Blaster rewrites Windows worm rules

The Register ^ | Aug 14th, 2003 | John Leydon

[yhwhsman]

Thought you might like to know who is at risk from the Blaster worm, as well as how to go about preventing infestation (virus' infect, worms infest?).

Recently it was learned that the computers of the GNU Project had been hacked in March, but evidently this was because they allowed outside users access as local users. Macintosh's and Linux/Unix/*BSD systems are still the most secure.

BTW, a very good firewall can be downloaded from Zone Labs. And Gibson Research Center has an online scanner called Shields Up! that can test your computer for online vulnerabilities.

Yhwhsman

[yhwhsman]

A story on the GNU Project appears here. Thought I had it linked in my comment. :)

Yhwhsman

[StatesEnemy]

WARNING!
The Service Packs and Updates and documentation distributed on the Microsoft® Windows® Web site are provided for your personal use and may not be distributed. The entire risk arising out of the use or performance of such products and documentation remains with you. In no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the products or documentation, even if Microsoft has been advised of the possibility of such damages.

[D-fendr]

Microsoft patch process called into question:

AUGUST 14, 2003 ( COMPUTERWORLD ) - Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that in some cases could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they aren't.

That warning comes from Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp.

But Stephen Toulouse, a security program manager at Microsoft, strongly disagreed with Cooper's claim about Windows Update, calling it unfounded.

According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch. Until last night at least, Windows Update relied only on the "registry key" information associated with each patch to determine whether a system had a specific patch. When a user goes to the Windows Update site, it first scans the user's system for such registry keys to determine which patches are installed on the system.

The problem is that a system may have the registry keys associated with a particular patch even though the patch itself hasn't been installed on the system. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it, according to Cooper.…

[Leroy S. Mort]

What You Should Know About the Blaster Worm and Its Variants

[Leroy S. Mort]

This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it, according to Cooper.…

I've installed hundreds of patches on scores of computers and never ever encountered this problem. Rare....very rare.

[RedBloodedAmerican]

Ingenious worm. I wonder if hactivismo was behind it.

[Paul C. Jesup]

And Mac, Linux, OS/2, eComStation, and Unix computers are immune to this Microsoft-specific vulnerability.

Don't say that too loudly, current Mac, Linux, OS/2 can all be traced back to Unix software that have suffered from Unix based computer viruses and worms.

[Nick Danger]

This is interesting... I found this here.

Microsoft no longer limits its liability when a customer suffers damages due to gross negligence or intentional misconduct on Microsoft's part, said Morris Kremen, associate general counsel at Microsoft, in an interview on Tuesday.

The improved legal protection on Microsoft products are part of changes the company made earlier this year in its volume licensing program, according to Kremen.

In older contracts, Microsoft only agreed to pay legal fees and be accountable for charges of gross negligence or intentional misconduct up to the value of the software a customer bought. Software buyers did not care for that and often protested those provisions in contract negotiations, Kremen said.

"Customers were not happy with that as a fair allocation of risk and they thought it was too protective of Microsoft," Kremen said.

The changes to the licensing policies went into effect first in the U.S. in March and were introduced in the rest of the world in the months after that. "It is about risk and giving the customer the peace of mind they were asking for," Kremen said.

I think what this means is that Microsoft has agreed to be liable for any amount of damages caused by gross negligence or intentional misconduct on Microsoft's part.

There has got to be some ambulance chaser out there who can fashion what happened here into a gigantic class action suit. The lawyer would have to persuade a jury that all this stuff happened due to Microsoft's "gross negligence," but juries have awarded huge sums to smokers who were told on every pack that the Surgeon General said smoking could kill you. So a clever lawyer might well relieve Microsoft of a few billion over this.

[Leroy S. Mort]

The lawyer would have to persuade a jury that all this stuff happened due to Microsoft's "gross negligence,"

A tough sell since the patch to avoid this worm has been available from Microsoft since the middle of July and the worm itself didn't show til this week.

[sigSEGV]

Microsoft is not negligent in writing bad code, but they are negligent for stupidly having a network available service running on every PC with System level access that 99% of users don't need.

[Nick Danger]

A tough sell since the patch to avoid this worm has been available from Microsoft since the middle of July

It does no good to try the case here in the forum. The Surgeon General Warning had been on every pack of cigarettes for twenty years. That did not stop several juries from holding tobacco companies responsible for other people's failure to heed the warnings. Either some lawyers will do this, or not, depending on whether they see billions at the end of the rainbow. Worldwide, Microsoft's damages could easily run to 8 or 10 billion from all the havoc caused. That has got to have a few of those trial lawyers salivating.

[sigSEGV]

Oh, and to make you all sleep better -- an interesting take on the blackout.

http://www.securityfocus.com/archive/1/333521

[Leroy S. Mort]

Worldwide, Microsoft's damages could easily run to 8 or 10 billion from all the havoc caused.

My money says MS doesn't have to pay a dime of "damages" from this.

[MarkL]

Microsoft is not negligent in writing bad code, but they are negligent for stupidly having a network available service running on every PC with System level access that 99% of users don't need.

Microsoft has a long history of making things easy to use and administer, but nightmarish for security. Examples include the way everything is integrated, making both IE and Outlook Express extremely vulnerable to attacks and infections (although things are getting better), the way file system security in NT/2000 systems worked (all rights is the default), etc... At least in Win2003 server, all the services are turned off by default, and you have to manually turn the services on if you want or need them.

Mark

[shadowman99]

A co-worker was telling me his system was infected. He has a win2000 box behind a Lynksys router/firewall. He has remote logon turned off at the router. How could such an infection take place? Is he high?

[supercat]

This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it, according to Cooper.

I've installed hundreds of patches on scores of computers and never ever encountered this problem. Rare....very rare.

Rare for now. What about when worms 'phone home' about what registry keys they need to adjust to make a user think the relevant patches are already installed?

[Southack]

The legal angle for MicroSoft versus viri/worms/hackers is like the legal angle for Ford and General Motors versus car thieves (aka real world hackers, as in, they hack through your windows and into your car).

If GM doesn't make a good car alarm, or if GM doesn't turn on your car alarm for you even when you leave your own car unlocked, should you be able to sue GM for damages when your car gets stolen and you lose business because you don't have your car for that all important meeting?

Or...and here's a novel idea...should you be able to sue the hacker/thief for her illegal hacking/theft?!

Who is ultimately responsible? The thief/hacker? The corporation/manufacturer? The owner/user?

Of those parties, which committed the illegal act?

[Nick Danger]

Who is ultimately responsible? The thief/hacker? The corporation/manufacturer? The owner/user?

What difference does it make? The lawyer will go after the deep pocket. We have a whole industry now of lawyers who go after deep pockets. Spill your coffee on your private parts? It's not your fault; it's McDonalds' fault. Fall off a ladder? It's the ladder manufacturer's fault. These lawsuits win all the time. Do they make any sense? It doesn't matter.

To say it can't happen here is wishful thinking. Of course it can. Kara Walton sued a nightclub after she fell out of a bathroom window and had her two front teeth knocked out. She won $12,000 plus dental expenses. She fell from the window, which she was using to sneak into the club to avoid the $3.50 cover charge. Who performed the illegal act? She did. Who paid? The nightclub. This crap happens every day.

[Leroy S. Mort]

Rare for now. What about when worms 'phone home' about what registry keys they need to adjust to make a user think the relevant patches are already installed?

Should that occur, I'd expect MS to go to other means instead of registry querying to validate hotfix installs. In fact, freeware already exists which does this.