August 12, 2004 4:00 AM PDT

Microsoft's blast from the past

A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program: "billy gates why do you make this possible? Stop making money and fix your software!!"

Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers' computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.

News.context

What's new:
The release of SP2, Microsoft's security-conscious update to Windows XP, comes a year after the MSBlast worm tormented PC users.

Bottom line:
The update pulls together lessons learned from major attacks on Microsoft software. Whether it will make computers as secure as customers expect it to remains unclear.


Microsoft's overhaul of the software underwent a fast shift in direction--from a focus on features to an overwhelming concentration on security--after the rapid spread of MSBlast last summer threw doubt on the operating system's protections.

The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.

"This time last year was a really exciting time," said Amy Carroll, director of product management in Microsoft's Security Business and Technology Unit. "There wasn't a lot of sleep involved."

The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.

A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through changes to the Windows XP code and configuration, the update adds better security to the operating system's handling of network data, program memory, browsing activity and e-mail messages.

Hard lessons

Major virus incidents drive Microsoft to kick-start security initiatives.


INCIDENT
July to September 2001: Code Red worm and Nimda virus grab headlines.

RESPONSE
October 2001: Microsoft creates Strategic Technology Protection Program and three months later launches the Trustworthy Computing Initiative.


INCIDENT
January 2003: Slammer spreads using a six-month-old flaw.

RESPONSE
June 2003: Microsoft revamps security updates, focuses on convincing customers to patch their systems and finds other ways to protect unpatched customers.


INCIDENT
August 2003: MSBlast echoes across the Web.

RESPONSE
October 2003: Microsoft changes its next Windows XP service pack to focus on security.

August 2003: Microsoft kicks off a "Protect Your PC" campaign.

October 2003: The software maker starts a fund aimed at rewarding people who help locate and prosecute virus writers.


Source: CNET News.com

Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.

"It is probably too early to say whether SP2 will meet its promise," said Alfred Huger, senior director of engineering at Symantec, a security company. "That said, it's a great step in the right direction. We still have all the same fears as before, but we are in a better place to deal with them."

Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft's Carroll said.

For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been fixed, she said. Even if it hadn't, SP2 has an automatic update feature that would have installed the Microsoft patch before MSBlast propagated. Then, if a user turned off that update feature, SP2's improved firewall would have blocked the worm. And if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast's attempts to infect computers would have failed.

"There is a whole cascade of defenses that make the operating system more resilient overall," Carroll said.

Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw during that half-year.

"This is the most secure version of Windows that we have shipped yet," said Carroll, who issued a plea for customers to apply the patch. "That said, it is not a 'silver bullet,' and we are doing a lot of other things to address security."

Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged. IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.

Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the past three years have taught the software giant that security is not simple. The result is that the company pushes for security on multiple fronts.



The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.

Although it is harder to create network worms that can penetrate Windows XP SP2's defenses, it can be done, Symantec's Huger warned.

"It would stop the old MSBlast. I don't know if it would stop a new one," he said. "This isn't the end of the network worm, but it makes more sense (for attackers) to focus on other methods."

Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely come in the next few months, once those researchers' efforts bear fruit.

"Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2," Larholm said.

14 comments

Time increase penalties
Most of these "hackers" are unemployed bums with a small amount of knowledge and virtually no knowledge of the real world. These people destroy other people's property for no particular reason. It is time to put these people away just like you would a burglar or mugger. Twenty years with no computer access should do the trick. Oh yes, fifteen of those years in prison with a guy named Bubba might help too.
Posted by (1 comment )
Following Logic
Assuming that most hackers are indeed unemployed bums, it stands to reason that due in part to their lack of sufficient finances, and their warped view of right/wrong, they are probably also the kind of people who think that all software should be free, the copyright system in America is broken and thus void, and capitalism is bad.

Of course, not all hackers are poor ignorant kids... some are intelligent criminals. Either way, I agree that they should be locked up.
Posted by David Arbogast (1709 comments )
This just kills me
Now comes SP2. This is the most secure and stable OS yet from
Microsoft. Sound familiar? That line has been on every MS
install screen since Win95. When are all you yahoos going to
wake up and use something else? SP2 will be just as buggy as
all its predecessors.
Posted by unixrules (21 comments )
Your comments kill me
A claim of "best system yet" with every release is great. It means that every system is an improvement over the previous system. Show me a product that does not make these claims, and you will probably find that you are looking into the garbage can.

Something interesting about the article you obviously failed to pick up on... all of those vulnerabilities were patched before the exploit was released. Just as with any other operating system, staying current helps keep you safe. Microsoft fixed their bugs before there was ever a problem. Good work on their part. Infections were caused by user negligence.

Personally, I would rather use a system that has shown continual improvement, year after year, for more years than Linux, the OS preferred by hackers, has even been alive. I also prefer to use a commercial product that keeps myself and my company shielded from intellectual property violation litigation.

You should spend some time researching bugs for real. Get away from slashdot and CNet... check out CERT. You'll probably be surprised when you compare the number of known bugs in Windows to Linux.
Posted by David Arbogast (1709 comments )
Genius, what you recommend?
What OS do you use? What do you recommend? Windows is 9 of every 10 PCs, so of course that is going to have more vulnerabilities than MacOS or Linux. Only few people try to make worms for MacOS or Linux, because less people are using it.
Posted by audiophile7 (5 comments )
Can't boot anymore after SP2!
I installed SP2. Now I can't boot. It's not like I have nonstandard hardware either. Intel 3.0 GHz CPU with hyperthreading, Intel Motherboard, ATI video card. It even locks up when I try to boot in "Safe Mode". The last file listed is agp440.sys. Thanks a lot!
Posted by jamesivie (8 comments )
bummer
That's why smart businesses apply patches in a test environment before putting them on production machines. You must have a very rare incompatibility problem or something. How much time did you spend researching hardware/software requirements before downloading?
Posted by David Arbogast (1709 comments )
Fixed!
OK. After several hours of research, I found the problem. My motherboard (only got it 2 months ago, Intel D865PERL) had a BIOS that was 10 versions out of date. I installed the latest BIOS and it came back up just fine. Whew!
Posted by jamesivie (8 comments )
Didn't you know...
Then it is working perfectly. You can come under a cyber attack if you can't load Windows. At least that is Microsoft's thinking. So SP2 disables Windows. After all it is almost one big virus itself. Now your computer and data is safe.

8^)

Robert
Posted by (336 comments )
cant boot
you know you've been screwed you haven't got the boot
disks
how can you fix it Microsoft sell systems without the boot
disks
Posted by dwhite25 (23 comments )
Windows will always be vulnerable
Microsoft should redesign Windows from zero. They keep making updates and making changes to the actual structure of Windows, so, new bugs and worms are going to appear. They need to REDESIGN Windows and maybe that way is the way that they are going to stop worms and virus for a while.
Posted by audiophile7 (5 comments )
I agree...
I agree. I also think that Longhorn is going to be close to this, which is part of the reason it is taking so long.

Part of the problem is that the core of Windows is so old and out of date that they just keep slapping basically one coat of makeup after another on an old dead corpse hoping to pass it off as fresh and alive.

Photoshop is the same way. It is way past time that Adobe just bite the bullet and start over so that they can do things like live filters, saving history as an action, etc.

I think the problem is that companies are terrified to do this. They see it as a very expensive nightmare and that is something they don't really want.

I also think that no matter what computer software is always going to have problems. Hell even little cell phones are turning out to be unsecure, we are seeing virii coming out for them now. I also think that Microsoft has some of the buggiest stuff around, but they do seem to be getting better. Security aside Windows XP has been the most reliable version of Windows to date and I expect Longhorn to be better, that is if it ever ships.

Robert
Posted by (336 comments )
 
