funsec mailing list archives

RE: Gadi Busted In Massive Conspiracy


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 05 Feb 2006 07:30:58 +1300

Sean Donelan to me:

Also, smart bad guys will ensure that they take sound steps to block
access to the WU servers, so that once run they prevent being usurped
by new MSRT updates, just as they already do with AV, etc...

Remember, when playing in a blacklisting-controlled environment (i.e.
modern "known virus scanning" AV) the bad guy has the upper hand
because his code always gets to run first...

That's why it's important to get people with *UNMANAGED* PCs to turn on WU
auto-update.  PCs managed by professional IT sysadmins or actively
self-administered are not the target of WU auto-update.

Hey -- you're preaching to the choir here...

I was one of many people who tried (and failed) to convince MS that 
they MUST enable auto-update _as the default_ in XP (at least in Home, 
but we argued pretty strongly that they should make it the default 
across the board for ALL current and future OSes on the grounds that 
"competent" sys-admins would then decide if they needed it configured 
differently and the less-than-competent many (vast majority!) would at 
least be somewhat protected from their own lack of clue).  We failed 
again in SP1 (though I think by then all the vaguely security aware 
folk inside MS agreed, but they failed to convince some or other 
"business manager" -- I suspect "imagine the bandwidth bill" rang out 
in response to these suggestions...).  By the time it came to SP2 they 
had learned that maybe we had a few clues about what we were talking about 
all along, and were fighting a dirty PR campaign trying to spin the 
stupidity of their earlier poor decisions on this and its resulting 
worm-fests...

WU should "run first" and install patches or updates before the exploits
start appearing after the public announcements (0-day is still a problem).

Absolutely...

The best AV is to eliminate the vulnerability by preventive medicine,
rather than trying to cure the machine after it's infected.  It would be
great if software had no vulnerabilities, but absent that, the next best
thing is effectively patching as many machines as soon as possible.

Well, it's not AV's job to eliminate and prevent vulnerabilities (other 
than in their own products).  That is the responsibility of the OS and 
application developers in the first instance, and would be greatly 
assisted if large corporate buyers started factoring security and 
integrity assurance issues into their RFIs and, ultimately, into their 
supply contracts.

Nevertheless, WU auto-update won't help as much with the self-infect
vectors.  ...

...which is primarily what AV does deal with (or is supposed to).

Viruses need not include any form of vulnerability exploitation.  Those 
that do will, all other things being equal, tend to have better rates 
of spread, etc, but that is independent of their virality per se.  
Virality is a function of system integrity failure, and historically we 
have done an abysmally poor job of designing integrity management and 
assurance into (popular) computer systems.

...  Once you are owned, I wouldn't trust MSRT or any AV product to
completely restore a compromised computer because you never know what you
don't know.  The MSRT is an "air drop" to help control the worst
infections among the unmanaged PC population.  MSRT is not a replacement
for other security products or IT management.

More preaching to the choir...    8-)


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
