Current event: Downadup worm infects 1.1 million machines in 24 hours

By cxlt at 2:05 pm on January 15, 2009 | 6 Comments

A worm known as Downadup, or as Conficker to some security companies, is spreading rampantly by exploiting a Windows flaw that was found, and patched, months ago (the Server service vulnerability fixed by Microsoft's MS08-067 update).  F-Secure estimates that the worm has already compromised 3.5 million machines in total.

Microsoft had deemed the flaw serious enough to issue a rare out-of-band update for it back in October, and it has responded fairly quickly to this latest surge as well, adding detection for the worm to its Malicious Software Removal Tool on Tuesday.

Microsoft’s code has often been criticized for its alarming rate of security flaws, but it is difficult to fault the company in this instance given the rapid response, and researchers from F-Secure and Symantec agree: the issue here is customers who have failed to apply a patch that has been available for months.

Though the hackers have yet to put the infected machines to use as a botnet, the infrastructure for doing so is in place.  Every day the worm runs a domain generation algorithm that produces hundreds of new domain names, seeded by the current date, and queries them for instructions from its controllers.  The asymmetry favors the attacker: the controllers need to register only one of that day’s domains to issue commands, whereas, as with the Srizbi botnet last year, security firms must register every one of them, every day, to keep control away from the hackers.  FireEye, a security company, tried to do exactly that for a while, but it soon became too expensive and the hackers regained control of their network.
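The asymmetry described above, as an added example that is not code from this post or from the worm itself: a toy date-seeded domain generation algorithm in Python, the attacker’s one-domain rendezvous, the defender’s cost of holding every domain, and a DNS log check that predicts the day’s domains to flag beaconing hosts.  The hash construction, seed, TLD list, 250-per-day count, registration fee and log format are all assumptions for illustration, not Conficker’s real algorithm.

```python
"""Illustrative date-seeded domain generation algorithm (DGA) and the
defender's side of it.  This is a hypothetical toy, NOT Conficker's actual
algorithm; the seed, TLD list, domain count and log format are assumptions."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set, for illustration
DOMAINS_PER_DAY = 250                          # assumed count ("hundreds" in the post)
SECRET_SEED = b"example-botnet-seed"           # assumed; shared by worm and controller
EXAMPLE_DAY = date(2009, 1, 15)                # the day of the post, used in the demo


def daily_domains(day: date, count: int = DOMAINS_PER_DAY,
                  seed: bytes = SECRET_SEED) -> list[str]:
    """Return the deterministic list of rendezvous domains for `day`.

    Anyone who knows the seed and the algorithm (the worm, its controllers,
    and a reverse engineer) can compute the same list ahead of time."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                       # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def attacker_rendezvous(day: date, choice: int = 0) -> str:
    """The controller needs only ONE of the day's domains live; any index will do."""
    return daily_domains(day)[choice]


def defender_registration_cost(days: int, price_per_domain: float = 7.0,
                               count: int = DOMAINS_PER_DAY) -> float:
    """The defender must hold EVERY domain for EVERY day to keep control.
    price_per_domain is an assumed, illustrative registration fee."""
    return days * count * price_per_domain


def flag_dga_queries(log_lines: list[str], today: date) -> list[tuple[str, str]]:
    """Match DNS query logs against the predicted domain set for today +/- 1 day
    (tolerating clock skew on infected hosts).  Returns (source_ip, qname) hits.
    Assumed log format: '<timestamp> <src_ip> query <qname>'."""
    expected = set()
    for offset in (-1, 0, 1):
        expected.update(daily_domains(today + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in expected:
            hits.append((parts[1], qname))
    return hits


def sample_log(today: date) -> list[str]:
    """Constructed sample DNS log: benign lookups plus one infected host beaconing."""
    beacon = daily_domains(today)[42]
    stamp = today.isoformat()
    return [
        f"{stamp}T09:00:01 10.0.0.2 query www.microsoft.com.",
        f"{stamp}T09:00:02 10.0.0.5 query {beacon}.",
        f"{stamp}T09:00:03 10.0.0.7 query update.f-secure.com.",
    ]


if __name__ == "__main__":
    print("attacker registers just:", attacker_rendezvous(EXAMPLE_DAY, 17))
    print(f"defender must register {DOMAINS_PER_DAY} per day; "
          f"30 days cost about ${defender_registration_cost(30):,.0f}")
    print("flagged beaconing hosts:", flag_dga_queries(sample_log(EXAMPLE_DAY), EXAMPLE_DAY))
```

Because the list is a pure function of the date and a fixed seed, a defender who has reverse-engineered the algorithm can compute tomorrow’s domains in advance, both to pre-register (sinkhole) them and to match them against DNS query logs; the one-day window on either side covers infected machines whose clocks are off.  The cost function makes the economics plain: the attacker pays for one registration, the defender for all of them, indefinitely.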

This incident raises the question of whether customers should still be allowed to choose whether or not to install updates.  Apart from corporate customers, who have to worry about the compatibility of their custom software, the time has perhaps come for security updates to be force-fed to consumers, particularly those who disable updates without realizing the full implications of that decision.

[source: link]

Filed under: Current Events, Policy

6 Comments

  • 1

    Comment by nhunt

    January 16, 2009 @ 12:09 am

    While I do understand the importance of keeping a computer’s software patched against the latest security threats, I think “force-feeding” patches to consumers is a bit of a drastic step to take. Arguably, it could result in a fairly dramatic decrease in the number of infected machines, since each individual user would not need to manually install the patch. However, it raises a number of other concerns.

    For example, even though this policy of pushing patches to consumers may only be used for “critical updates” at first, inevitably the definition of exactly what a “critical update” is will broaden over time. How long will it take for companies to start bundling adware with their critical updates? In my opinion, silently pushing data onto consumers’ boxes puts too much trust in the developers. I enjoy the freedom of using my own judgment to decide what gets installed on my systems.

  • 2

    Comment by erielt

    January 16, 2009 @ 12:13 am

    I have to say that I strongly agree with the sentiment that customers should be required to install updates, but to whom does this apply? For those who got infected, they had to go through the effort of disabling automatic update (which is on by default) in order to be vulnerable to this flaw. Although requiring patches would fix this particular flaw, can that generalization be made across all Windows users? For example, what about the security experts that use the unpatched machines to attract viruses to study and develop solutions for? Should the process for disabling updates be so complex that the average user no longer has this option? What if enabling automatic updates leads to some other issue (a dialup user never being able to fully download the large patches, yet their internet connection is always saturated when they try to go online)?

    It becomes more obvious in this particular instance that the weakest link in most security systems appears to be the users. In this case, the users have allowed a problem to continue to exist even though the default option is to have it patched. I think that this raises the question, where do users fit in in the computer security arms race? Although I’m making a broad generalization here, it seems more and more that ill-educated actions on the part of users are the basis of the large computer security fiascos. How far should computer software go in taking any responsibility from the hands of the users? I believe that this is a clear example of how software has not gone far enough to take away responsibility for necessary actions from the numerous computer-illiterate users on the internet.

  • 3

    Comment by alexmeng

    January 16, 2009 @ 1:07 am

    This is a very interesting article, as it presents the problem of security from the user’s side. In this instance, the user denies or does not take the steps to secure their box by installing the update which is supposed to fix the vulnerability.

    Although forcing the updates may seem to be the ideal solution for this case, I don’t necessarily agree with forcing the install on users. My main reason why they shouldn’t force it is that the adversary could change. It could change to someone within Microsoft. Someone within Microsoft may issue a malicious update for their own personal gain, since the software now forces installs on users. Having a system available such that it can forcefully install software on any client is not necessarily the ideal system, since we can never assume the system will never be used maliciously. Also, what happens if the update accidentally causes the user’s system to malfunction? This defeats the purpose of protecting the user, as the user can no longer use their own system. Furthermore, for the sake of the user, there may be some users who wish not to patch their system for personal research reasons. Maybe the user is doing penetration testing, or is a student in a security class attempting to apply what they learn.

  • 4

    Comment by Tim Crossley

    January 16, 2009 @ 10:09 am

    I’m a little worried about your suggestion that users be “force-fed” important updates. I take it that the point you are getting at is: from a global perspective, botnets can perform attacks such as DDoS that would be infeasible any other way. Therefore, in the interest of global computer security, we must prevent the spread of botnets as much as possible, and if that requires forcing users to update, then so be it.

    Personally, I feel that this is a terrible solution. Yes, there are going to be people who do not understand what all the updates do, and therefore disable them. But that number is decreasing, as people become more aware of security risks through media exposure, and as operating systems become more insistent on updates (Vista makes it very difficult to accidentally disable updates).

    I understand the desire to ensure updates on all possible computers, but just the thought of auto-installing software with admin privileges is something disturbing. Although, at the least, Microsoft should vary their update cycle

  • 5

    Comment by cxlt

    January 16, 2009 @ 10:45 am

    On the contrary, when you first install Vista, it pops up a dialog with three big buttons, one of which is very prominently ‘do not download updates.’

    I understand the sentiment that forced updates are a bad thing, but you haven’t given any specific reasons in your comment as to why this is the case, and besides general paranoia and potential compatibility issues, I can’t think of any either.

    I also don’t quite understand the phrase ‘auto-installing software with admin privileges’ – how would removing the option to not install updates (or limiting it to an obscure registry key) change the nature in which updates are applied?

  • 6

    Comment by nixusr

    January 17, 2009 @ 1:14 pm

    Perhaps instead of “force-feeding” customers the critical updates and/or any updates in general, they should be “force-fed” what the update(s) is/are for and be given an option; e.g. in Windows XP a user can have the option to automatically download and install, or download and choose which to install – and those have a brief explanation as to what the update does. This solution already exists; most customers (not the experienced user) go with the simple option and choose to auto-install or nothing.

    I personally sit on the fence on this issue as I would prefer not to be infected by someone who isn’t aware of security risks, yet I also have had problems with patches/updates messing with my streamlined system as a patch I applied back in August would disconnect my machines from my network.

    This does have a downside though, in which someone finding themselves in a situation where their system isn’t usable after applying security updates may uninstall said updates and reopen themselves to anything the patches are meant to fix.
