Uh oh. Has the zero-day exploit tipping point finally arrived?




By way of linkage from Doc Searls comes this tale of woe from Mike, an IT guy in the trenches who, up until now, felt as though he was doing a pretty good job beating back the bad guys from the networks and users that he supports. Says Mike of the Windows installation he oversees:

So, here it is in mid-2005, we've got a continuous stream of system patches, and a continuous stream of virus definitions, most of our spam is gone, and we're behind a continuously updated firewall. This interlocking system of patches does a good job of hiding the complexity and plugging the holes so that the users can go about their business. However, it's not perfect, but hey, that's why we get paid the big bucks, right? We fix the little issues that pop up, then go back to doing our other work. This system addresses the growing volume of threats in a fairly straightforward and efficient manner. It's not perfect, but it's amazing that it works as well as it does. However, I'm not happy. In fact, I'm starting to get very worried.

Why is Mike worried? He goes on to discuss how, despite the various previously effective layers of defense he has in place, his end users are beginning to see things like spam, virii, and phishing attacks that they theoretically shouldn't be seeing. Not only are the bad guys apparently starting to seep through the cracks, they're doing it in record-breaking time (Mike discusses zero-day exploits) and Mike can't keep up. Has the proverbial tipping point come where the digital transgressors have finally raced ahead of most, if not all, state-of-the-art defenses? Could "polyculture" go a long way towards mitigating your risk? Searls thinks so, saying:

The problem, I think, is less about Microsoft than it is about monoculture. What we have on desktops today is monocultural to an extreme that makes massive unprotectable vulnerabilities inevitable, regardless of the responsible company's motivations. My recommendation to companies like Mike's is to start introducing polyculture to corporate desktops. Start using other desktop operating systems and applications that are compatible with, though not identical to, Microsoft's.

But is one man's corporate standard another man's monoculture? Polycultures have their downsides too. Hardly a day goes by when I don't receive a pitch from some security vendor claiming it has miraculously come up with some sort of breakthrough security technology that can do what no other technology can do in terms of keeping systems safe from evildoers. Today is no different, particularly with Zotob on the loose. When new virii or worms surface, many of the security vendors are quick to point out that, had ZDNet's readers had their solutions in place, they would have been protected against the new exploit. However, this week's first security pitch (on the heels of Zotob) was less about a breakthrough and more about an announcement that security solution provider Cenzic had ported the open source vulnerability scanner Nessus to Windows NT. Did they say Windows NT? Yes they did.

It doesn't seem like we're moving in the right direction. I tracked Mike down via e-mail to see what he thought. He sees the polyculture approach as a patch because "Linux hasn't been shot full of holes yet" and thinks it'll be at least 15 years before we have truly secure systems. Mike has since blogged that he thinks such security must be based on capability rather than access control lists. Given that he's a Windows guy, one can only wonder what that says of his and others' expectations of the next, supposedly much more secure version of Windows that's currently codenamed Vista. My hope is that we won't have seen "the movie" before. But maybe that's wishful thinking. Even though it's beta (and we should always be super careful about judging beta), Vista has already turned up with what I'll call a case of bad judgement on its developers' behalf. Apparently, there's a peer-to-peer networking feature in Vista Beta 1 that's turned on by default -- one that uses a new version of Microsoft's peer name resolution protocol (PNRP) and connects to other beta machines as soon as an Internet connection is available. Ironically, the acronym PRNP refers to a gene that's connected with the non-contagious Bovine Spongiform Encephalopathy (aka "Mad Cow Disease") and the similar, but contagious kissing cousin of BSE in sheep known as scrapie (contagious to other sheep that is, not humans). Time for a new acronym?
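A feature that is on by default is only a problem if nobody checks for it. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reports the startup type of the Windows services that implement PNRP and peer networking on released Vista-era and later builds, and optionally disables them. The service short names (PNRPsvc, p2pimsvc, p2psvc, PNRPAutoReg) are assumed from those released builds; Beta 1 may have used different names, so confirm them with Get-Service first.

```powershell
# Added example (not from the article or Microsoft): audit the Peer Networking
# services that back PNRP and, with -Disable, stop and disable any that are not
# already disabled. Service names are assumed from Vista/7-era Windows.
param([switch]$Disable)

$peerServices = @('PNRPsvc', 'p2pimsvc', 'p2psvc', 'PNRPAutoReg')
$report = @()

foreach ($name in $peerServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service not present on this build

    # Get-Service exposes StartType on PowerShell 5+; fall back to WMI otherwise
    $startType = $svc.StartType
    if (-not $startType) {
        $startType = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    }

    $report += [pscustomobject]@{
        Service   = $name
        Status    = $svc.Status
        StartType = $startType
        # Anything not Disabled can be started on demand by a peer-networking client,
        # so it counts as exposed even when it is currently stopped
        Exposed   = ($startType -ne 'Disabled')
    }

    if ($Disable -and $startType -ne 'Disabled') {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

$report | Format-Table -AutoSize
```

Run it without -Disable first from an elevated prompt to see what is actually enabled; a Manual startup type is still reported as exposed because the service can be started on demand.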


Talkback

39 comments
  • You do remember the Vista P2P was open...

    ... by default in the beta version. It will not be open by default in the final version. That's in the article linked.
    The fault was not letting people know about the feature clearly enough.

    Your discussion was incomplete without that information.

    Quoting:
    Microsoft does not intend to enable the peer-to-peer service by default in the final version of Windows Vista, due out late next year, said Greg Sullivan, a product manager for Windows. That means the only machines likely to be exposed by the problem are those belonging to tech-savvy beta testers, who are more able to deal with it.

    "Bugs in Beta 1, well that can be expected," said Marco Drioel, a Windows Vista tester in the Netherlands. "Just disable PNRP if you think it is a threat."
    Anton Philidor
    • How can you be sure?

      [i]You do remember the Vista P2P was open...
      ... by default in the beta version. It will not be open by default in the final version. That's in the article linked.
      The fault was not letting people know about the feature clearly enough.[/i]

      The thing is that I don't [u]know[/u] that. All I know is that a blunder was made, and that MS was caught with its pants down. Sure, that excuse (that it was left open for the beta but was never intended to be open in the final version) does sound good when it's said after the fact. But it is after the fact, and they were caught with their pants down, and it has some people questioning their ability to produce a secure-by-default OS.
      Michael Kelly
      • You do realize

        that in the posted privacy policy it was made clear what is what and that it was on. How then would it have been on by mistake if they told people it was on prior? Anyone questioning that just needs to learn how to read.
        IT Scion
        • Wow

          and I need to learn how to type apparently....big hands little laptop....sry.
          IT Scion
  • Makes you think about publishing exploit code.

    Apparently this recent worm was based on published exploit code.

    Maybe attention should be turned to the question of whether exploit code should be published. Its main purpose appears to be making life easy for the script kiddies.

    Sometimes the perpetrators argue that such publication motivates the software provider. But the same purpose would be served by emailing the code to the provider.

    There's irresponsible behavior here. And it's not by Microsoft.
    Anton Philidor
  • Anton's scorn

    Geez, mention ANYTHING M$-wise, and the "usual suspects" jump on it. This article mentions M$ 3 times - and twice in the same paragraph (a quote). The idea behind this article is the zero-day tipping point! You must have MISSED the point (it's on top of your head).

    As for polyculture, it works in nature so people extrapolate it into the computer world. Will it solve, or at least lessen the vulnerability issues in the system? I think it has a better CHANCE of doing it, but it may fail also. It all depends on scant data (*NIX viruses) and on group-think (If *NIX was more popular, there would be more viruses). I find it interesting that the people that buy the Linux-popular-virus theory hook, line and sinker are the SAME ones that dismiss global warming out-of-hand. But I digress . . .

    Would a Sun server/SunRay client system end up having the same problems as Windoze server/client, because it is a monoculture? No data, only speculation, but I personally doubt it.

    After 17 years in *NIX, I have yet to battle a threatening virus or worm. The biggest problems that I have faced were with patch upgrades that broke something - EVERYWHERE (monoculture example - but not security-related). Is my experience TYPICAL of similar UNIX admins around the world? Does that PROVE anything? All I know is that I would put my *NIX (pick your flavor) against anything M$ can come up with - anytime, anywhere.
    Roger Ramjet
    • Are you talking to me?

      [I am less threatening than Robert DeNiro. Trust me.]

      I did two posts.

      The first pointed out a limited and potentially misleading reference to a feature in Vista Beta 1.

      The second pointed out that a reason for quick turnaround is publication of exploit code by those who are supposed to be good guys. I disapproved.

      I didn't comment on the monoculture/polyculture issue. Another time.


      When I scorn anything, you'll know.
      Anton Philidor
      • Also, I wonder if Mr. Murphy...

        ... who opposes the global warming theory (I think) accepts the "Linux-popular-virus theory".

        You wrote:
        I find it interesting that the people that buy the Linux-popular-virus theory hook, line and sinker are the SAME ones that dismiss global warming out-of-hand.


        My feeling is that the writers of malware want to reach those people they are most likely to infect. Those people are mainly on Windows. If by some miracle they moved to Linux tomorrow, then the malware writers would follow them.

        So I think you're not entirely correct about me, either.
        Anton Philidor
        • Perhaps but the real question is even "IF" all the current

          malware writers were to move to Linux, what would that mean?
          Would they be able to create the same level of problems/mischief
          in the Linux world as they currently have and can for the Windows
          world? Or in other words, are all things equal or is one product
          more secure than another? As I stated below, I do believe that all
          OS's are imperfect but that does NOT mean that one might very
          well be MORE secure than another.

          Pagan jim
          Laff
          • Inherent security is a different issue.

            Even Windows is so well protected these days that malware writers are fighting software battles less than they did in the past.

            They now rely on social engineering, obtaining the cooperation - or at least the disinterest - of the user to infect PCs.

            If Linux is more secure, the malware writers and their user helpers will be equal to the challenge.
            Anton Philidor
    • > mention ANYTHING M$-wise, and the "usual suspects" jump on it

      I guess that would include you. :)
      balsover
    • Your experience is meaningless

      [i]After 17 years in *NIX, I have yet to battle a threatening virus or worm.[/i]

      This is like saying "After 17 years in Egypt, I have yet to encounter a case of frostbite". Would that convince you that Egyptians are immune to frostbite?

      Worms and viruses, ESPECIALLY ones that rely on email/IM to spread, thrive on very large numbers of poorly administered home user machines. There has never, in the history of the world, been a very large *NIX network of home user machines. MacOSX is as close as it comes but if I can only target 1 platform, I will go after the platform that lives on 95% of home machines, not the one with only 5%. Those that say "well, why don't 5% of the worms target OSX?" need to ask themselves if the equation must be linear. Just because 5% of men like wearing bras (sickos!) doesn't mean that 5% of bra advertising will be targeted towards men with fetishes!

      So to answer your question: "Does that PROVE anything?" I don't know, it depends on if you think Egyptians are immune to frostbite! Now, speaking of global warming...

      FYI: After 17 years in MS land (starting with MS-DOS), I too have yet to battle a threatening virus or worm.
      NonZealot
      • All OS's are imperfect...still that does not mean that

        one might be more secure than another or in other words better.
        The fact that everything made by man is likely to be flawed does not
        mean that one thing made by man will be equally flawed as another
        thing made by man. It is likely that flaws, like people, will vary.

        Heck, even things made by God are flawed; look at the human
        eye...it is not perfect or flawless, and even more obvious...Poodles!!!

        Pagan jim
        Laff
      • Your argument doesn't hold water

        I really hate the "Windows has 95% of the market, thus that's where all the worms, viri, etc. are" argument.

        First of all, of actual machines in use, Windows has far less than 95%. It's actually more like 80-85%. Remember, sales do not equate to machines in use. There are so many factors that skew the 'market share' numbers in Windows favor that it's totally inaccurate to depend on them, but that's another topic.

        Second, hackers and virus writers that really wanted to be famous and cause a lot of problems would go after web servers. And what platform is used for a far majority of web servers? Unix based systems! So, why don't they go after those? I'm not saying it's impossible. What I am saying is that it's far easier on Windows and next to impossible on Unix to cause a lot of damage and problems. Thus, Windows is the focus. Unix (and Mac OS X included in that) is inherently more secure. That's a fact. I don't care what Windows supporters want to claim about market share and such.

        Finally, I wouldn't say this is all Microsoft's doing. In part, the problems are caused by the public's desire for backwards compatibility. In part, it is also due to the need to support eight billion little add-ons (both software and hardware). Apple had the advantage of a relatively small user base when switching to a totally new OS.

        Still, stop with the whole market share answer to virus, worm and adware problems. It's only a very small part of the reason.
        openMind
        • They do

          "And what platform is used for a far majority of web servers? Unix based systems! So, why don't they go after those?"

          They do, and quite often. Go check out Zone-H stats. And whether people like it or not, market share is the biggest reason for the amount of exploits towards a specific OS. Market share can't explain away success rates but does cause MS to be the largest target on the whole.
          IT Scion
          • Missed the point

            The whole point is success rate. I don't care how often someone tries to attack. If it rarely succeeds, you're well defended.

            Notice I didn't say they never try to attack the Unix systems. And Mac OS X is based on that same kind of secure system. So, they are inherently better protected. Not impossible.

            In the end, it is Windows' lack of strong security that gets it into trouble, not its market share.
            openMind
          • It's a numbers game

            The success rate is a simple numbers game in comparison to the amount of attempts. Looking at server share and pointing to that as the reason nix is more secure while almost all of the desktops in the world are running Win is simply not a sound argument. Maybe this will help.

            http://www.contractoruk.com/news/002139.html
            IT Scion
    • I always love to hear this one

      The "If *NIX was more popular, there would be more viruses" FUD

      Notice to ALL.. UNIX runs the internet!!! There are more UNIX servers in the wild than Windows servers. Get it through your thick skulls.
      FreeBSD
      • Maybe this will enlighten you a little.

        Since the vast majority of exploits hit the end user, server share is of less importance. Nothing to absorb into the skull on that one except simple math. Many articles point in the same direction as this one. It's not baseless and is a logical and sound argument. Blanketly stating server share on the net as any grounds for dismissal is misleading and not looking at the whole picture.


        http://www.contractoruk.com/news/002139.html
        IT Scion
    • Excuse me, but the point is way over there ------>

      It seems to me that you've missed the point about the issue about OS popularity versus OS vulnerability.

      While there may be issues about one OS being inherently less secure than another, the main point here is one of critical mass. Virus writers are going to go after the group where they will have the largest impact.

      It's been asked why they don't go after web servers as they are so prevalent. The answer here is quite simple.

      Corporate systems (both desktops and servers) are, as a general rule, far less susceptible to viruses as they tend to have more knowledgeable people managing them.

      Home PCs, however, are owned and operated largely by people who really don't have much of a clue about how the things work. This leaves them highly vulnerable, simply because they don't know any better.

      If people started moving en masse over to Linux or any other OS, you'd still have the same issues; those people who know better will have their machines well fortified, while those that don't will have a myriad of vulnerabilities that they aren't aware of.

      The problem really is that simple.
      ackitsme