To patch? Or not to patch?

p2pnet.net News:- Few of us will be surprised to hear that the recently announced problem with the way Windows programs display JPEG images has been exploited by virus writers. In the past few days nasty pictures that attempt to infect computers have been distributed by instant messaging and posted to USENET groups.

So far they seem to be prototypes that don’t work properly, but it is only a matter of days before someone writes some code to sit inside an image file and infect other pictures and programs, spreading through email or other channels.

And when it happens, millions of computers will be vulnerable because their users have not installed the latest version of the Windows GDI+ graphics system that is the root of the problem.

Of course the people building the malicious code aren’t being especially clever. Unlike ‘zero day’ exploits, where virus writers discover a problem and get their virus out before anyone knows about it, the issue here has been exhaustively covered in the press.

The details of the bug are well-known, and there are even ‘toolkits’ for virus writers to use that do all the hard bits.

In fact the virus writers are relying solely on the fact that there are a lot of people online who simply don’t know or care about security, who will not have bothered to patch their Windows computers, and who are perfectly happy to click on links, accept emailed attachments or have online conversations with strangers.

It is hard not to conclude that exposed users deserve what they are going to get. After all, recent research into US computer users by the National Cyber Security Alliance found that one in three believed they had more chance of being struck by lightning than having their computers broken into.

Presumably these are the same people who believe that a guardian angel will come and sort out their hard drive after it’s been trashed by a virus.

On the Internet, however, there are serious consequences if millions of computers get infected. The network slows down, vital data may be damaged, and many of the infected computers will be turned into zombies, used to send spam.

It is, as I’ve said before, socially irresponsible to leave your computer open to attack.

Even though I still believe that people should be more responsible when they connect their computers to the net, I’m starting to develop more sympathy with those who haven’t patched after my own experience at the hands of Microsoft’s Office Update.

I have two Windows computers at home, along with a Linux box and a Unix server sitting on a friend’s network (my daughter has an iBook, so we’re a cross-platform household). One runs Windows 2000, the other XP, and I’ve got Microsoft Office on both so I clearly had to patch my systems.

Unfortunately, before I could apply the security patch I had to install service packs and other bits and pieces to bring my installations completely up to date. None of these was a critical security patch, but I couldn’t proceed without them.

In the process Office Update also patched my copy of FrontPage 2002, the web editing software I use to manage a website I work on. And when I went back to the site to make some changes, it stopped working.

It seems that as part of the patching process, Microsoft had ‘upgraded’ my installation, and some of the active server pages I’d built for this site no longer worked. After some digging around I discovered that Microsoft wanted me to upgrade a lot of other stuff too, in order to bring everything up to the same level.

Fortunately I found an advice forum that told me how to turn the clock back by copying three critical configuration files into the right place, and I only wasted five hours sorting it all out.

As a result of this, I’ll think twice about the next patch I’m asked to install, and I certainly won’t be putting Windows XP SP2 on my box for a while yet.

The problem would be avoided if security patches were just that, and companies didn’t try to sneak upgraded versions out by bundling them with critical fixes, but that doesn’t seem to be the way Microsoft thinks.

As a fair and balanced journalist, I would like to point out that this isn’t all Microsoft’s fault, and that other systems have vulnerabilities too.

The only problem is that much of it is Microsoft’s fault, because they built their operating systems on top of a woefully inadequate model of computer security that was superseded twenty years ago in serious computing circles, and they have put ease of use before security in almost every product they have released.

MacOS X and Unix/Linux don’t have so many problems because the central security features are better and applications respect the security model more. It’s that simple.

I was criticised by many readers for my suggestion, a few weeks ago, that Internet Service Providers should check whether customers’ computers were properly secured before they allowed them to connect to the wider net. Some people assumed that this would mean only Windows machines could connect, which was certainly not my intention.

Many argued that they should be allowed to determine what programs run on ‘their’ computer, and that attempts to limit their freedom were unacceptable.

It’s a nice argument, but not very convincing. First, they can only run the programs that their operating system supports, written for the processor they have, so the freedom is already limited – why not accept that their ISP has some influence too?

Second, we should resist letting the selfish individualism that has done so much damage to our wider society wreak even more havoc on the net. Connecting to the Internet is a social act, one that carries with it obligations – including an obligation to run a secure system.

Microsoft may make it hard to fulfil this obligation, but that is no reason to disregard it. And despite the mess they made of my website, I’ll still get the next security patch that comes my way from Windows Update.

Bill Thompson – andfinally.com


6 Responses to “To patch? Or not to patch?”

  1. Reader's Write Says:

    The whole rhetoric about security being more important than
    the liberty to choose what you can run on your computer is flawed.

    Once you open the door for ISP to police their network
    you are inviting them to control the access of their users.
    And since they CAN police it, it means they can be legally forced to do it.

    So what if ISPs decide that it is a security risk to visit p2pnet?
    Or what if a court rules that they must block Morpheus from running on computers in their network?
    Oh, and while you’re at it, why not block websites that make the government look bad.

    Farfetched?
    What is difficult to believe is that you can devise a way to detect
    “unsecure” computers.
    If you cannot objectively determine that, you have to be subjective.
    Which means some guy somewhere decides what must be blocked.

  2. Reader's Write Says:

    Get ‘firefox’. It’s very easy to use, has a great ad blocker, then you don’t have to worry about patch of the week.

  3. Reader's Write Says:

    an ISP should SECURE their network,

    NOT “police” it.

    It should be their responsibility to block email-borne viruses and spam. But not to start policing file sharers, etc.

  4. Reader's Write Says:

    You’re absolutely right.

    Now this really worries me … in the UK the Defense Procurement Agency plan on using win2k for running the computer systems.

    WHY WHY WHY!!!!!

    I doubt ANYONE who knows ANYTHING about Windows or ‘nix can’t believe this.

    It’s gotta be untrue or VERY, VERY STOOPID !!!!

    The BBC had a piece on it the other day on the news … can’t find any info on their website though!!

    http://www.theregister.co.uk/2004/09/06/ams_goes_windows_for_warships/

  5. Reader's Write Says:

    HOW?

    How can you secure without policing?

    What ISPs do now is block ports, like smtp(25) and http(80).
    That prevents you from running servers at these ports.
    Effective? No.

    Does it help with security?
    Yes, for those that do not know they have servers running there.
    That is however more a problem of the operating system enabling
    certain (unneeded) services by default, or malicious applications.
    BTW malicious applications will find a way somehow if the user is not
    paying attention and running any programs without some verification.

    Does it prevent legitimate use of servers on that port?
    Yes, for those who want to run services at these ports.
    Would that imply some risks?
    Of course, but that is true of every service offered over the internet.

    If you want complete security, there is a button on all computers
    that provides complete invulnerability to all attacks.
    The off button.

  6. Reader's Write Says:

    Because Microsoft is giving it to them.

    Really.

    Microsoft practically gives software away to convince others that it is worth using.
    There were some pieces about this on p2pnet some time ago…

    Off the top of my googling there’s this:
    False ads in the uk
    http://p2pnet.net/story/2249

    Can’t find a better one, but threatening to go linux is being used to
    get better prices from Microsoft, who then say they are better.
    http://arstechnica.com/news.ars/post/20040611-3874.html
