Windows Update will include worm removal tools. Not that helpful

Internetnews.com reports that Microsoft is working on a new feature for Windows Update which will remove all worms from your system. It's slated for release at the end of the year. Personally I find every initiative to offer customers a service to fix their systems a good one. However, will this particular initiative be a good one?

In theory it might sound great: you visit Windows Update, the site scans your system for worms and other nasties and removes them for you. Wait... visit Windows Update... but if you do that, you already get the patches, narrowing the attack window for worms. Most people who are currently suffering from Sasser haven't visited Windows Update in quite a while; the patch was released on April 13th. If you're one of them, you're in good company: yesterday my newspaper, NRC Handelsblad, arrived very late because they had a computer network breakdown due to Sasser. After almost a month the system administrators at PCM (owner of NRC) hadn't patched the computers, nor had they protected their network against worms and other crap arriving from the Internet.

Besides the need to visit Windows Update in the first place, this feature falls into the same trap as a lot of copy protection schemes: once you disable the check code, the code called by the check code is useless. Windows Update uses ActiveX controls (COM components) to perform the checks on your system, ActiveX components which are run by Internet Explorer. IE contains a protection against malicious ActiveX components: if the 'kill bit' is set to 1, the ActiveX component will not be loaded or run. The kill bit is a registry value for each ActiveX component that is registered to run inside IE. You can use this, for example, to stop Macromedia Flash from running in IE. Read this KB article for details about the kill bit. What will likely be the first thing a worm does when it enters a vulnerable system? That's right, set the kill bit for all the Windows Update ActiveX controls.

Now, to avoid this, IE has to be told via hard-coded GUIDs that a set of controls with those given GUIDs always has to be run, no matter what the kill bit says. However, this can lead to security holes as well (overwrite the registry entry that says where the COM DLL for a given GUID lives, and you're set). With a simple registry entry, the worm can disable this new removal feature completely.
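As an added example (not code from the original post), here is an offline audit of a `reg export` of IE's ActiveX Compatibility key that reports which controls have the kill bit (value 0x400 in the `Compatibility Flags` DWORD, as the KB article describes) set, so a defender can spot controls that should run but have been silenced. The CLSIDs in the sample export are constructed placeholders, not the real Windows Update controls.

```python
import re

# Bit the KB article documents as the kill bit in the "Compatibility Flags" DWORD.
KILL_BIT = 0x400

# Per-control key IE consults before loading an ActiveX control.
ACTIVEX_COMPAT_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
)

# Constructed sample of `reg export` output; the CLSIDs are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r"^\[" + re.escape(ACTIVEX_COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every control listed under the ActiveX Compatibility key."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)  # a subkey without a value means no kill bit
            continue
        val = VAL_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def killed_controls(flags):
    """All CLSIDs whose kill bit is set (other flag bits are ignored)."""
    return sorted(clsid for clsid, f in flags.items() if f & KILL_BIT)


def audit_expected_controls(flags, expected_clsids):
    """CLSIDs you expect to run (e.g. update controls) that have been kill-bitted."""
    return sorted(c.upper() for c in expected_clsids if flags.get(c.upper(), 0) & KILL_BIT)
```

Run it against a real export with `parse_compat_flags(open("export.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 on most systems.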

As I mentioned earlier, every initiative to protect customers and to fix infected systems has to be supported. I find it sad, however, to see how such an initiative is promoted as something which will help customers but in practice will probably not help anyone, because it is easily disabled or circumvented.

The only thing which I think will help is to block any incoming request on any TCP port unless the user has enabled it explicitly, and with that action suggests s/he knows what s/he's doing. I hope that with SP2 for XP a lot of the worms can be avoided. SP2 is slated for release later this year. However, the firewall is available in XP today. Perhaps it's a good idea to release a fix now which enables the firewall on every TCP connection and disables the TCP/IP NetBIOS helper service if the system is not part of a domain. Users are not aware of the firewall in XP, nor are they able to find the setting somewhere on a properties tab. Releasing a fix now which turns on the firewall will also require Windows Update; however, it will be much smaller in size than the complete SP2.

Oh, and although it will cost a lot of money, it might be wise to distribute SP2 on free CDs available with magazines and in supermarkets and gas stations. Then people with a modem connection to the Internet will also be able to install the service pack, as will the people who will never visit Windows Update because they don't know what it's for.

4 Comments

  • Enabling the firewall by default? That's not going to work either Frans... Unfortunately, most of the populace don't know that much about computers, even those working at computer helpdesks. Disabling all communication unless specifically enabled will lead to the following (already quite common) scenario:

    1.) User cannot use program X because it communicates over the Internet

    2.) User calls computer helpdesk

    3.) Helpdesk asks: is your firewall enabled?

    4.) User responds: What's a firewall?

    5.) Helpdesk says: go to Control Panel -> network connections. Right click your Internet connection. Choose Properties. Go to the Advanced tab. Do you see a green "v" in the checkbox?

    6.) User responds: Yes, is that my firewall? (Smart cookie this one :))

    7.) Helpdesk responds: Yes it is. Now please disable it, restart your computer and try running program X again.

    8.) User responds: Yes! It works! Now why did that stupid Microsoft enable that stupid firewall? Who needs a firewall anyway!?

    No, human stupidity will never fail to make matters worse... Recently, I heard another suggestion: make Windows run in 3 modes: n00b, moderate and advanced. In n00b mode, you cannot run as Administrator (there goes WinAmp :( ) and Windows Update is set to automatically download and install. Will this work? No. How many people will admit they should run in this mode? Not that many, I'm afraid. Plus, the fact that programs such as WinAmp require you to run as Administrator only makes it worse...

    And in a recent Dutch study on what people think about viruses and who's responsible for preventing them, a whopping 80% responded that either the government or the ISP is! So what should we do? Scan all network traffic you generate? If your ISP detects you're sending an e-mail with a virus attached to it, you'll be banned from sending email. If your machine is scanning for known vulnerabilities on other machines, your Internet connection is disabled. If your machine participates in a DDoS, your Internet connection is disabled. That's your ISP taking responsibility for your inaction. Now how would the general populace feel about that?

  • 80% claimed that? I almost find that hard to believe! But when I see how stupid people can be around computers, it seems likely again.

    I say, go ahead. I read yesterday KPN had 90% of all ADSL subscriptions under control. Move those 80% into KPN and the other 20% into another ISP. I've got Demon, so I'm good! ;)

    Then let KPN filter the traffic inside their network, so it won't affect the speed of OUR downloads. Then we've begun to build a perfect world, from my point of view! ;)

    I've been running without virus scanners for years now and never had any problems. The last time was when I took some disks from a friend at school with me.

  • Wolfgang, every program which requires an external connection from an external machine to yours, originating from that external machine, is bad and should be banned. A good firewall would block all incoming connections but can allow all outgoing connections. That's the default for XP's firewall anyway. No normal program requires an incoming connection, only server applications do. I'd say: if you know what you're doing, and setting up a webserver requires some kind of knowledge ;), you can also enable the port in the firewall. For the rest, a normal PC which is only attached to the internet doesn't need incoming connections.

    Dennis: isn't Demon just reselling KPN's ADSL? ;)

  • The average user isn't technically savvy enough to host online games, trust me.

    Worms via email, ok, these can be hostile. However, worms à la Sasser and MSBlaster and other nasties which will emerge in the future will not be able to infiltrate a system. Now they can: every Windows box without port filtering or a firewall has ports 137-139 open to the Internet, for no reason.
