[unisog] [dc-sage] Code Red mutated? (fwd)

Peter Van Epp vanepp at sfu.ca
Mon Aug 6 21:21:31 GMT 2001

> I happen to know the Microsoft security folks personally, and I can assure 
> you that they care deeply and are working very hard to improve.  But 
> they're fighting an uphill battle when their customers won't do their job.

	To which I'd reply probably very true (since I don't know the Microsoft
Security folks), but the security folks aren't all nor apparently an even very 
important part of Microsoft. The heaviest uphill battle they seem to be facing
is against the Microsoft developers/marketing people not the users. Take apache
as an example. It runs on NT, last I heard it was around 40% of the deployed
web servers on the net. Seen a worm that exploited apache but not IIS (cross
site scripting I believe hits both although I'm not a web expert)? Seen exploit
after exploit against apache? I haven't. To me this would say a reasonably 
stable web server isn't impossible. If apparent rampant featureitis was
swapped for product testing and security reviews before shipping by the people
that are supposedly experts then we wouldn't have to be concerned that non
experts don't see the need to patch a product that someone sold them as 
supposedly working and one that installs stuff such as iis by default whether
the user knows it or not. I'd also point out that when Microsoft's own update
web site gets hit by the worm is that a customer's fault or an indication that
the product is so poorly implemented that even supposed professionals can't
operate it properly? I know what my opinion on that subject is.
	This is without even mentioning Outlook Distress's fine record on the 
email virus front (against for instance Eudora which we mostly run). I'm sorry 
but I don't agree that the customer is at fault here (other than by buying 
Microsoft, but hey what's a non expert to do? They are the market leader). As
much as I'd like it to be so Unix isn't the answer for the masses either.
I will disclaim that this is my personal opinion on this subject (as I should
have on the last one on this subject). Despite all of this I've been reasonably
lucky. We've had only around 20 or so machines out of our 8 to 16 thousand
machines (depending on whether you include our dial up users or not some of 
whom have been infected) but it's still a pain in the butt. I hate to think
what would be happening if we were a heavily Microsoft campus.

> For example, the ISAPI vulnerability that Code Red exploits was patched 
> almost a full month prior to the first infection.  The relative path 
> exploit that the Code Red II worm uses to activate its trojan was patched 
> over a year ago.
> If people won't run the patches and Service Packs in a timely manner, what 
> is MS supposed to do?  Name a vendor other than Red Hat and Debian that has 
> made patches as easy as Windows Update makes them.
> The problem is two-fold:
> 1) People with no ethics who have no qualms about breaking in to other 
> people's equipment
> 2) IR folks and individuals who, for whatever reason or excuse, won't 
> update their equipment.
> The first isn't fixable.  The second is.
> --On Monday, August 06, 2001 10:46 AM -0700 Peter Van Epp <vanepp at sfu.ca> 
> wrote:
> >	 I expect the liability issues would be horrendous. What if your fixit
> > worm screwed up with some particular configuration and destroyed the
> > machine instead of fixing it? You can't be sure there isn't such a
> > configuration with the breadth of systems out there. If you are
> > Microsoft, you have deep sueable pockets and I expect are used to bad
> > publicity about security because you get so much of it and apparently
> > care so little: "iis the NT root kit posing as a web server"  ...
> >
> > Peter Van Epp / Operations and Technical Support
> > Simon Fraser University, Burnaby, B.C. Canada
> >
> >>
> >> Is there a point when it would just be easier to write the Red-fix worm.
> >> Does patch by force ever make sense.  You think someone at micro$oft
> >> would do it just for "damage control".
> >>
> >> (the patch would probably open ten new holes)
> >>
> >> 	--Mike
> >> ___________________________
> >> Michael Lang    mlang at lanl.gov
> >> Los Alamos    National Laboratory
> >> ph:505-665-5756,     fax:665-5638
> >> MS B256, Los Alamos, NM 87545
> >>
> >>
> >>
> >
> Paul L. Schmehl, pauls at utdallas.edu
> http://www.utdallas.edu/~pauls/
> Supervisor, Support Services
> The University of Texas at Dallas
> AVIEN Founding Member
