Are Slammer and WinXP something to be worried about?

According to the following article, the Slammer virus that hit the world last week is a new class of virus dubbed Warhol. Warhol viruses have the ability to double in size at amazing rates - the SQL Slammer virus doubled every 8.5 seconds, and if it had been properly written and had targeted alternate or additional systems, it might have taken the whole internet down in 15 minutes. Here is the article.

http://news.com.com/2100-1001-983197.html?tag=fd_top

Besides this being a massive internet security risk, and the possibility that from now on, many major virus attacks will most likely be of the Warhol variety (and the scary possibility that this is the sort of virus you need to take down the internet, and now it’s here), there was an article I recall reading from Robert X Cringley about how beginning with Windows 2000 and continuing on with WinXP, the operating system is shipped with something called RAW Sockets. There are a number of articles out there explaining why millions upon millions of computers with RAW sockets out there on the internet is a really Bad Idea™ - Unfortunately, I am not exactly versed in explaining RAW Sockets… someone else might be though.

Anyway, Robert X explained a theory that if things on the internet got dicey (like with a Warhol worm) Microsoft would use its autoupdate feature to essentially change everyone over from TCP/IP and RAW Sockets to some sort of Microsoft TCP/IP™, thus locking up the market for Microsoft, the Savior of the Internet.

Q: You link to an article that correctly calls it a “worm” but you repeatedly say “virus”. Why?

Well I suppose I sorta think of a worm as a class of virus. However, you are correct. I should have said worm.

I had expected some learned responses by now, so I’ll just make a point or two.

Any widely used network software can be attacked. Take Apache web server, extremely popular. Every now and then an exploit is discovered, eventually an attack is made, etc. Usually doesn’t cause big problems in this case since most Apache admins are responsible enough to keep it updated. Also, it helps in this case that Apache runs under several different OSes. Hard to design an exploit that will work across platforms.

MS OSes, IE, and Outlook are all very widely used. Also run on the same or very similar platforms. Really good targets.

MS also has a very weird blindside on security. I use hotmail and there is no setting for doing such basic security as viewing messages as plain text only (no html or, heaven forbid, javascript). Ditto Outlook. Dumb, dumb, dumb.

Couple their blindside with the overall poor quality of their software. (I would go years without rebooting my old Sun.) Perfect target for jerks.

I read the Cringely column when it came out. Sounded almost paranoid, but when it comes to MS, paranoia is needed. I think the “trusted computing” path is the way they are going. That shuts out a lot of interoperability, forces people to pay per use, forces upgrades to newer stuff to do things we can already do now without it, etc.

Steve Gibson made a big deal about the fact that Windows XP Home would ship with full Berkeley socket support (RAW sockets). You can probably still find some of his ranting on www.grc.com. His concern was not with worms as much as with trojan horses, such as the IRC zombie that has been used repeatedly to bring down several big internet sites (including his). RAW sockets make it easier to spoof the IP address, meaning that it’s harder to figure out where the network traffic is coming from.

I’m not sure how this increases any exposure to internet worms.

Longhorn, possibly, because it will be SQL Server built right into the core of the filesystem.

:confused:

D’oh! “…it will have…” :smack:

Urban,

You don’t really have to wait for Longhorn… with the number of ways to get MSDE installed, SQL server code is more common than you would think.

Check out this link.

Hohoho. Trust not MS software, I say.

To be fair, MSFT issued a security patch that closed this loophole in July last year, followed by not one but two service packs that also would have taken care of the problem (service pack 3 was issued only a few days before Slammer hit) if the admin had updated their software. You gotta update or you are at risk.

MSDE is a little more problematic because you may not realize you have it.

Face it, at best a business decision was made that it’s better to risk a virus than the cost of staying current on updates/service packs, and at worst people are lazy gits and don’t bother. At the end of the day, IMHO more automatic systems will be required to “push” out the updates.

While that’s true, Microsoft’s internal servers were also hit. Which means that not even their people can keep up with all these patches and updates.

Well, I heard that MSFT’s core operations were fine and fully updated. According to my brother, who is a microserf, MSFT has tens of thousands of employees running beta programs that are unsupported. Those are the ones that were hit, not the ringfenced core operations. YMMV

The issue at my company is that problem management is reactive. Historically most of these exploits on MS platform have had to do with IIS, so that is what gets the attention. Lots of the DBAs don’t even read the security bulletins. That will change now, but SQL Server is not more likely to be exploited again than any other service.

The next big hit will probably be another netbios or rpc exploit or something else that’s not receiving a lot of attention but is very commonly deployed…

In reality, raw sockets aren’t a very serious issue. They could be enabled on OSes before XP by a trojan horse program with very little effort, so shipping them by default didn’t make everything less secure. If Windows came set up to download and install all patches automatically by DEFAULT, we would have fewer problems.