Microsoft’s quick response to network worms….



This is an ironic title because, frankly, Microsoft has seemed slow in delivering solutions for the recent Zotob worm. Of course, they announced the vulnerability and the accompanying update to fix the issue to begin with, but after the virus started propagating what do we see from Microsoft? They have a page titled What you should know about Zotob.



Their main page has a big ad for a free trial of Office, another big ad encouraging you to upgrade your server, an even bigger ad highlighting different music players, and a thin line at the bottom in relatively small print and plain text (smaller by far than the ads) titled What You Need to Know About the Zotob.A Worm. As of this writing it is rated as a low threat (although it allows for remote control of a PC?) and they have only listed variants A-C while most virus vendors are already talking about .D, .E and .F (and now .G).

Their malicious software removal tool has not seen an update in over a week and a half, so they offer no automated removal tool. (August 9 was the update, along with their security fixes for the month.) They do give manual instructions for the A-C variants in their malicious software database. The fact is, though, that they are lagging behind the antivirus vendors in providing solutions.

A little over a year ago, Microsoft bought an antivirus company (a GOOD antivirus company). I used one of their products on a linux mail server I administer. They promptly killed off the linux server flavors, and when the subscription for updates expired so did my use of the product. Given that they are the single most dominant software company in the world, isn’t it funny that they can’t seem to get a removal tool out the door quicker than x, y and z antivirus company?

Beyond that, it boggles my mind WHY plug and play, which is focused on LOCAL hardware detection, had to have a network-capable call.

Now this current worm isn’t as widespread as it might seem. (When the media is affected that magnifies the seeming impact.) But, about half of business workstations run Windows 2000 still. I’m just wondering if and when Microsoft really will get serious about security.

Now, I know they’ve said they have refocused on security, but I’ll ask a few things. How is it that vulnerabilities can be held and released one Tuesday a month? My perspective is, if you know about a bug that could let someone remotely exploit a system, you get the announcement and fix out as soon as possible. One of these days a virus is going to beat Microsoft to the punch and the consequences are going to be pretty rough. Now in all fairness, Windows 2000 was probably in design stages in 1997, so there are some fundamental architecture issues that perhaps cannot be significantly solved. Microsoft at some point should bite the bullet on compatibility and venture to redesign/rethink the system from a security standpoint. Their incremental changes are maintaining compatibility, but at the expense of a spaghetti of vulnerabilities hidden in absurd thoughts (pnp receiving data from the network).

The fact that a security patch on one thing can affect several other pieces of software is a fact of life. Microsoft needs to approach the concept of patches differently. Maybe design a patch so that it can be easily rolled back, or that a vulnerable unpatched service can be run “in a sandbox” that can’t escape to the rest of the system.

Over at Security Fix, Brian talks about the recent worm event and points out, among other things, that we’ll have this one with us a while. (We still have many of the old worms still active online.) Among other things he reminds us it was 5 months after the Blaster worm that Microsoft offered a removal tool. (There’s snappy service for you….) He also points out that there have been times that Microsoft has put some of its cash to use and offered rewards for the arrest of virus writers. This is something that they should seriously revisit, as it seemed to pay off. The only problem is they only stepped up with money when a virus was an extreme embarrassment.

I think this last point is a sign that they’re still not serious about dealing with the security problem that they’ve brought us to. They need to PROMINENTLY display information about vulnerabilities on their main corporate page and use their power to accomplish something significant in the war against worms and viruses.

Until then I don’t foresee leaving linux as a desktop platform, because it puts more of its security in my hands and not up to the whims of the manufacturer… I run as a user, not as an administrator; this mitigates a lot of threats. If there is a server that’s particularly exploitable, it can be run in a chroot’ed environment. I have more control over what services run and what services do not. In Windows there are sometimes peculiar connections between various services.
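As an added example (not from the original post) of the chroot-plus-unprivileged-user mitigation mentioned above: a small POSIX shell audit that checks a jail directory for the things that would let a confined service break back out, and refuses to start the service unless the jail is clean. The jail path, the user name and the service command are assumptions, and the final chroot step needs root and GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Audit a chroot jail before
# running an exploitable service inside it, then launch it as an
# unprivileged user. A chroot only confines a process that is NOT root,
# so dropping privileges is part of the mitigation, not an extra.

# jail_audit DIR: print anything that would let a jailed process regain
# privilege or reach outside the jail; return 1 if something is found.
jail_audit() {
    jail="$1"
    findings=0
    # setuid/setgid executables let a jailed process regain privilege
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then
        echo "setuid/setgid files in jail:"; echo "$suid"; findings=1
    fi
    # device nodes (e.g. a raw disk node) bypass the jail entirely
    devs=$(find "$jail" \( -type c -o -type b \) 2>/dev/null)
    if [ -n "$devs" ]; then
        echo "device nodes in jail:"; echo "$devs"; findings=1
    fi
    # world-writable directories without the sticky bit let the service
    # replace files other users (or a later restart as root) will trust
    ww=$(find "$jail" -type d -perm -0002 ! -perm -1000 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "world-writable directories in jail:"; echo "$ww"; findings=1
    fi
    return "$findings"
}

# run_jailed DIR USER CMD...: start CMD inside DIR as USER, but only if
# the audit is clean. Requires root and GNU coreutils chroot --userspec.
run_jailed() {
    jail="$1"; user="$2"; shift 2
    jail_audit "$jail" || { echo "refusing to start: jail is not safe"; return 1; }
    exec chroot --userspec="$user:$user" "$jail" "$@"
}
```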

There is an age old debate about “if Linux had 90% market share it would have just as many worms…” I don’t think that if 90% of the market were running Linux (or a combination of Linux and Mac, which is really a BSD-based cousin), we would see these kinds of outbreaks. The main reason is that there are so many different varieties of linux, and there is an entirely different (componentized) security model. Additionally, there are many different implementations of various software that could be vulnerable.

This article gives a good overview of where the writer stands in that age old debate. Among other things he points out that more linux machines make up the backbone of the internet than windows machines which would seem to counter the “if there were as many linux machines” claim. I would think network backbone machines would make a more interesting target than Mom’s desktop PC. It’s an interesting read and worthwhile if you’re thinking about a switch (even if you’re not).
