Who's really to blame for the recent worms?

This has been a bad week for Windows 2000 users because of a string of worms that exploit a recently patched Windows Plug and Play vulnerability.  Even major media outlets and automakers have felt the sting of this latest worm.  After a few days of gleeful media commentary from some of the usual suspects, people seem to have forgotten who the real culprit is.  The real reason why these latest worms have struck so quickly is because a security firm recklessly released proof-of-concept exploit code less than 24 hours after Microsoft released the patch.  Because it's so difficult for IT departments to test and patch all their computers in such a short period of time, I tried to call attention to an impending disaster last week and Zotob hit four days later.

Zotob is a classic illustration of why reasonable disclosure policies are needed.  It is obvious that Zotob was a rush job because the SMTP code for sending infected email wasn't even functional.  Zotob essentially took the proof-of-concept code that was released last Wednesday and converted it in to a fast spreading worm five days later.  While I'm not against proof-of-concept code in general because many people pay no attention to security vulnerabilities until an eminent threat appears, I've always maintained that timing is critical and there really needs to be a global standard for responsible disclosure.

Although companies who didn't patch their Windows 2000 computers bear some responsibility, five days to test and apply a security patch across a large enterprise is extremely difficult unless they had some kind of patch management solution in place.  Microsoft provides a nice patch management tool at no cost, but most organizations have not taken advantage of it.  Even the most basic of personal firewalls would have stopped this attack, but it's clear that many organizations have not learned from the past.  After this latest set of attacks, organizations should take a hard look at their security strategies.