Internet security helped by Code Red

Any gardener will tell you worms are good for the soil. Security researchers are now finding that the creatures' digital namesakes might be good for security.

In its monthly report released earlier this week, Internet survey firm Netcraft found that Web servers running Microsoft's software have become much more secure in the wake of the Code Red worm attack.

The results mirror another survey released in early August by the Cooperative Association for Internet Data Analysis, a research center based at the University of California at San Diego.

"Code Red got a lot of publicity," said David Moore, a senior researcher with CAIDA. "It got a lot of people recognizing that patching servers is a problem."

In mid-July, the Code Red worm used a recently discovered vulnerability in Microsoft's flagship Internet Information Server software to spread across the Internet, hopping from server to server.

Despite having five weeks--the period from the announcement of the flaw to the emergence of Code Red--to patch holes in vulnerable servers, system administrators waited until an actual security threat emerged to patch their systems, Moore said.

The Netcraft survey came to a similar conclusion.

"The high visibility of Code Red induced many e-commerce sites running Microsoft IIS to patch their systems for the first time," the company stated in the survey.

Netcraft found that in scanning a few hundred systems each month for 10 different security lapses, the incidence of eight of the vulnerabilities decreased at the end of July and plummeted further by the end of August. The increase in general security could be attributed to Microsoft's release of a cumulative patch to take care of a variety of vulnerabilities, stated the report.

"The combination of the Code Red worm and the first cumulative patch for Microsoft IIS has significantly improved the security of Microsoft IIS systems on the Internet," it concluded.

The study did take system administrators and their managers to task for a "deep-set complacency regarding security" and acknowledged the "difficulties in maintaining a reasonable level of security without the benefit of regular external testing." (Netcraft does just such testing.)

Scott Culp, Microsoft's security program manager, believes the software giant's new focus on making patches easier to apply and more comprehensive will lead to better security as well.

"System administrators are busy folks," he said. "Most companies don't have the resources to have a dedicated security staff. In most cases, the slowness to patch is a case of resources and priorities."

CAIDA's Moore isn't so sure.

According to the group's study, system administrators squandered the downtime after Code Red's first attack, when the worm went into a 10-day lull. They didn't start applying patches in earnest until the worm started spreading a second time.

Unless people learn from the experience, the next worm might be worse, denying system administrators any grace period to make fixes.

"If we say, 'We know it's going to happen,' and we can't even stop it--then that worries me," Moore said.