Serious admins don't ignore security patches
Published: 28 Aug 2003 14:49 BST
Between the twin-threat events of this month -- the power blackout in the North American East and the latest worm (news of which seemed to hit everywhere but The Jerry Springer Show) -- it was an interesting time to be in charge of electronic information flow (mileage may vary according to one's personal geography).
The moving finger points…
As far as the blackout went, Republicans blamed Democrats for balking at the President's energy plan, Democrats blamed Republicans for including "unconscionable" energy policies in that plan, and Canadians blamed all Americans without regard to political bent. THAT debate will be ongoing for some time to come, unlike the clarity associated with placing responsibility for the MSBlast worm. Clearly, it was ALL Microsoft's fault, that one...
...until you look at the facts. Looking at the facts usually changes everything, except people's minds.
…and having pointed, wags
Somewhere around the end of last June, a team of Polish software experimenters calling themselves the "Last Stage of Delirium Research Group" found and demonstrated a really big hole in the RPC implementation of DCOM services. They got in touch with Microsoft and coordinated a joint news release, along with a nice new patch for the hole.
In a week, only 40 million patches had been downloaded. Also in a week, real live code to exploit the RPC hole was posted on the Web. The countdown began, and in a week, there were reports of unexplained shutdowns and other wobbly behaviour. In another week, the worm was found, isolated, and dissected by the F-Secure Group in Finland. Over the next two to three days, things really got interesting in Internet forums. Once again, the IT biz had made the six o'clock news and people were experiencing machine shutdowns at home and at work. It was getting personal.
The bare-bones facts are these:
- A major security hole was found and reported to Microsoft.
- In short order, the news was spread, without referencing the specifics of how to exploit it, and a patch was published.
- A small percentage of systems were patched.
- Someone figured out how to exploit it and published the code.
- Someone else (unknown at this time) used that same code as the base for a worm that carried a time-bomb DoS attack through the RPC hole.
- A side effect of the RPC exploit was to cause system shutdowns (pure sloppiness; done right, it should have left no trace of its presence).
- Soon, and in time for patches to be emplaced before the DoS attack was to execute, a major media blitz occurred, giving everyone notice.
- Patched or not, everybody blamed Microsoft for carelessness.
- The DoS attack never happened, partly through an inaccuracy in the code; the URL was faulty, and Microsoft shut down the target URL anyway.
- Everyone continues to blame Microsoft.