David Stone's Blog

I'm open to suggestions for a subtitle here! (Really!)

A .txt file saves the day... (Moral: Let the updates run!)

So yesterday morning I got onto my parents' computer at home to check e-mail before we (Dad and I) left for work. Well, I got done with my e-mail and was about to fire up IE to read the main feed here on weblogs.asp.net when I noticed a little text file on the desktop that was named “YOU.GOT.HACKED.READ.ME.NOW.txt”. I asked my 13-year-old brother how long that had been there and he said, “Oh yeah, I pointed that out to Mom about a week ago and she said 'Don't bother me with that right now'.”

A week?

I opened the text file, which had one line in it saying “the patch is here http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en”

I noticed that the patch was released almost a month ago and was puzzled because I had set Automatic Updates to run on that machine and had previously instructed my mother in the art of applying the automatic updates once they had downloaded themselves. So I head on over to Windows Update and up turns about 12 items in the “Critical Updates” section...including IE6 SP1. 

The IE6 SP1 that's been out since 9.9.02?

My mother informs me that she had clicked on something that made the little world icon and the balloon go away and stop bugging her. She said it was inconvenient and that she didn't have time to be installing those things and restarting the computer. Also, despite the fact that we had ZoneAlarm installed, my father (normally the computer savvy manager that you would expect in a Chief Technology Officer) had uninstalled it because it wasn't working right.

So I installed all the updates that Windows Update said I needed and patched up everything. I couldn't really do anything about the firewall right then because we were heading out the door, so I just shut down the computer and told mom to turn it off when she wasn't using it.

Turns out that the buffer overrun this hacker exploited to get onto the family computer is the same buffer overrun that Blaster is exploiting. Had I not run the patch yesterday morning (a few hours before Symantec, Microsoft, et al. published news about Blaster), our computer would most likely have been infected and I would have had a major problem on my hands (because I have to fix the computer when it breaks). So, to that hacker, whoever you are, thank you. You've saved me from a big headache and a problem I didn't really need.

The moral of the story is to run your Windows Update...always...forever. There's a reason Microsoft releases these security patches, which I assume cost a lot of money to produce/test/deploy. It's not for their own health, it's for yours.

Comments

Thomas Tomiczek said:

VERY well said. This is also the reason that I LOVE the update service. Maybe not for me as a pro knowing and tracking what is going on, but it is GREAT for the end user.

MS should just make it harder to get "rid" of the updates.

End Users will probably never understand system maintenance - as such, the system HAS to update itself.

NICE example. VERY nice example.
# August 12, 2003 1:58 PM

G. Andrew Duthie said:

This is why, for users like your parents, a standalone hardware router/firewall is a better bet than relying on ZoneAlarm, et. al.

Here's what I would do, were I you:

- Purchase an inexpensive router/firewall from NetGear or Linksys
- Configure the router such that only the ports your parents need are open (I'd also leave open the Terminal Services port so that you can access their computer remotely if necessary...you *do* have XP installed on their machine, right?)
- Set up the router and the OS such that you can access their machine remotely to ensure that the patches are up to date.

Granted, all of the above depend on your willingness to be responsible for their machine, but it seems like they're completely unwilling to be responsible, and if you're going to end up cleaning up the aftermath anyway, you might as well make it easier on yourself by preventing the problems in the first place.

:-)

The other advantage of a setup like this is that it would allow you to turn automatic updates back on if your mom turns them off.
# August 12, 2003 3:32 PM
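The post's moral (let the updates run) and the remote-check step in the comment above both come down to one recurring audit: is Automatic Updates still switched on, is the patch the text file pointed to actually installed, and is a host firewall still enabled. The script below is an added example, not code from the post or from any commenter; it assumes a current Windows host with PowerShell 5.1 or later and the NetSecurity module, and the hotfix id is a placeholder because the page names the patch only by its download URL, not by a KB number. The registry paths and the meaning of the AUOptions values follow Microsoft's Windows Update policy documentation.

```powershell
# Added audit script (not from the original post or comments).
# Assumes: PowerShell 5.1+, NetSecurity module, run as an administrator.
param(
    # Placeholder: substitute the KB id of the patch you actually require.
    [string]$RequiredHotfix = 'KBxxxxxx'
)

$findings = @()

# 1. Automatic Updates configuration. A Group Policy setting (Policies key)
#    overrides the per-machine Auto Update key, so read both.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policy  = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
$machine = Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue

if ($policy -and $policy.NoAutoUpdate -eq 1) {
    $findings += 'Automatic Updates disabled by policy (NoAutoUpdate=1)'
}

# AUOptions: 1 = off, 2 = notify before download, 3 = download then notify,
# 4 = download and install on schedule. 2 and 3 wait for a user to click,
# which is exactly how the updates in the post sat undone for a month.
$auOptions = if ($policy -and $policy.AUOptions) { $policy.AUOptions }
             elseif ($machine -and $machine.AUOptions) { $machine.AUOptions }
             else { $null }

if ($auOptions -eq 1) {
    $findings += 'AUOptions=1: Automatic Updates turned off'
} elseif ($auOptions -in 2, 3) {
    $findings += "AUOptions=$auOptions: updates wait for a user to confirm"
} elseif ($null -eq $auOptions) {
    $findings += 'AUOptions not set: verify update settings manually'
}

# 2. Is the specific patch present? Get-HotFix writes a non-terminating
#    error when the id is unknown, so suppress it and test for no result.
if (-not (Get-HotFix -Id $RequiredHotfix -ErrorAction SilentlyContinue)) {
    $findings += "Hotfix $RequiredHotfix is not installed"
}

# 3. Host firewall on for every profile; the router in the comment above is
#    the outer layer, this is the inner one that survives the router being
#    unplugged or the laptop leaving the house.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

if ($findings.Count -eq 0) {
    'OK: updates automatic, required patch present, firewall enabled'
} else {
    $findings
}
```

Run it over Remote Desktop or a remoting session on the machine you look after; an empty findings list is the only result that means nothing needs attention, and the AUOptions finding is the one to watch, since it is the setting a user changes when they click the balloon away.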

Martin Spedding said:

I just read your blog entry and you tell a very similar story to the one I have just told in my blog. However, I think the only solution is to bolt down the operating system. Computer users are normally passive. It means if you give them a choice they will always take the easy route. So I say bolt everything down. That way they have to take a decision to open something up. If it looks scary they will not do it. I wrote more in my blog:

http://weblogs.asp.net/mspedding
# August 12, 2003 6:35 PM

deano said:

well... I am always amazed by these stories. As a PC repair tech myself, I have to agree with this to an extent. But most users fail to see the issues that lie behind these updates.

1st) Most people do not realize that the 23 ports MS uses to er... "communicate" with (i.e. "spy") are what 99% of the exploits are found in. The biggest flaw with Windows is DCOM95 - a vital library for providing special networking extensions on Windows. DCOM is required for Win to go online. But MS has added so many "back doors" that are installed for "your health" that they are the largest source of attacks. Next time you go to Windows Update, read what all the updates are for: Internet Explorer, Outlook, DCOM95, and Media Player.

2nd) Microsoft have taken a poor approach to the problem at hand. Your security issues on Windows are due to their failed attempts to thwart hackers and PREVENT viruses. Their own plan to make things better has only made things worse. I personally have used (Slackware, Red Hat, and SuSE) Linux for the past 3 years now and have never had a single compromise on my system nor have I ever seen a virus. And I don't even have virus software. It is interesting to note that over the past few months, MS has been conducting publicly announced studies on the Linux kernel in hopes to "learn from experience". Although this is going to be futile if they continue to use their "back door tactics". Every time you go to browse your hard drive in My Computer, MS is sent detailed info on what you are doing. This is fact. Don't believe me? Open My Computer and take a look at the lights on your modem/network card. :)

Not to hit on MS, but your biggest problem with security in Windows is

a) internet explorer
b) outlook express
c) error reporting
d) "automatic" updates
e) the back door extensions in DCOM95

It is sad but true: the very features they have provided you with to ensure your security are most usually the causes for security compromises.

It might also be interesting to note that in Windows 2000 Server, MS removes the error reporting and updates feature for security purposes. But most people don't know this. (I work with Win2k Server daily)
# October 3, 2003 11:18 AM