Full Disclosure mailing list archives
Re: It's not that simple... [Was: Re: Disney Down?]
From: Micheal Espinola Jr <michealespinola () gmail com>
Date: Wed, 17 Aug 2005 14:46:44 -0400
This issue effects XP and W2K3 systems as well. I don't see the argument of W2K being "on the back burner" as having any relation to this thread. Regardless of "a LOT of Windows 2000 out there...", these companies weren't bitten the same day the initial exploit was released. 6 days is plenty of time to have tested compatibility and to distribute the patch. PnP is not a show stopper when it comes to patch compatibility testing - especially considering the fact that the exploit allows for remote code execution and elevation of privilege. Perhaps certain people need to learn or take a refresher course of what that exactly implies. And I'd say it is just that simple when you consider the fact that San Diego County waited to install the patch *the night after* they got hit by the worm. *That's* why organizations like San Diego County, with ~12,000 Win2k hosts, were bitten so badly. Greg Smith, the county's assessor, recorder and clerk, said "As long as we're up (today), we'll be fine" Greg Smith is a thinking much too lightly of the situation. Their systems just got hit with an exploit that allows for remote code execution and elevation of privilege. If I was him, I would be very concerned about data theft, and performing network wide audits. "Yesterday's crash marked the third time in recent weeks that significant computer problems have affected county government." Well, enough said about Greg Smith or whoever manages SDC's systems... Lets take a look at the ISS advisory that makes a respectful analysis of the phrase "code execution and elevation of privilege": "Successful exploitation of this vulnerability could be leveraged to gain complete control over target systems, and might lead to malware installation, exposure of confidential information, or further network compromise. Due to the widespread use of the affected operating systems and the critical nature of component affected, it is likely that servers and desktops used for a wide variety of purposes are vulnerable to this issue." The initial exploited fault aside, I see no excuse for this. On 8/17/05, Fergie (Paul Ferguson) <fergdawg () netzero net> wrote:
It's not that simple. Why such success with a worm targeted at specific vulnerabilities in Win2k? I'll tell you why -- the answer is spelled out (correctly) in an article written by Ina Fried in a June 28th, 2005, C|Net News article entitled "Windows 2000 moves to the back burner", which discussed Microsoft's end-of-life support for the OS platform. Here are a couple of key excerpts: [snip] Microsoft on Tuesday issued what is expected to be its last significant revision of Windows 2000. The software maker released what it calls an Update Rollup for the 5-year-old operating system, which is due to shift at the end of this month from receiving mainstream support to extended support. Microsoft does not generally add features to a product under extended support, and the Update Rollup is largely a collection of previously released patches as opposed to a batch of new features. In addition to already released fixes, the collection "may contain fixes for non-public low- and moderate-level security issues that did not warrant individual security bulletins," a Microsoft representative said. [...and:] Although Windows 2000 has been followed by several other Windows versions, the software remains extremely popular in corporations and small businesses. It still accounts for nearly half of all Windows-based business desktops, according to a recent survey by AssetMetrix. [snip] http://news.com.com/Windows+2000+moves+to+the+back+burner/2100-1016_3-5766696.html So there you have it -- there's still a LOT of Windows 2000 out there... Having said that, you also have to realize that from the time the MS05-039 vulnerability was disclose (and the exploit code was released the same day), to the time that very large enterprises had to deploy it was very, very short compared to threats of the past. That's why organizations like San Diego County, with ~12,00 Win2k hosts, were bitten so badly. http://www.signonsandiego.com/news/metro/20050817-9999-7m17worm1.html It's just not that simple... - ferg -- Micheal Espinola Jr <michealespinola () gmail com> wrote: Thanks for correcting my spelling error. You mention that this issue "will have little or no presence on consumer systems", but you do realize that you are writing for the "Enterprise News & Reviews" magazine, eWeek - right? You also realize that MS05-039 effects the current "consumer" version of Microsoft Windows (aka Windows XP) - right? You also say, "If it had been International Paper or some company like that rather than media outlets I suspect it wouldn't be getting all this attention". While this is likely true, this exemplifies the need to take security matters more seriously. MS05-039 was issued on August 9, 2005, and major companies were still exploited 6 days later. Your own story emphasizes the lack of consideration that is still being given to security vulnerabilities, even though Microsoft is continuously scrutinized at a product level for what is increasingly related to poor administrative and security practices. Applying this particular patch takes mere moments to download (a 500-600k file depending on your OS), moments to install, and a recommended reboot (although only 3% of the systems I personally patched technically required it). The entire procedure for patching a single system would require less than 5 minutes to perform (omitting the time of the reboot). Distribution of this patch on scale is also relatively trivial for someone whose position it is to do it. Trivializing this (or any) security patch is quite a gamble. As Security Center Editor for eWeek, it surprises me that you would take such a position. Any vulnerability that would allow for remote code execution and elevation of privilege should be treated as a top priority, from both internal and external attack vectors. An issue such as this should not be treated as a likelihood; it should be treated as a possibility. When you think in this manner, your priorities change. I'm not trying to badger you, but in light of the Disney, CNN, ABC, and The New York Times mishaps (amongst others), I must admit that I'm glad I don't follow your column or style of advise. On 8/17/05, Larry Seltzer <larry () larryseltzer com> wrote:"So patch your systems, but don't miss your kid's play in order to do it.We've seen a lot worse than this in the past."Brilliant advise[sic]!Yeah, clearly I timed the column badly, but I still think there's more smoke than fire on this outbreak. If it had been International Paper or some company like that rather than media outlets I suspect it wouldn't be getting all this attention. I also think it's fair to say that when it dies down, relatively soon, it won't achieve the endemic status of Blaster and Sasser because it will have little or no presence on consumer systems. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine larryseltzer () ziffdavis com-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg () netzero net or fergdawg () sbcglobal net ferg's tech blog: http://fergdawg.blogspot.com/
-- ME2 <http://www.santeriasys.net/> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- It's not that simple... [Was: Re: Disney Down?] Fergie (Paul Ferguson) (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)
- RE: It's not that simple... [Was: Re: Disney Down?] Geo. (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Ron DuFresne (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] fd (Aug 18)
- Re: It's not that simple... [Was: Re: Disney Down?] Nick FitzGerald (Aug 18)
- Re: It's not that simple... [Was: Re: Disney Down?] Ron DuFresne (Aug 22)
- Re: It's not that simple... [Was: Re: Disney Down?] James Tucker (Aug 19)
- Re: It's not that simple... [Was: Re: Disney Down?] Barrie Dempster (Aug 19)
- RE: It's not that simple... [Was: Re: Disney Down?] Geo. (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)