The Morris Worm
Just six months ago we celebrated the 25th anniversary of the Morris Worm. By today's standards the raw number of systems affected — 6,000 — is not impressive. It looks different when you see that there were only 60,000 systems on the entire Internet on November 2, 1988.
Yes, Robert Morris, then a graduate student at Cornell, brought down 10 percent of the entire Internet, and he did it by accident. Morris wrote a worm program as a selfish intellectual experiment. Exploiting known vulnerabilities in Unix sendmail (the DEBUG command), fingerd (a buffer overflow) and the trust relationships used by rsh/rexec, as well as guessing weak passwords to get into accounts, it attempted to span the entire Internet. But a bug in the worm turned it instead into a massive distributed denial of service attack against the entire Internet: it re-infected machines that were already running it, so hosts ended up with many copies of the worm and ground to a halt.
Computer security was an academic issue before the Morris worm. After November 2, 1988 it became very real.
Conficker: Still botting after all these years
On Thursday, October 23, 2008 (yes, it was "out of band"), Microsoft published MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution. This was one of the really bad ones in that an unauthenticated attacker on the network could send a crafted RPC request to the Server service, run code with SYSTEM privileges on the PC and turn it into a bot. The word went out that it was important to apply the update, but you know how people are; security firm Qualys estimated that in January 30% of vulnerable PCs were still unpatched.
It was almost a month later that the first variant of Conficker, also known as Downadup and whose later variants installed the Waledac spam bot, was detected. Conficker was, make that "is" because it's still alive, pretty sophisticated malware. It was capable of updating itself, and it did not rely on MS08-067 alone: it also brute-forced weak passwords on ADMIN$ network shares and planted an autorun.inf on USB drives, making it one of the principal bots to spread via file shares and removable media.
In Europe the spread was particularly severe, affecting the military networks in France, the UK and Germany. It spread to over 200 countries and became one of the largest botnets ever.
In fact, Conficker would have been blocked by decent firewall rules as well as by the update: the MS08-067 exploit and the share password guessing both arrive over SMB (TCP 139 and 445), ports no sane network exposes to the Internet and few hosts need to accept from each other. A perimeter firewall does nothing against the USB vector or against a peer on the same LAN, though, which is why it kept spreading inside networks that had blocked it at the edge. The fact that it spread so far and still lives shows just how widespread bad configurations are.
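As an added illustration (not code from the article or from the Conficker Working Group) of what "decent firewall rules" means here: the block below generates an iptables rule set that accepts inbound SMB only from trusted subnets and drops it from everywhere else, and evaluates the same policy against constructed source addresses. The trusted subnets, interface name and sample addresses are assumptions chosen for the example.

```python
# Added example: an SMB exposure policy of the kind that would have stopped
# Conficker's network vectors, plus an evaluator for the same policy.
import ipaddress

# MS08-067 is reached through the Server service over SMB, so the worm's
# exploit and its ADMIN$ password guessing both need one of these ports.
SMB_PORTS = (139, 445)


def smb_rules(trusted_nets, iface="eth0"):
    """Return iptables commands (assumed interface name) that allow inbound
    SMB only from the trusted subnets and drop it from any other source."""
    rules = []
    for net in trusted_nets:
        ipaddress.ip_network(net)  # raises on a malformed subnet
        for port in SMB_PORTS:
            rules.append(
                f"iptables -A INPUT -i {iface} -p tcp --dport {port} "
                f"-s {net} -j ACCEPT"
            )
    # Default deny for SMB from everywhere not listed above.
    for port in SMB_PORTS:
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -j DROP")
    return rules


def smb_allowed(src_ip, dport, trusted_nets):
    """Evaluate the same policy: True if an inbound TCP connection from
    src_ip to dport would reach the Server service."""
    if dport not in SMB_PORTS:
        return True  # the policy only restricts SMB
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in trusted_nets)


def exposure_report(trusted_nets, sources):
    """Map each constructed source address to whether it could still deliver
    the MS08-067 exploit over port 445 under the policy."""
    return {ip: smb_allowed(ip, 445, trusted_nets) for ip in sources}


if __name__ == "__main__":
    # Constructed sample: one LAN subnet is trusted, one Internet host and
    # one LAN peer try to reach port 445.
    trusted = ["192.168.1.0/24"]
    for rule in smb_rules(trusted):
        print(rule)
    print(exposure_report(trusted, ["203.0.113.7", "192.168.1.20"]))
```

The evaluator makes the caveat concrete: the Internet host is dropped, but the LAN peer is still allowed, so an infected laptop plugged into the trusted subnet can exploit every unpatched host on it. Host-based firewalls with the same rule, the MS08-067 update and disabling autorun are what closes the remaining paths.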
Image: The Conficker Working Group
Adobe Flash: Quick! Everyone update again!
The Adobe Flash Player Security Bulletins page shows 101 security updates, fixing some much larger number of vulnerabilities in the product since the release of version 9 a little over five years ago. None of these vulnerabilities was much more egregious than the others, but the sheer number of them and Flash's weak updating process have meant that there are always large numbers of users exposed to known, already-patched Flash vulnerabilities.
One of the most famous and consequential Flash vulnerabilities was used, as a zero-day embedded in an Excel attachment to a spear-phishing email, to penetrate RSA (the company) in 2011 and steal information about its SecurID two-factor authentication tokens. Remediating this problem was expensive and, in the interim, large numbers of high-value customers were exposed.
Adobe has improved the update process, and both Google and Microsoft have (ironically) built Flash directly into their web browsers so that their own, stronger update mechanisms deliver Flash fixes without waiting on the user.