Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: "Robin S. Socha" <robin-dated-1010510633.e46d31 () socha net>
Date: Sat, 05 Jan 2002 12:42:58 -0500
* Ryan Russell <ryan () securityfocus com> writes:
On Fri, 4 Jan 2002, Robin S. Socha wrote:
[netbios shares]
Again: iff this admin is using broken software.
Depends what you mean by broken software. If you mean Windows in general.. there are plenty of unix worms as well.
The point you were trying to make was that an admin running Windows logged into the infected system and infects the PDC. I cannot see the connection to Unix worms. I also cannot see the similarities between Nimda and the Unix worms I know of. Maybe I'm too stupid to understand http://www.cert.org/advisories/CA-2001-26.html but to me this does not look like a worm but a combination of worm, and virus.
If you mean the one hole that Nimda uses.. even with that patched, people still click on attachments, make bad choices when their browser asks them to choose, etc..
Iff you allow them to do that, yes. Or if their software is fundamentally broken as in
,----
| Due to a vulnerability described in CA-2001-06 (Automatic
| Execution of Embedded MIME Types), any mail software running on an x86
| platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except
| IE 5.01 SP2) to render the HTML mail automatically runs the enclosed
| attachment and, as result, infects the machine with the worm.
`----
The only thing special about Windows is that it has most of the market share.
That is incorrect. While your typical Unix usually leaves a lot to be desired in the privilege sector, Unix *users* don't usually run with super user rights.
If Linux wins, then the majority of worms will be written there. The security model won't make a difference, there are tons of local root exploits.
FUD, Ryan. But I'll gladly follow you along a tour of "tons of root exploits on Robin's OpenBSD box" - just let me know and I'll give you shell...
Your average desktop user won't put their patches on no matter what OS they run.
Therefore, the world wants client/server with admins fixing stuff for their users.
It's the diversity (read: running a less popular OS) that makes you safer, not that one is better than another.
That, Ryan, is a lie, and you know it. You are making an easily disproven claim here, namely that, say, OpenBSD is as insecure as Windows. If it is that simple, please show us your remote root exploit for OpenBSD and get really famous. Replace OpenBSD with any well maintained Unix, it's just that "4 years without a remote exploit in the default install ended by Ryan" has such a nice ring to it.
Iff you allow your users to download and execute code on their workstations. Why would you? Tax money. Spent. Wrong.
You mean web surfing? Yes, most schools allow that. You can get Nimda by simply visiting a website. If you've got the hole, you get it instantly.
Provided you are running a broken browser and have your security settings at "idiot" level.
If you're patched, then the student has to click on "yes" to be infected.
How come you allow your users to do that? Execute unknown code locally, I mean? Is that part of your security policy?
Desktop AV is the only thing that stops the bulk of the process.
Incorrect. If anything, it will stop this _one_ process. It does not eliminate the problem.
The problem under discussion (in my note), was being re-infected by known variants of Nimda. Desktop AV, used properly, eliminates that problem.
With a time window of up to 48h or more. Therefore:
hour window is good for millions of mails. Which part of "this is not a solution, it's not even a kluge, it simply *does* *not* *work* - have the vendor fix the software or get rid of the software" do you have difficulty in understanding?
As explained above, what I have difficulty understanding is how changing software makes one bit of difference.
Software broken. Exploit unavoidable. Remove software. No exploit.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards