August 17, 2004 12:22 PM PDT

Study: Unpatched PCs compromised in 20 minutes

Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.

According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.

The Internet Storm Center, which is part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet Protocol addresses and timing the frequency of reports received there.

"If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center, which provides research and education on security issues, said in a statement.

The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats.

Scott Conti, network operations manager for the University of Massachusetts at Amherst, said he finds the center's data believeable.

"It's a tough problem, and it's getting tougher," Conti said.

One of Conti's administrators tested the center's data recently by placing two unpatched computers on the network. Both were compromised within 20 minutes, he said.

The school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date.

"We are giving the people the ability to remediate before connecting to the network," Conti said.

The center also said in its analysis that the time it takes for a computer to be compromised will vary widely from network to network.

If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch.

"On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots," the group stated. "If you are connected to such a network, your 'survival time' will be much smaller."

In a guide to patching a new Windows system, the Internet Storm Center recommends that users turn off Windows file sharing and enable the Internet Connection Firewall. Microsoft's latest security update, Windows XP Service Pack 2, will set such a configuration, but users will have to go online to get the update, opening themselves up to attack.

One problem, experts say, is network administrators' reliance on patching and their assumption that users will quickly patch systems.

Speaking recently at the Microsoft TechEd developer conference in Amsterdam, Microsoft security consultant Fred Baumhardt said the day is likely to come when a virus or worm brings down everything.

"Nobody will have time to detect it," he said. "Nobody will have time to issue patches or virus definitions and get them out there. This shows that patch management is not the be-all and end-all."

Baumhardt stressed the importance of adaptability, using the human immune system as an example: "Imagine if your body said, 'Hmm, I have the flu. I've never had this before, so I'll die.' But that doesn't happen: Your body raises its temperature and so on, to buy time while other mechanisms kick in."

"If the human body did patch management the way (companies do), we'd all be dead."

Matt Loney of ZDNet UK reported from London.

34 comments

Join the conversation!
Add your comment
Microsoft viruses: faster than Dominos
Your PC 0wned in 20 minutes or less or else its FREE Linux!
Posted by (60 comments )
Reply Link Flag
Ya then it just takes 20 days to fingure out Linux
Whatever. Wake me when Linux actually becomes easy to use and admin.
Posted by Jonathan (832 comments )
Link Flag
When Nachi was at its peak this time was 6 seconds
If installing a new box you literally had to turn the firewall on before connecting the network cable. It will be interesting to see if this number changes much over the next year as more people move to SP2 and the number of zombie machines comes down.
Posted by Dachi (797 comments )
Reply Link Flag
Firewalls don't address the root problem
of user ignorance.

You can pile on the latest anti-viral and firewall software on your PC, shut down file-sharing and all the other useless services crammed into windows, but all it takes is one stupid move such as openning an infected attachment - and it's game over.

With over 50 million lines of code in Windows, you can bet that there are a lot of day-zero exploits just waiting to happen.

I don't know which is worse - the bugs we don't know in Windows (because nobody has seen the source code), or the fact that a smart hacker could find a hole in open-source Linux. Hey, it's a tight OS, but I'm sure there are holes in that OS too.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag
RE: Direwalls don't address the root problem
"I don't know which is worse - the bugs we don't know in
Windows (because nobody has seen the source code), or the fact
that a smart hacker could find a hole in open-source Linux. Hey,
it's a tight OS, but I'm sure there are holes in that OS too."

Pretty obvious, I can see the code in OSS, so I have a better
chance of protecting myself. Imagine you are going to a foreign
country that is know for certain sicknesses, you know in advance
so you get certain inoculations before you go. The point being
that yes no one OS is perfect but if you can see everything then
you might have a better chance of survival. Using MS is like
putting all your eggs in one basket and letting your 2 year old
carry it home.
Posted by wrwjpn (113 comments )
Link Flag
who's got Windows source?
The republic of China
Posted by dwhite25 (23 comments )
Link Flag
An interesting addendum
Would be to create a similar chart for Mac OS X and for Linux.
Then c|net could write about that.

Oh wait... a story that might put Apple in a positive light? I
forgot this was c|net! Never mind!
Posted by (1 comment )
Reply Link Flag
Patches and the human body
What a poor misguided piece.
Not one word about the real root of the problem...MS
If the human body had to depend on MS to insure birth I certainly wish Bill G. would be the first nural implant.
Posted by R Me (196 comments )
Reply Link Flag
Duh!
As long as people choose to ignore causes and opt for symptom fighting instead the world will see no end to spam, spyware, zombied PCs, worms and what not.

For years the world has seen a steady increase in attack vectors and still the only answer to all that is symptom fighting. The blaming finger has been pointed to almost anyone and anything: users, administrators, managers, third-party software, developers, vendors, hackers, crackers and even politicians.

Is there any end in sight?

Realisticly speaking no. As long as plenty of people are willing to jump through hoops and see improvement in that then that's exacly the kind of customer demand that will be satisfied. Hey, it keeps the stock holders happy so why change the game plan?

In the mean time alternatives are getting spin doctered because they are not part of the business plan. But then who would expect Ford to recommend BMWs? Or even a Ford driver to admit that he would rather like to drive a BMW but is afraid of having to handle gears?

Lucky enough for us the alternatives are getting harder and harder to ignore though. Also because other stock holders (and tax payers) would like to improve their bottom line.
Posted by arthur-b (31 comments )
Reply Link Flag
A large missing point
Dont you think that there is a large portion here that is being missed though? yes, Viruses can travel networks without opening any file or downloading anything, but what about when you do visit a website and ad-ware or spyware is dropped onto your computer? It can be just as harmful, if not worse. Why? Well, for one, it bugs the crap out of you. Two; it sends your personal data to who knows where to who knows who. Three; it can just as easily compromise your system and turn off your firewalls and virus protections to allow other threats to invade your PC and the other PCs on your network. Until someone decides to make a program that has the best antivirus, firewall, spyware removal and protection, and tips on how to have a safe computer, and it is easily accessible and cheap or free, there is always going to be this problem and it is going to get worse and worse.
Posted by KDoggMDF (25 comments )
Reply Link Flag
Firewall will extend survival time
It's NOT everything you need to secure your machine - but installing a firewall BEFORE you connect the machine to the Internet will significantly lengthen its survival time when you connect it afterwards.

That's why I keep a copy of ZoneAlarm/etc handy in a CD.

by the way - I've seen machines infected in as quick as 5 minutes. At the height of a worm's outbreak, this may fell down further to even seconds.


Thanks,
Harry
Posted by (9 comments )
Reply Link Flag
Close to being accurate
Sufehmi points out importance of using or at least taking advantage of a firewall. Our experience, however, extends this concept to installing new systems, FIRST - Install totally offline, if possible. SECOND - Connect and install to any network on the protected side of an effective dedicated firewall. THIRD - Install and update antivirus software. Lastly - D/L and apply critical updates then add spyware protection.

Critical updates are NOT the first line of defense. That's part of the stratigic package.

The tactical key, we've found, is utilizing a dedicated firewall without exception. While software firewalls can be effective for single users, they simply can't be installed and configured fast enough at the onset to afford the necessary protection. Plus, they slow down even fast machines to the point of making it frustrating for the user.

Further, as has been pointed out, it takes only moments for an 'online' install to become virus infected and/or malware infested - how very true!

Our firewalls? Stripped down Linux and IPChains/IPTables, of course, with some logging and Intrusion Detection. Installed on an older Dell PII-350, for instance, net surfing speed is restored and protection is maximized because of dedicated fast throughput (100BaseT on both the protected and unprotected ports).

The only better protection method is the power switch and a yellow notepad.
Posted by (1 comment )
Link Flag
viruses
useing Windows XP as your OS means you shouldn't be
on the net. Why doesn' t Joe Public catch on
Linux,Unix,BeOS,just about any thing but Windows is
immune hear me, IMMUNE to all Windows viruses.
Posted by dwhite25 (23 comments )
Reply Link Flag
Immune?
First, I'd like to state that I am not against Linux by any means. I've used it, many of my friends use it, and in general, it's an exceptional OS. However, your statement ignores a major fact. Over 90% of PC's connected to the Internet run a Microsoft Operating system. It's a fact...and no amount of griping, education, or outright hounding end-users is going to change that fact.

Linux is not immune to worms or viruses....it's simply a matter of time. Hackers, crackers, worm writers, (and whomever else) are only interested in maximizing their effect. Now tell me, whats the best way to do that. To write a worm that attacks less than 5% of computers connected to the Internet, or a worm that has the potential to infect up to 90% of computers connected to the Internet? --Hm....let me think...

So your statement that Linux and Unix are immune seems rather assinine and naive to me. And lets not forget that there are just not enough applications that run on Linux (at this point) to make it a feasible OS for everyday use by the average person.
Posted by (7 comments )
Link Flag
be carefull what you ask for
be careful, if you get your wish, and all these fine hackers that are pounding on windows everyday turn their attention to Linux, your very own pet operating system will be the one going down in flames. There are no perfect operating systems.
Posted by roadiebob (5 comments )
Link Flag
Correction
Running Windows . My PC doesn' t run windowsso it
wouldn't be compramised at all(the patches wouldn't
work either).
Posted by dwhite25 (23 comments )
Reply Link Flag
An older article...but it's coming...
update Six vulnerabilities in a common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

And...

The most critical vulnerability crashed two open-source browsers, Evans said. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode" images, he added.

Link to article

<a class="jive-link-external" href="http://news.cbsi.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html?tag=cd.hed" target="_newWindow">http://news.cbsi.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html?tag=cd.hed</a>
Posted by (7 comments )
Reply Link Flag
already fixed for some
Example: <a class="jive-link-external" href="http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2" target="_newWindow">http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.2</a>

And IE? Has that been fixed already? Or do you have to wait 200+ days again?
Posted by arthur-b (31 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.