[unisog] [dc-sage] Code Red mutated? (fwd)

Paul L Schmehl pauls at utdallas.edu
Mon Aug 6 23:07:40 GMT 2001


Comments inline.

--On Monday, August 06, 2001 2:21 PM -0700 Peter Van Epp <vanepp at sfu.ca> 
wrote:
>
>	 To which I'd reply probably very true (since I don't know the Microsoft
> Security folks), but the security folks aren't all, nor apparently even a
> very important part, of Microsoft. The heaviest uphill battle they seem
> to be facing is against the Microsoft developers/marketing people, not the
> users.

There's no doubt that they haven't won the battle yet, but they also aren't 
going to give up.  And you're absolutely right that the corporate culture 
at MS has to change.  I fully expect it to.  Many of you have probably 
heard of David LeBlanc (one of the principal programmers of ISS RealSecure 
and a frequent contributor to NTBUGTRAQ and bugtraq.)  He came on board at 
MS Security almost a year ago.  That should give you a sense of how serious 
they are.

> Take apache as an example. It runs on NT; last I heard it was
> around 40% of the deployed web servers on the net. Seen a worm that
> exploited apache but not IIS (cross site scripting I believe hits both,
> although I'm no web expert)? Seen exploit after exploit against apache?
> I haven't. To me this would say a reasonably stable web server isn't
> impossible.

It says the same to me.  But Apache is not without its problems, as the 
recent thread about directory traversal (in bugtraq) shows.  Nobody's 
perfect.  MS is just less perfect than others perhaps.

> If apparent rampant featureitis was swapped for product
> testing and security reviews before shipping by the people that are
> supposedly experts, then we wouldn't have to be concerned that non-experts
> don't see the need to patch a product that someone sold them as
> supposedly working, and one that installs stuff such as IIS by default
> whether the user knows it or not.

All stupid things in my view, and things for which MS should be (and is) 
roundly criticised.

> I'd also point out that when
> Microsoft's own update web site gets hit by the worm is that a customer's
> fault or an indication that the product is so poorly implemented that
> even supposed professionals can't operate it properly?

I'd be more inclined to say that it's a clear indication of the problem 
that I'm trying to get at here.  That people just don't have a serious 
enough concern for security.

Keep in mind that MS is a huge company with a lot of employees.  As all of 
us should understand fully (being in edu), you can't possibly control 
everybody all the time.  No amount of preaching will get all the troops in 
line.  Hopefully, whoever allowed the windowsupdate site to be hacked by 
the worm was either severely reprimanded and/or reassigned.

>  I know what my
> opinion on that subject is.
>	 This is without even mentioning Outlook Distress's fine record on the
> email virus front (against, for instance, Eudora, which we mostly run). I'm
> sorry, but I don't agree that the customer is at fault here (other than
> by buying Microsoft, but hey, what's a non-expert to do? They are the
> market leader).

I'm not saying the customer is at fault.  I'm saying the customer must 
admit to and share some of the blame.  I'd be willing to bet that you keep 
your *nix boxes patched.  How long before the Poisonworm came out had you 
patched all your boxes against the sadmind exploit?  On the Windows side of 
the house, there isn't this same diligence (or even awareness) for security.

I recently read a thread in the focus-ms group (securityfocus.com) where a 
guy asked if anyone had ever seen a MS box that got hacked "like a Unix 
box".  Now that displays a real naivete, but I don't think it's unusual on 
the Windows side, both users and admins.

Our own admins constantly complain about me being "too paranoid".  (As if I 
care.  I still bug them to patch.)

>  As much as I'd like it to be so, Unix isn't the answer for
> the masses either. I will disclaim that this is my personal opinion on
> this subject (as I should have on the last one on this subject). Despite
> all of this I've been reasonably lucky. We've had only around 20 or so
> machines out of our 8 to 16 thousand machines (depending on whether you
> include our dial-up users or not, some of whom have been infected), but
> it's still a pain in the butt. I hate to think what would be happening if
> we were a heavily Microsoft campus.
>
We had 40 boxes compromised by Poisonworm.  Many were "newly discovered" 
boxes.  We had 10 from the first round of Code Red (hey, we're improving.) 
And one from the second round (some TA figured out how to install IIS on 
Win9x!)

But we've had Linux boxes with default installs hacked as well, and I'm 
sure you have too.  My whole point is that attitudes about security need to 
change.  We can't change what the vendor sends us.  And we can't change 
what people buy, much as we'd like to.  But we'd damn sure better change 
our attitudes about security and start educating our campuses about the 
dangers, or the future will be very bleak.  We'll spend all our time 
chasing hacked boxes and cursing at the darkness.

Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
