On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:
> When the Morris worm was released, there wasn't a patch available. Since then essentially every compromised computer has been via a vulnerability with a patch available or misconfiguration (or usually lack of configuration).
Key word here is "essentially". I've been involved with about a half dozen compromises that have been true zero-days. Granted, that's less than ground noise compared to what we are seeing today.
As far as improvements go, Microsoft's XP SP2 is a great improvement. If you have a Windows machine, implementing XP SP2 could help with a lot of the stupid vulnerabilities. Unfortunately, less than 50% of Internet users have XP.
This ends up being a catch-22 all the way around. Since MS has focused on locking down XP, they have ended up focusing on a minimal market share of the problem. With this in mind, I don't think we are going to see things getting any better now that SP2 is out. For the end user running 2000 or less, it ends up sounding like "we screwed up and sold you an insecure product, so now we want you to give us more money in order to fix the problem". A fix that addressed the problem in a more universal fashion would have been cool.
> Should ISPs start requiring their users to install Windows XP SP2?
Many folks have already commented on the economics of trying to require this. I think technically it would be hard to implement as well. I've done a lot of work with passive fingerprinting, and from my observations you don't see enough of a difference in the packet creation to tell the difference between patched and unpatched systems. This leaves you with active fingerprinting, which may fail if a personal firewall is active, or loading software on their system, which is now a whole other support nightmare. Lots of overhead for little gain, in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the foot. Windows 2003 Server, out of the box, is technically one of the most secure operating systems out there because it ships with no open listening ports. Based on the auditing I've done, however, it ends up being deployed even less securely than 2000 because a lot of admins end up doing the "turn everything on to get it working" thing. An uneducated end user is not something you can fix with a service pack.

Chris
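To make the passive-fingerprinting point concrete, here is an added example (not code from the original thread or from Chris or Sean) of what a p0f-style passive fingerprinter actually extracts from a TCP SYN: initial TTL, window size, DF bit, MSS, window scale and the order of TCP options. Those are properties of the TCP/IP stack, and a service pack that does not alter them leaves nothing for a passive observer to key on. The packets and the two-entry signature table are constructed for this example; the labels and field values are illustrative, not p0f's real database.

```python
"""Passive TCP SYN fingerprinting, p0f style (added example; constructed input)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# --- TCP option encoders, used only to build the constructed test packets ---
NOP = b"\x01"
SACK_OK = b"\x04\x02"


def opt_mss(mss: int) -> bytes:
    return b"\x02\x04" + struct.pack("!H", mss)


def opt_timestamp(tsval: int = 0, tsecr: int = 0) -> bytes:
    return b"\x08\x0a" + struct.pack("!II", tsval, tsecr)


def opt_wscale(shift: int) -> bytes:
    return b"\x03\x03" + bytes([shift])


def build_syn(ttl: int, window: int, df: bool, options: List[bytes]) -> bytes:
    """Build a minimal IPv4+TCP SYN (constructed input; checksums left as zero)."""
    opts = b"".join(options)
    opts += b"\x00" * ((-len(opts)) % 4)          # pad options to a 32-bit boundary
    data_offset = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, data_offset << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp


@dataclass(frozen=True)
class Fingerprint:
    initial_ttl: int      # observed TTL rounded up to the nearest common stack default
    window: int
    df: bool
    mss: Optional[int]
    wscale: Optional[int]
    option_layout: str    # e.g. "M,N,N,S"; option order is the strongest stack signal


def guess_initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the default the sending stack most likely started with."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(pkt: bytes) -> Fingerprint:
    """Extract the stack-level fields a passive fingerprinter sees in a SYN."""
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sp, _dp, _seq, _ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    if (flags & 0x12) != 0x02:
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_res >> 4) * 4]

    names, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            names.append("E")
            break
        if kind == 1:                       # NOP
            names.append("N")
            i += 1
            continue
        # Guard against truncated options and the classic length-0 infinite loop.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
            names.append("M")
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
            names.append("W")
        elif kind == 4:
            names.append("S")
        elif kind == 8:
            names.append("T")
        else:
            names.append(f"?{kind}")
        i += length
    return Fingerprint(guess_initial_ttl(ttl), window, bool(flags_frag & 0x4000),
                       mss, wscale, ",".join(names))


# Illustrative signature table, constructed for this example (not p0f's database).
SIGNATURES = [
    ("Windows 2000/XP (illustrative)", 128, True, "M,N,N,S"),
    ("Linux 2.4 (illustrative)", 64, True, "M,S,T,N,W"),
]


def classify(pkt: bytes) -> List[str]:
    """Return every signature label whose TTL, DF bit and option layout match the SYN."""
    fp = fingerprint(pkt)
    return [label for label, ittl, df, layout in SIGNATURES
            if fp.initial_ttl == ittl and fp.df == df and fp.option_layout == layout]


if __name__ == "__main__":
    xp_like = build_syn(ttl=116, window=64240, df=True,
                        options=[opt_mss(1460), NOP, NOP, SACK_OK])
    print(fingerprint(xp_like), classify(xp_like))
```

Note what the signature does not contain: nothing about which hotfixes or service pack are installed. Two hosts whose stacks emit the same TTL, DF, window and option layout produce identical fingerprints regardless of patch level, which is the limitation the message above describes; the option parser also rejects a zero-length option rather than spinning on it, a bug real sniffers have shipped with.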