August 15, 2003 4:00 AM PDT
Squashing the next worm
Two years after the Code Red and Nimda worms spread across the Internet, home users and many companies still aren't doing enough to secure themselves against Internet threats, said security experts.
"Software is still flawed, people are still not patching, and companies are still not making security a focus," said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. "They didn't after Code Red, they didn't after Nimda, and they didn't after Sapphire/Slammer. Most likely, they won't after this worm either."
The criticism comes after the poorly programmed MSBlast worm spread worldwide. Despite numerous flaws in its code, the worm--also known as W32/Blaster and W32.Lovsan--infected more than 330,000 computers running Microsoft Windows. The computers were vulnerable as the result of a month-old flaw their owners had left unpatched.
The same script played out during the Code Red worm epidemics in July and August of 2001, the Nimda worm attack in September 2001 and the Slammer attack this past January. The lack of progress in lessening the effects of such attacks has security experts worried that companies and individuals are making too little headway, if any, in securing their computers.
"This worm shows that, even in a relatively sane scenario, what many are doing doesn't work," said Ted Julian, chief strategist for network-security company Arbor Networks. "We had weeks to prepare, and we aren't able to secure everything."
The statements come six months after the Bush administration released the first version of the United States' National Strategy to Secure Cyberspace, a document which aims to focus the efforts of government agencies and private industry toward defeating digital threats and protecting infrastructure.
Despite the release of the strategy, security on the Internet remains flawed at best. For example, a key piece of infrastructure for millions of Windows users will come under attack starting at 4 a.m. PT when worm-infected computers from the Asia-Pacific region start flooding Microsoft's Windows Update site. As successive time zones reach midnight on Friday, the attack will grow.
Microsoft hasn't detailed what steps it is taking to dodge the attack. However, the software giant is advertising alternative ways to get downloads and information from its site. The company has put more than 10 links on its main Web site to send people to more information and alternative channels for downloading updates.
In addition, the company has changed the Internet addresses to which the domain Windowsupdate.com refers, which likely means that a different network will handle the brunt of the attack. A source familiar with the changes said that the new addresses are on a network isolated from other Microsoft computers, so if the network is bogged down by the attack, the company will suffer no other ill effects.
The company will take steps in the future to better lock down PCs as well, said Jeff Jones, senior director for Microsoft's Trustworthy Computing initiative.
"For add-on security software, we are going to look at erring on the side of security rather than features and settings," Jones said.
The Internet Connection Firewall, a basic piece of software security that comes with Windows XP, will likely be turned on by default in the future, Jones said. He couldn't say when that will happen, however. The switch could occur in the next big update, known as a service pack, or be held off until a new version of the Windows operating system is released.
Moreover, software makers need to make their applications work better with the security of home computers, rather than bypassing the protections, said Fred Felman, vice president of marketing for computer-security software maker ZoneLabs.
"Application vendors do need to be more responsible about what services they do need to open up," Felman said.
Many times, consumers who have turned on firewalls will turn them off whenever an application doesn't seem to work properly. Often, they forget to turn the firewall back on.
Such basic training is also necessary to raise the level of awareness among home users, perhaps the category of PC user most responsible for vulnerable systems on the Internet. Education has been repeatedly touted as a solution to security woes. However, people still remain ignorant about many of the aspects of security and almost always pick convenience and whiz-bang features over security, Felman said.
"It is all this idea that people have valued productivity over security for a long period of time," Felman said. "We have been making more services and applications available to people (on their computers). As a result of this, we are all more vulnerable."
Microsoft's Jones pointed out that the news regarding MSBlast is not all bad. Considering that the flaw the worm exploits is thought to be the most widespread to date--potentially affecting hundreds of millions of PCs and servers--a Code Red-size epidemic is not that bad.
"The infections are lower (in relation to) the potential for spread of this thing," Jones said. "I think the industry has done a good job of getting the industry message out there. I can only make a personal observation: I'm glad it wasn't worse."