The Conficker worm, which spreads by infecting Windows computers that are not properly kept up-to-date, was supposed to make a big splash on April 1, but that day passed with a deafening silence on the Conficker front. Since then, there has been some movement by the worm, and data gathered from enterprise users of Sophos’ Endpoint Assessment Test indicates that 10% of Windows machines have still not been properly patched, leaving them wide open to a Conficker infection.
Last week, the botnet created by Conficker machines started to update itself through the built-in peer-to-peer update mechanism. The latest variant, Conficker.e, now downloads a rogue anti-spyware application called SpywareProtect2009, and asks users if they want to clean their system for a price of USD 49.95. In fact, it will only remove fictional components, leaving the real malware intact. This new variant is scheduled to function until May 3.
The Sophos Endpoint Assessment Test is a free online test which checks if you have all the latest patches and service packs installed, whether or not you’re running a firewall and antivirus software, and if those are all up-to-date and running. If you take the results from this test from just March of this year, 10% of the people using this test had not installed the now six-month-old security patch from Microsoft that prevents the Conficker worm from infecting Windows machines. This patch was released well before Conficker got out in the wild.
It is literally appalling to see so many computers out there that have not been properly kept up-to-date. I can understand problems home users might have with this – up to a point – but seeing so many professional institutions with IT staff getting infected by Conficker just shows how utterly incompetent these so-called “IT-pros” really are. There is only so much stupidity and laziness you can counter with updating mechanisms and prompt patching.
If I were responsible for one of these infected networks at important organisations – the UK Royal Army, the German Bundeswehr, and others – I’d seriously reconsider my employment status.
I had a look at the Sophos website and it appears that the patch to protect Windows was released October 23rd, 2008. The question is – at what point does this blaming Microsoft start to become ridiculous? The update has been out and yet there are people who don’t install updates, even though installing updates should be one of the very first skills one learns when getting a computer. Blaming Microsoft is easy because it is the old story of blaming the faceless multinational – but the reality is that people have chosen not to learn even the most basic of things.
With that being said, I also blame many of the so-called ‘IT gurus’ that advise people on what to do; I couldn’t believe one person who said to a family member not to worry about installing Service Pack 2 for Windows or any of the updates. A lot of what I see are people who purchase computers and have a family member who appears to know something about computers – and gives them all the wrong advice.
Getting back on topic, I guess it is one of those things that is unavoidable; software is written by humans, humans make mistakes, therefore software needs updates. The best I guess Microsoft can do is default to auto-install critical updates and pray that the end user doesn’t fiddle with the setting.
Edited 2009-04-14 15:30 UTC
This sort of upgrade, critical upgrades, should be automatic and without user intervention. In other words, it should be pushed down the throat (at least after a certain period of testing).
Nah, I’d rather not see someone without my admin password capable of installing random **** on my system under the guise of an important update. I’d be much more apt to say ISPs need to start sandboxing or outright kicking unpatched machines off their network or better yet, holding end users criminally liable for any damage caused by their machines due to negligence.
End users are not responsible for defective software and malware development. You talk like a Microsoft person, putting all that crap on the shoulders of users. Users are victims, and they shouldn’t have to know how to fix their computers (which they didn’t break). It’s Microsoft’s fault if their OS is crap, and the ISPs’ fault if they don’t block shit coming through their lines (guess what, they do filter torrents).
No, this doesn’t make any sense. You buy a device, you are expected to maintain it. Doing software updates is part of the day-to-day life of a computer user, be it Windows, Mac, or Linux. That’s like saying you should buy a car and never have to put gas in it or change the oil, it should do it by itself? See? It makes no sense. Whenever somebody purchases a product, there are some constraints that have to be met; in the case of a car you need to fill the tank and change the oil, tires, etc. With a computer you need to do updates.
You cannot compare software with a car. This kind of analogy doesn’t work. If you want to do the *-car analogy, then if your car is defective by design you have the right to sue and get your money back or a better/well-designed car. Doesn’t happen with software.
Still, if your car starts to misbehave, you don’t actually fix it yourself, but send it to the mechanic. Now if we talk about software, that would mean you should take your computer to the technician whenever a bug pops up. That’s stupid. Ask most people and they don’t even know what a bug is in software terms. You certainly can’t expect anyone to patch his own computer. That should be fully automatic. At least with critical updates. Car analogies don’t work because the car itself can’t change its own physical parts, but I’m sure there are cars with digital equipment that can auto-update their firmware as needed. In fact, it’s most certain that your cable modem/DSL modem auto-updates itself whenever the ISP thinks it’s needed, and they surely don’t ask you to do it manually or ask for your permission.
But the analogy works when you consider updating as a regular maintenance task, which is what it is. It is *exactly* like having to change oil, tires, etc.; these are all part of regular maintenance of your device.
Updating is needed because of defective parts in the software. You can’t really map it to car fuel, which would be much like electricity to the hardware. Updating would be more like updating your car’s microcomputer firmware. Imagine how you would feel if you had to manually patch the firmware all the time. Wouldn’t you say “this car sucks”?
Maybe, maybe not. But I damn sure wouldn’t argue that it’s my responsibility to take action on public safety issues with my property… That’s precisely what these vulnerabilities are btw, public safety issues to the internet and if the end user can’t be bothered to get off their ass and patch their systems in a reasonable amount of time then you’re goddamn skippy I want to see them held 100% accountable when some three month old exploit causes their system to DDoS something.
If you can’t be bothered to educate yourself on the use of something to at least a basic level you have zero business having it in the first place.
Doing it once is ok, but all the time and you’ll end up dumping the car for another with fewer defects. Why can’t people do that with their OS?
They can’t be held accountable if it’s not their fault that the vulnerability is in there. It’s not their software, they only acquired the right to use it, but the software belongs to a company, which is responsible for maintaining it. That most people don’t know what a vulnerability is should also tell you there’s something wrong in Microsoft not pushing upgrades automatically.
They already know the basic levels. Patching is not at a basic level. Of course, Microsoft will always say it’s the users’ fault, like always. All companies do that and in the end they wash their hands. That people are stupid, I grant it. But companies must not use that to make their lives easier and spend less money than they should.
You must be aware that all OSes need updates. If you are not, then you are either insane or a rabid anti-MS zealot. A sample list I used in an earlier post:
List of recent security updates for Debian Stable:
http://www.debian.org/security/
Fedora 8:
https://admin.fedoraproject.org/updates/
OS X:
http://support.apple.com/kb/HT1222
FreeBSD:
http://www.freebsd.org/security/advisories.html
Windows:
http://www.microsoft.com/protect/computer/updates/bulletins/default…..
As you can see, all OSes need updates, all software has bugs, and to blame MS for people being retarded and not patching their systems is just rampant fanboyism, or something worse.
Edited 2009-04-14 16:34 UTC
Excuse me, but my FreeBSD, unpatched and all as it may be, is more secure by default than any OS Microsoft ever made. That’s the truth. Now I wouldn’t blame all of it on Microsoft. I know software has bugs and it will always have bugs. But as they control a big piece of the market it makes even more sense that they care much more about patching than us *insert alternative OS* users. They are the ones providing defective software (much more defective than other OSes if you dare), so they should take care of patching. What the hell does a normal user know or care about patching? They surely know about browsing and writing mails, but they couldn’t care shit about patching Windows. That’s why patching critical bugs should be automatic.
No fanboyism here, whatever you may be thinking. Just because I use another OS doesn’t mean I’m trolling. Perhaps someone touches your beloved Microsoft and you feel touched too?
Actually, I use Debian and FreeBSD on most of my computers at home, and support Windows (and Novell, ugh) servers and desktops at work.
I use this experience in multiple operating systems to arrive at my conclusion based on common sense, and the amount of updates my machines get on a regular basis.
Windows is generally more at risk from viruses and worms because up until Vista, most users ran as unrestricted administrators. I have never run any version of Windows NT as an admin, and I have never caught a virus. It’s common sense.
But if you’re running your computer as an admin, and not applying security patches, it doesn’t matter what you run, Windows, BSD, Linux, you’re an idiot and deserve to be pwned.
Whatever… My Debian box not being patched at least will not become part of a botnet to send SPAM or God knows what else. Kaiwai’s Macbook not being patched with the fix for the latest 0-day exploit for Mac will not make it part of a huge botnet, etc.
It is about damn time you people stop making excuses and acknowledge that Windows is a fu%$&*# piece of s$%t and that the thing needs to be fixed once and for all for the good of everybody… MS has the resources: FIX IT!
Yes, some people are to blame for not applying patches but certain holes should not be there in the first place…
How do you know? The only reason your unpatched Debian box will not become part of a botnet is because the total number of Linux desktop users is so small that it is uneconomical for spammers to use it. I posted the links for the different update pages; if you’re too lazy to read them and realize that all OSes have buffer overflows, bugs and holes, then too bad for you.
When Linux gets a little more popular, we’ll see then whose box lasts the longest, your unpatched Debian box, or my fully patched Debian box. Oh, and kaiwai is smart enough to patch his OS X install, so I guess that attempt at name dropping didn’t get you very far. If you read his first post in this thread, he doesn’t agree with you.
They did fix it, in October! Look at those friggin’ links, you’ll see that all the major desktop operating systems have holes, and they are fixed. This is not MS’s fault, they did their job.
10% of all Windows users, apparently, what’s that? 20,000,000 (I have no idea the real number) machines? They are all to blame for Conficker, everyone. If they kept their machines patched, then it wouldn’t have been able to infect any machines, and would have died out. Stop blaming MS for users’ stupidity, there is more than enough to blame them for, this worm is not one of those things.
This problem with Conficker was fixed in October, for God’s sake. Oh, but it’s MS’s fault. Yeah right, whatever.
Edited 2009-04-14 20:33 UTC
No, no, no… I cannot agree to this assertion at all. There was a time when Linux distros would ship with lots of services turned on, daemons that were listening for connections from the internet by default and stuff like that, but that has been rectified a long time ago. Besides, Linux desktops may be a smaller target than the huge number of Windows morons out there, but there are plenty of Linux servers that, given the chance of them being rooted, would make for a far more attractive target for crackers.
You were reading too much in what I said: I didn’t mean to imply that Kaiwai’s box is unpatched. I think that most OSAlert visitors should know better than that. What I meant is that, even if it were, chances that it would become part of a huge botnet would be negligible given that it is not Windows.
Every operating system has holes, you will not see an argument from me there. However, I’d argue that the severity of holes in Windows systems is far higher than that of the typical hole found on most other operating systems these days. It seems as if any hole on MS OSes will let an attacker drive the machine to do anything, no matter what.
Hey, track record says that another Conficker will show up sooner or later. Is it MS’s fault? Perhaps not… But it is disgusting to see each and every Windows hole out there being blamed solely on the user. But that’s me.
Except those servers are run by (I hope) professionals, who know how to harden a Linux server, and keep their network clean. Does your grandma know how to configure SELinux? How about SSH to disable root logins?
Windows has also lessened its attack surface, and decreased the amount of services running at install time. IE 7 and 8 are miles above IE 6 security-wise. All operating systems move forward, even Windows; it would take a fool not to recognize that Windows XP SP2 and Vista are not Windows 98. A fool, or perhaps somebody living under a rock.
I’m not blaming the hole on the user, I’m blaming the 10% of all Windows machines on the users. The blame for the hole lies with fallible, imperfect programmers. As I’ve stated, all OSes have holes, but Windows has automatic update. If a Windows box is not being updated, there is only one entity to blame, the person who turned off automatic updates. This isn’t a 0-day attack, the fix has been available for almost 6 MONTHS, and was distributed via Automatic Updates.
What else do you want? Perhaps a medal for all the idiots whose systems are infected with Conficker? Poor users, they are at the mercy of big bad MS, poor dumb bastards.
Except in this case, MS did their job 6 months ago.
A lot of the machines have already been said to be located outside of North America. We can afford to spend a day or so’s pay on an operating system and still have money left over. However, in third world countries (which make up a large percentage of the Conficker infections) they can’t spend a month’s, or more, pay on an operating system – they then pirate it. So, what Microsoft did to “help piracy” is reject these PCs that came in for security updates. So while you can view it as not being Microsoft’s ‘fault’, they still did have a part in the numbers getting up there.
Luckily there hasn’t been an issue that affects all internet users (yet), but what happens if there is? While Microsoft is pointing fingers at these ‘pirates’, Microsoft did have a role in causing such a large botnet.
Huh? You really have no clue what you’re talking about. Even pirated versions that fail WGA can still get security patches, the user just cannot download the latest Media Player 10 or whatever.
Not exactly true. Yes, you can get security patches if your WGA fails. However, you have to go in and get them manually. Automatic update requests will be rejected and will place a notification on the system’s tray to that effect.
This is a semi-valid point. All OSes need updates, indeed. True and correct.
With Windows, the problem is that the updates are binary blobs, trade secrets, and you (or anyone else who is not Microsoft) are not allowed to vet what they contain. In the past Microsoft have used updates to push software onto users’ machines that is NOT in the best interests of said users. WGA is a perfect example of this.
With Debian, the updates are open source; people other than those who wrote the software, and who use the subject software themselves, are able to, and do, vet that source code. End users also have an assurance that the source code changes that are visible to everyone do in fact compile into the binary updates that they download. That update system therefore has auditability, and an assurance of integrity that the updates are written in the best interests of people who use the system. The track record of said updates attests to this integrity.
Edited 2009-04-15 01:00 UTC
If you buy a car in the U.S.A. and there is a recall, you’ll receive a notice but it’s up to you to have the car repaired free of charge. You must make the appointment and go to have the work done.
It would be nice if everything was perfect but it isn’t. If you don’t do anything to maintain what you have, you can blame yourself first.
Only if the machine is configured to automatically set a restore point before the update is installed. I’ve seen way too many updates hose an OS to let it automatically install without a restore point.
Can’t be certain about earlier versions of Windows, but I know in Vista it does create a restore point before an update is installed.
Edited 2009-04-15 03:53 UTC
Read: “[…] should be the very first skills one learns when they get their ‘Windows’ PC.” But I do agree: Doing the updates is a very important skill. But the problem is: “Windows” users see themselves as users, not as administrators, and they believe that “Windows” administrates itself, so they simply don’t care (TM).
I don’t know about other countries, but here in Germany, people *refuse* to learn anything. “The computer should know what to do.” is a typical statement. So if problems occur, they are left to others, or “cured” by a new install.
That’s something I could already see. The problem you’re mentioning is that these “IT Gurus” are exactly as clueless as the ones they give advice to. “Service pack? No, you don’t need this.” (read: “I don’t know what it is.”)
Updates with a certain severity should be forced updates. The user would (of course, like with every maintenance operation on his system) give his password (if any) to authorize the update. A message should inform him briefly (so as not to scare him) what the update will do and why it is absolutely necessary. I don’t think it’s a problem to do so; the typical “Windows” user will click on every OK button just to see the dancing elephants, so he would do so if the system tells him to do so. Those who are more advanced users will surely pay more attention, but this is the group of users who will install service packs and updates anyway, so they won’t have any problem at all.
Passwords are useless for updates. Encryption and digital signatures are the way to allow updates from Microsoft to come and install automagically without even asking. Now I wouldn’t allow this sort of behavior on a *nix server, but it seems the Microsoft world is in big need of this exact methodology, so Microsoft should, in the interest of all of us, patch critical bugs without asking. After all, the bot network is ever increasing and the cost of maintaining all the spam flowing through the internet is upon us, the consumers. We pay excessive ISP prices, expensive and useless antivirus/antispam/antispyware. Well, not me actually, but you get the point.
Forgive me my ignorance, but I haven’t used any “Windows” yet, so my knowledge is very limited, and I’m sticking to universal and standardized principles when formulating my opinion.
I always assumed that most “Windows” versions feature a kind of security mechanism that prompts the user for a password – I think it’s called the Administrator password – when some software tries to install itself on the system, and this operation requires the elevation of rights and permissions. This is needed if the user doesn’t run in “Administrator mode”. (Of course, if the user always runs as “Administrator” and has no password set, no interaction would be required for authorisation, I assume.)
This is what I referred to with “giving a password”.
This would of course give the user a feeling of security – he doesn’t need to fear that something unauthorized will be installed on his system. If this obsoletes the need for interaction – yes, much better.
That’s what I think, too. Maybe it sounds impolite, but those who run UNIX systems (with critical stuff on them) are usually smart enough to care for their updates themselves. The average home user often doesn’t even know about the necessity of updates, just wondering why his Internet is so slow (which is explainable when he’s got some illegal file sharing hosts, spammers, scammers and who knows what else running on his system without any knowledge.)
I can understand that when abusing a “Windows” PC for data espionage, spamming and automated “follow-up PC detection” is made so easy by *not* installing the necessary updates, it may be okay to blame the clueless home PC users. It’s not that PCs are easy. No, they require a minimum of knowledge. It’s like driving a car. It’s not *that* hard to learn it, but you *have* to learn it first (handle the car, know traffic signs and rules).
The user of a PC that is connected to a network (here: the Internet) has a certain individual responsibility. If he can’t take it, he shouldn’t own a PC. To avoid this implication on the market, the manufacturer of the PC’s operating system should take the responsibility (because he wants to sell his OS, as well as the PC vendor wants to sell his hardware along with the OS). By means of advertising, the user has been convinced that everything works “by magic”, he doesn’t have to know anything, he may just go there and clickityclick. And now it’s possible to turn the argument around again: If the OS’s manufacturer made the user believe in such things, it’s his responsibility again to make sure that it “just works” as he said in his advertisements.
The downside of this “responsibility ping pong” is that nothing will change in the future, because every side can deny its own responsibility and blame the other side.
As you mentioned, an automated solution without interaction would be best. For advanced users, there could be some kind of “expert mode” that gives more information, but leaves more decisions to the user. This mode shouldn’t be default; in fact, it should be hidden so that only those who are smart enough to do “expert stuff” are able to find it.
And I completely agree with you.
I’m sure you know common downsides of the missing updates: More than 90% of the mail transferred worldwide is spam. And most MTAs don’t accept mail from dynamic IPs. In the past, this was no problem, but today, you need masquerading, mail relays, those have spam filters again, blah blah… you know.
I would mostly agree, except that most people I know really don’t know how to use a computer. Should I prevent them from accessing it? I’m sure most of them manage to browse for information, chat, watch video, etc. They don’t need a degree to use it in a basic form. Why should they know about securing an OS? Why would they even care about it?
Well, it’s certainly the manufacturer’s responsibility to fix their shit. Look, I own a cellphone, as many people do. I *really* don’t know shit about cellphones. I do know much more about *nix and other computer stuff, but I barely know about cellphones bar using it. Imagine a new virus starts spreading through the cell network infesting all devices. Is it my responsibility to patch my own phone? Shouldn’t the manufacturer release the patch and the phone company send the patch to make the phone secure? It’s the same with computers.
Yeah, I so much would like to run my own mail server with my own rules, but my ISP blocks port 25 and I don’t really want to spend money on a relay.
One problem with making updates free of user interaction: given that a good number of critical updates require Windows to be restarted, do you want your computer restarting at random times after it has applied an update? Say you’re in the middle of a very important video conference, or writing up a very important message… and your computer decides to restart without telling you. Not a good idea, imho. I actually had this happen, though it was a VMware tools update and not a Microsoft one that did it. Regardless, I wouldn’t want that to happen; at least give the user a choice whether to restart now or later, especially given how many security updates get released for Windows as compared to most other OSes. Better yet… allow the individually updated components of Windows to restart without requiring a system reboot. Take UNIX and/or Linux for example: you almost never need to reboot it to apply an update, the one exception being if the kernel has been updated. Every other part of the system can be updated on the fly, and only the affected services need to be restarted.
>> so Microsoft should, for the interest of all of us, patch critical bugs without asking.
…way too much damage has been made to the world by big/trusted/knowledgable people in the name of “our best interests” (whatever it happens to be at the moment) for me to consider that as a remotely reasonable compromise….
Windows Update does actually already have this exact capability:
http://www.osnews.com/permalink?358484
This capability does have its downside:
http://www.osnews.com/permalink?358567
I guess the old saying is right, “You can tell a German, but you can’t tell him much.”
It’s easy to blame Microsoft because it is still their fault. Updates for Windows are annoying to install; just about every one I install asks to restart (Windows Vista). I say no to the reboot and it gives me a window in which it will do a forced reboot. Yes, Microsoft, thanks for rebooting while I write my essay… After that I turned off auto updates and they are still annoying to deal with. At least when I am in Ubuntu or Debian it doesn’t keep bugging me every freaking 5 minutes to reboot.
Edited 2009-04-15 06:24 UTC
Wow….10% of all PCs everywhere. Excuse me whilst I quake in fear.
This Conficker thing is so way blown out of proportion it isn’t even funny.
MS did right by patching in Oct 2008. They found the hole and plugged it. Non-issue. Anyone who doesn’t have the patch yet is probably still on dialup and refuses to take the 2 hours or more necessary to patch their PC.
McAfee has listed Conficker as a low priority threat from the beginning.
Useless media fodder, and FUD as usual.
Six months after a patch is released, 90% of all Windows machines have it? That’s great! That’s absolutely astounding. Considering the complexity of the task and the volume of absolute idiot computer users that are out there, I’m really really shocked by that figure. In fact, I see a very positive headline turned negative by Sophos to sell antivirus software.
I found it astonishing that only 10% of Windows users have NOT applied the update.
Whenever I get IM spam or IM viruses sent to me from a friend, I send them a message and say “Dude, you’ve got a virus, it’s trying to send itself to me”. Every time, the person replies and says “Yeah I know”. Well, if you know, then why the fug are you still online and allowing it to infect your friends?!
Once, I suggested to one of them that it might be a good idea to disconnect from the Internet until they had removed the virus. “Mind your own business”. Well, it IS my business if you’re sending me viruses and slowing down the whole internet by contributing towards spam. On a similar vein, yesterday I told someone that they were sending viruses through IM and they said “Yeah I know, I’m going to buy an anti-virus next month”. Heavens above, that’s over two weeks away!
Windows users need to start taking responsibility for their computers. A virus is something that needs to be attacked ASAP to protect your money, your identity and other people’s computers. No wonder all these worms, trojans and viruses run rampant on the Windows platform if users don’t consider them important enough to do anything about them!
… all of the kerfuffle about Conficker is great entertainment when you have a Linux box…
Here’s some info on unpatched holes in OS X.
http://www.h-online.com/security/Root-exploit-for-Mac-OS-X–/news/1…