I'll give you
shell...

> Your average desktop user won't put their patches on no matter what OS
> they run.

Therefore, the world wants client/server with admins fixing stuff for
their users.

> It's the diversity (read: running a less popular OS) that makes you
> safer, not that one is better than another.

That, Ryan, is a lie, and you know it. You are making an easily disproven
claim here, namely that, say, OpenBSD is as insecure as Windows. If it is
that simple, please show us your remote root exploit for OpenBSD and get
really famous. Replace OpenBSD with any well maintained Unix, it's just
that "4 years without a remote exploit in the default install ended by
Ryan" has such a nice ring to it.

>> Iff you allow your users to download and execute code on their
>> workstations. Why would you? Tax money. Spent. Wrong.
>
> You mean web surfing?  Yes, most schools allow that.  You can get
> Nimda by simply visiting a website.  If you've got the hole, you get
> it instantly.

Provided you are running a broken browser and have your security settings
at "idiot" level.

> If you're patched, then the student has to click on "yes" to be
> infected.

How come you allow your users to do that? Execute unknown code locally,
I mean? Is that part of your security policy?

>>> Desktop AV is the only thing that stops the bulk of the process.
>>
>> Incorrect. If anything, it will stop this _one_ process. It does not
>> eliminate the problem.
>
> The problem under discussion (in my note), was being re-infected by
> known variants of Nimda.  Desktop AV, used properly, eliminates that
> problem.

With a time window of up to 48h or more. Therefore:

>> hour window is good for millions of mails. Which part of "this is not
>> a solution, it's not even a kluge, it simply *does* *not* *work* -
>> have the vendor fix the software or get rid of the software" do you
>> have difficulty in understanding?
>
> As explained above, what I have difficulty understanding is how
> changing software makes one bit of difference.

Software broken. Exploit unavoidable. Remove software. No exploit.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
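The CA-2001-06 behaviour quoted in the thread (a mail client that hands an attachment to the executable loader because of how its MIME type is declared) is something a mail gateway can detect independently of desktop AV signatures. The following is an added example, not code from the list post or from CERT: it walks the MIME parts of a message with Python's standard `email` package and flags any leaf part that is an executable by header (`MZ`) or by extension, distinguishing the case where such a part is declared as a passive media type (audio/image/video). The sample message, the filenames and the extension list are constructed for the example.

```python
import base64
import email
from email import policy

# Extensions the Windows shell executes directly (constructed list, not exhaustive)
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# "Passive" media types a CA-2001-06-affected client would open without prompting
PASSIVE_MEDIA_PREFIXES = ("audio/", "image/", "video/")


def _extension(filename):
    """Lower-case extension including the dot, or '' when there is none."""
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_message(raw):
    """Walk every leaf MIME part and return a list of findings.

    Each finding is (filename, declared content type, reason).  A part is
    executable if its decoded bytes start with the PE 'MZ' header or its
    filename has an executable extension.  Executables declared as
    audio/image/video are reported separately, since that mismatch is what
    lets a vulnerable client run them without asking the user.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        is_exec = payload.startswith(b"MZ") or _extension(filename) in EXECUTABLE_EXTENSIONS
        if not is_exec:
            continue
        if ctype.startswith(PASSIVE_MEDIA_PREFIXES):
            findings.append((filename, ctype, "executable disguised as passive media"))
        else:
            findings.append((filename, ctype, "executable attachment"))
    return findings


def build_sample():
    """Constructed three-part message: HTML body, a real WAV, and a PE image labelled as WAV."""
    fake_exe = base64.b64encode(b"MZ" + b"\x00" * 62).decode()
    real_wav = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt ").decode()
    return (
        "From: sender@example.test\r\n"
        "To: recipient@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        "\r\n"
        "<html><body>hello</body></html>\r\n"
        "--b1\r\n"
        'Content-Type: audio/x-wav; name="tone.wav"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: inline; filename="tone.wav"\r\n'
        "\r\n"
        f"{real_wav}\r\n"
        "--b1\r\n"
        'Content-Type: audio/x-wav; name="clip.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: inline; filename="clip.exe"\r\n'
        "\r\n"
        f"{fake_exe}\r\n"
        "--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

Only the third part is reported: the HTML body and the genuine WAV pass, while the `MZ`-headed part declared as `audio/x-wav` is flagged as an executable disguised as passive media. Checking the decoded bytes as well as the filename matters because the declared type and the name are both attacker-controlled; the header is the only thing the mail client's loader actually acts on.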