Every method of attack for the latest scourge of the Web, the
Nimda worm, was identified long ago and fixes were provided
by Microsoft. My own system was barraged by the new worm today
but I wasn't infected at all, because I keep my system up to
date. In this case, I wouldn't have had to be completely up
Current service packs and the Outlook Security Update (which
is over a year old) would have prevented infection. I wouldn't
even have needed to run antivirus software (of course, I'm not
stupid, so I do run it).
Incidentally, Outlook XP includes this prevention, so no Outlook
XP users were vulnerable to the e-mail attacks. In the case
of Code Red, Microsoft had released a fix well before the virus
hit and publicized the problem and fixes heavily, and still
people didn't apply them.
So, the big question in my mind: Why do so many users choose
not to apply security updates that are free and that prevent
I asked around about this, and got answers that I mostly found
discouraging. Vincent Weafer, Senior Director of Symantec Security
Response, feels that many home users don't know about such patches
or how to get them. As someone deeply involved in the computer
industry I had to consider this a little while before I could
accept this, but it is true.
The mainstream press reports bugs such as Nimda and will sometimes
say that you should have antivirus software running, but never
do they say that a free fix for the problem has been available
for a year. I don't expect them to. Even the trade press, us
included, almost never mentions these fixes.
Believe it or not, Windows XP will do a lot to help this situation
through its automatic
update feature, which checks the Windows Update Web site
periodically and (depending on the user's configuration) either
automatically updates the system or offers to install the updates.
Most new antivirus packages, including Symantec's new Norton
Antivirus 2002, also automatically check for new virus definitions.
But most home users don't run updated antivirus software,
and it will be a long time before they run Windows XP. That's
one reason why I'm discouraged. What's even worse, though, is
the number of system administrators who don't apply crucial
patches. One of the big issues here is that Windows NT Server
and Windows 2000 Server both install IIS by default, and many
administrators didn't even know they were running it, at least
not on all the servers they thought.
When you think about it, keeping up with security patches
should be a very important job, but there must be an awful lot
of servers that get no such maintenance on the old "if it ain't
broke don't fix it" theory. I wonder about the security of several
Web sites I run on various hosting services, where it's someone
else's job to keep up with the patching. But do they? I have
to wonder, especially since many of the patches would require
rebooting servers that host hundreds of Web sites.
Scott Culp, Manager of Microsoft's Security Response Center,
says that Microsoft has done a good job of providing and publicizing
fixes and information about them, and I have to agree that they've
done what they could do. Go to Microsoft's
TechNet Security page and you'll find lots of tools and
information. You can sign up for a mailing list to receive notification
of new vulnerabilities and fixes; on this list I found out about
the Code Red vulnerabilities and fixes at least a month before
Code Red hit. But Culp agrees that Microsoft needs to provide
better tools. The easier they can make keeping up with patches,
the more people will take advantage of them.
In the case of Nimda, it's hard to know what more they could
have done. Windows NT 4 Service Pack 6a, Windows 2000 Service
Pack 2, and Service Pack 2 for Internet Explorer 5.01 and 5.5
(or 6) would have blocked avenues of infection. All of these
have been out for a while. (Interestingly, the Microsoft Web
site says that there is no fix for IE4 and it sounds like they
have no intention of testing IE4. (If you're running IE4, upgrade
There are two new tools you absolutely should run. Microsoft's
Security Advisor analyzes your desktop system and tells
you what vulnerabilities you have and how to fix them. It can
overreact in some cases; for example, if you've got an open
file share you will receive a dire warning about it, but access
to that share may be blocked by an external firewall. You'll
need to analyze the results based on your own circumstances.
Less flashy but far cooler is HFNetChk.
This is a command-line tool that downloads a list of patches
from Microsoft's site and compares it to what's installed on
your system. It then lists the Microsoft Knowledge Base codes
for any patches not installed on your system. Best of all, you
can run it from a central location and scan the patch status
for all systems on a network. It checks NT4, Win2K, all Win2K
services (such as IIS), SQL Server, and IE5 and above.
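The comparison HFNetChk performs, sketched as an added illustration (not Microsoft's tool, its data format or its output): a baseline of required hotfixes per product, an inventory of what each host has installed, and a report of the Knowledge Base codes missing on each host, scanned across a whole network in one pass. Product names, service pack numbers and KB codes below are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Required:
    product: str           # product the hotfix applies to, e.g. "NT4", "IIS5"
    kb: str                # Knowledge Base code identifying the hotfix
    superseded_by_sp: int  # service pack that rolls the fix in; 0 = none yet

@dataclass
class Host:
    name: str
    products: dict[str, int]               # product -> installed service pack
    hotfixes: set[str] = field(default_factory=set)

# Constructed baseline with placeholder KB codes (a real one is published by the vendor).
BASELINE = [
    Required("NT4",   "KB-A", 0),   # not in any released service pack
    Required("NT4",   "KB-B", 6),   # rolled into a later NT4 service pack
    Required("Win2K", "KB-C", 3),   # still needed at the SP level in the inventory
    Required("IIS5",  "KB-D", 0),   # IIS tracked as its own product line
]

def missing_patches(host: Host, baseline: list[Required] = BASELINE) -> dict[str, list[str]]:
    """Return {product: sorted missing KB codes}, only for products the host runs.

    A hotfix is missing when the installed service pack does not already
    include it and the hotfix itself is not recorded as installed."""
    missing: dict[str, list[str]] = {}
    for req in baseline:
        if req.product not in host.products:
            continue                                   # product not installed here
        sp = host.products[req.product]
        rolled_in = req.superseded_by_sp and sp >= req.superseded_by_sp
        if not rolled_in and req.kb not in host.hotfixes:
            missing.setdefault(req.product, []).append(req.kb)
    return {p: sorted(kbs) for p, kbs in missing.items()}

def scan_network(hosts: list[Host]) -> dict[str, dict[str, list[str]]]:
    """Run the comparison across every host; fully patched hosts are omitted."""
    return {h.name: m for h in hosts if (m := missing_patches(h))}

# Constructed inventory; web01 runs IIS, the case the column says admins overlook.
HOSTS = [
    Host("dc01",  {"NT4": 5}),
    Host("web01", {"Win2K": 2, "IIS5": 2}, {"KB-C"}),
    Host("ws07",  {"Win2K": 1}),
    Host("dc02",  {"NT4": 6}, {"KB-A"}),    # current: SP covers KB-B, KB-A applied
]

if __name__ == "__main__":
    for name, gaps in scan_network(HOSTS).items():
        for product, kbs in gaps.items():
            print(f"{name}: {product} missing {', '.join(kbs)}")
```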
But for all that HFNetChk does, you immediately see all the
things it doesn't do. It tells you that you have a problem,
but it doesn't do much to help you fix it. If it were to give
you an interface from which to download and install the missing
patches, that would be very cool. I'm sure Microsoft is working
on it, but this is important and I certainly hope it's a top
priority there. In the meantime, it would help if they made
more interim rollup patches, which are bundles of all patches
released since the last service pack and which make the patching
process more convenient. Perhaps the patches themselves should
call HFNetChk so that you know what work is left to do. In general,
anything that makes it easier to apply patches is a good thing.
Another thing Microsoft needs to do is to find better solutions
for modem users. Some of these patches are very large, and I
can see why a 28.8 user would get discouraged. Perhaps they
should make "tune-up" disks with all the current patches and
send them out through all the usual channels.
The sad truth is that security deserves greater importance
than most people are willing to give it. It's also a multi-layered
problem: Antivirus apps and firewalls and OS patches are all
important. Even though all of these can prevent some security
problems, having one solution doesn't eliminate the need for
the others. But at the very least, use the free tools and fixes
that Microsoft provides to protect yourself against known problems.
Larry has written software and computer articles since 1983.
He has worked for software companies and IT departments, and
has managed test labs at National Software Testing Labs, PC
Week, and PC Magazine.