Microsoft Issues New Security Patch to Ward Off Internet Hacks

Microsoft Corp. this week issued its 39th security bulletin—MS03-039—of the year. The Redmond, Wash., firm urged customers to immediately install a free patch to close a hole in Windows that could allow hackers to seize control over computers much the way the Blaster worm recently wreaked havoc.

The patch is available for free download at: http://www.Microsoft.com/security.

The patch contains an updated version of the DCOM/RPC scanning tool for IT administrators. The utility enables network administrators to identify unpatched machines. Microsoft security executives advise organizations to deploy the new DCOM/RPC tool and not the version the company released with Microsoft Security Bulletin MS03-026.

In the ultimate irony, the latest Windows security flaw was made public at almost the same time that Phil Reitinger, Microsoft’s senior security strategist, was in Washington to address the Technology Subcommittee of the House Government Reform Committee. Reitinger detailed Microsoft’s increased commitment and efforts to help customers safeguard against Internet-based attacks.

The latest vulnerability underscores the need for corporations and consumers alike to maintain a constant vigil and make good computer security part of their daily routines — or risk the consequences.

Market Impact
The litany of security holes in Microsoft’s popular Windows operating system crops up with almost monotonous regularity, despite Microsoft’s best efforts to harden its core Windows operating system software. In the last 18 months Microsoft made security a top priority. The company beefed up its core contingent of security experts to nearly 500, implemented the Trustworthy Computing initiative—which meant halting all new code development and delaying the launch of Windows Server 2003 by 16 months—and released security patches and guidelines more quickly.

Microsoft's efforts have had some noticeable results. In the last two years the company has managed to reduce significantly the number of security flaws and associated bulletins and patches. So far in 2003, Microsoft issued 39 security bulletins and patches. Although, there are still 106 days left in this calendar year, the number of incidents has steadily declined since its peak in 1999, when Microsoft released 108 security fixes.

Still, the hacks keep happening. More ominously, the hacks themselves are more severe. These Internet invasions have the ability to circumnavigate the globe faster than you can say “Magellan.”

The headlines tell the story.

• A Minneapolis high school senior was arrested and charged two weeks ago with launching a variant of the Blaster worm.
• Half a world away in Bucharest, a 24-year-old Romanian man was charged this week with unleashing another version of the Blaster worm. He faces a maximum of 15 years in prison if convicted under Romania’s tough new cyber-crime laws.
• Police in London charged two men in their early 20s—suspected of being part of an international ring of hackers called the “Thre34t-Krew”—with authoring the “TK” Trojan horse worm that infected 18,000 computers worldwide and caused an estimated $9 million in damage.
• On the other side of the globe, 100 of North America’s most active spammers, based just outside of Beijing—which they apparently felt was a safe haven—received a rude awakening. The Internet Society of China reacted forcefully to the rapidly burgeoning Spam mail and blocked 127 Spam servers on mainland China, Taiwan, and elsewhere.

Security Trends
Some aspects of computer security remain constant. They are:

• Ninety percent of the damage is still done by 10 percent of the hacks.
• The overwhelming majority of malevolent hackers are white males in their teens and twenties.
• Microsoft and Windows, the world’s number-one software manufacturer and operating system, remain the top targets.
• No software package or hardware device is 100 percent hack-proof or immune to malicious viruses.

In response to the latest spate of worms, viruses, Trojan horses, and opportunistic hacks that exploit flaws in the Windows operating system, Microsoft’s Reitinger said the company might architect Windows to automatically install the appropriate software patches. For the better part of the past decade, Microsoft sent out notifications when it released new patches. But the sheer number of these notifications sometimes served to numb consumers and corporations to the threat. Additionally, consumers and enterprises alike debated the wisdom of downloading a patch if they had not suffered any damage or been hacked. In some instances, installing a security patch caused unintended consequences and introduced interoperability and usability problems.

In the case of this latest security bulletin, MS03-39, Microsoft’s advice is unequivocal. “We definitely want people to apply this patch,” said Jeff Jones, Microsoft’s senior director of trustworthy computing security.

Best Practices
Security threats are a fact of computing life in the 21st century. That is not going to change. Ignoring the problem will not make it go away. You cannot fully hack-proof a home or office. But you can take steps to eliminate your vulnerability and thereby reduce the threat to an acceptable level. And that means making good computer security hygiene a part the organization’s regular administrative routine. Companies should:

• Know what’s on your network. Study the network configuration. Look for open ports or single ports of failure. If found, disable and dismantle them. Remove any “illegal devices” such as network sniffers or unauthorized software.
• Perform regular software inventories. This will assist the organization in maintaining compliance and keeping track of various software versions and patches.
• Rid the network of unsupported and obsolete software and hardware as quickly as possible. Unsupported or outmoded equipment is tantamount to an open invitation to hackers. Isolated pockets of Windows 98 and older Pentiums remain in many networks. Obsolete equipment increases a company’s security risk by an order of magnitude.
• Never let any one person have access to all of the administrative groups or security rights and privileges. At the same time, restrict access to sensitive data or specific administrator groups such as Active Directory, on a need-to-know basis.
• Install the latest security patches and fixes.
• Increase the degree of difficulty in penetrating the corporate network. Remain current on your anti-virus, intrusion detection, authentication, authorization, and encryption software. A hack delayed may be a hack thwarted.
• Perform daily backups.
• Implement a disaster recovery plan. This should include having data reside at a site other than corporate headquarters.
• Implement and enforce computer security policies and procedures and enforce them. The company’s computer security policies and procedures should be handed out to new employees during orientation. The company should disseminate the policies and procedures via e-mail and hard copy.
• Physically separate and segment sensitive DNS data. Companies should never, for example, allow all of their domain name (DNS) network data to reside on a single site. Organizations should put their DNS information on two separate networks. This will increase reliability and redundancy and help your firm avoid outages.
• Use multiple bandwidth providers.
• Configure DNS and Web servers to accommodate large data loads. This may not prevent your server from crashing under the weight of a denial-of-service (DoS) attack, but the servers may crash later rather than sooner.
• Redundancy is crucial. This includes redundancy in WAN bandwidth lines as well as for the company’s physical hardware. Install numerous high-availability Web clusters to deliver redundancy for the same content and disseminate it over a wide area to achieve 99.999 percent uptime.

Finally, consumers and corporate enterprises should download Microsoft’s security guidelines at: http://www.Microsoft.com/protect/.

If you don’t defend your data, no one else will.

The Yankee Group originally published this article on 12 September 2003.