Update Windows today - before it gets Blasted

Companies and home users should use Microsoft's Windows Update service immediately, before it comes under attack from systems infected with the MSBlast worm this Saturday say security experts.

The MSBlast worm (also knows as Blaster or Lovsan) has been spreading quickly around the globe since Monday by infecting systems that do not have adequate firewall protection. The worm exploits a vulnerability in certain versions of Microsoft's Windows operating systems and has been designed to launch a simultaneous attack on the Windows Update Web site from Saturday 16 August.

The attack is unlike any seen before and Microsoft could find it difficult to keep its Windows Update service running.

Jason Holloway, UK general manager at mobile security company F-Secure, believes that although a patch that fixes the exploit has been available for around a month, only half of all computers running a vulnerable version of Windows will have applied it.

The worm is only a problem for users of Windows 2000, Windows XP and possibly NT4. Windows 98, Windows 95 and Windows 3.11 are not at risk.

Holloway said that when a similar attack took place on the White House Web site last year, "it wasn't very hard to knock it offline." If enough machines are infected, the Windows Update Web server's performance will significantly degrade and it could fall over completely: "We can't guarantee that the site will be around afterwards," said Holloway.

Paul Wood, chief information security analyst at Messagelabs, believes that Microsoft has had enough time to prepare: "Plenty of bandwidth and prior notification should enable Microsoft to defend itself," said Wood. However, he said it does depend on how prevalent the worm is.

But Holloway insists that MSBlast is far more sophisticated than previous worms, and will be more difficult to defend against. "Last time, they were attacking the site through its IP address. Administrators fixed the problem by setting up a different Web server, using a different IP address and then reconfiguring the DNS."

Holloway explained that this time, the worm uses the Web site's full name and looks up its DNS on the fly. "So Microsoft can't just change the IP address or load balance against this attack."

Another potential problem is that the worm has an activation date of 16 August, but not all computers are set with the correct time and date, so the attack has already started. "Some PCs will already be mounting an attack on Windows Update and I would expect that to escalate. By Friday it could become quite difficult to connect to that site."

Additionally, MSBlast is not spread by email. Instead it scans random IP addresses, looking for machines that are not protected with a firewall. "It has port scanning abilities. If it finds a specific port open, it launches a buffer overflow attack. After this, it can take control of the machine and do pretty much what it wants -- such as download a piece of code or take over the machine," said Wood.

Both Wood and Holloway agreed that a well-configured firewall and up to date antivirus software will protect most users.