Windows updates don’t normally feature highly on this blog… after all, they come along every month, you test them (perhaps?), install them, and leave things along for a few weeks. Sometimes there’s an out of band patch release and that ought to indicate that there is a significant problem that requires attention. So why have I been hearing so much over the last few weeks about the Win32/Conflicker.B worm with people panicking to update systems, install the latest AV updates, and generally try and catch up after being so lackadaisical in the first place?
Let me explain what I mean… according to an e-mail I received from Microsoft last week:
“Win32/Conficker.B exploits a vulnerability in the Windows Server service (SVCHOST.EXE) for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows 2008. While Microsoft addressed this issue in October with Microsoft Security Bulletin MS08-067, and Forefront antivirus and OneCare (as well as other vendorâ€™s anit-virus products) helped protect against infections, many systems that have not been patched manually through Server Update Services and Microsoft/Windows Update or through Automatic Updates have recently come under attack by this worm. Attacked systems may lock out users, disable our update services and block access to security-related Web sites:
In response to this threat, Microsoft has:
- Updated the January version of the [MSRT] to detect and remove variants of Win32/Conficker.B. You can download this version from the MSRT from either the Microsoft Update site or through its associated Knowledge Base article.
- Created the KB article 962007 ‘Virus alert about the Win32/Conficker.B worm‘ to provide public details on the symptoms and removal methods available to address this issue.
- Announced the release of the items and the virus threat itself on the Microsoft Malware Protection Center blog.
It is our hope that these resources can assist you in resolving issues with unpatched, infected systems and that you can apply MS08-067 to any other unpatched systems as soon as possible to avoid this threat.”
I’m sure there are some people who feel that applying updates is an intrusion, an unnecessary interruption into the day (these are probably the same people that advocate turning off user account control…). Others will claim that other operating systems don’t need patching so often (I don’t know about the frequency of updates but patches on my Macs always seem pretty big and Linux is in one big patch cycle as the open source model is one of continuous improvement). Personally, I’m glad that Microsoft settled down to a predictable monthly cycle and for those who think that’s a problem because it gives hackers a predictable timeframe for reverse engineering patches and attacking weaknesses in unpatched systems it’s all the more reason why every organisation’s IT security people should be ready to look at the update announcements on the second Tuesday of every month and then to act accordingly. And when a patch comes along outside that predictable schedule to consider that, yes it’s a pain in the neck, but it might just be important…
Which brings me back to the point. Conficker (also known as Downadup). As F-Secure put it:
“First â€” It was an out-of-band update.
Second â€” It was given an ‘Exploitability Index Assessment’ of ‘1 â€“ Consistent exploit code likely’.
That kind of speaks for itself, doesn’t it?
Third â€” It allows for Remote Code Execution, in numerous versions of Windows (particularly critical for 2000, XP, and Server 2003).
All of these combined factors equals something quite serious that should be patched as soon as possible. If you are having difficulties with Automatic Updates, the bulletin links to manual downloads.
It’s always a good idea to be ready for out-of-band updates. You can subscribe to Microsoft Security Notifications here.”
The other thing that this worm has awakened is corporate IT departments saying things like “how can we check that all our machines are updated with the Microsoft update and with the latest antivirus signatures?”. Well guys, there’s a feature called Network Access Protection (NAP) and it’s implemented in Windows XP SP3, Windows Vista and Windows Server 2008. Whilst you’ve all been bleating about how Vista is bad, perhaps you should have looked a bit further and seen some of the advantages it could bring. If you still can’t stomach a Vista upgrade because somehow you think that Windows 7 will be easier from an application compatibility standpoint (I have news for you…) or think that Microsoft and security in the same sentence indicates an oxymoron then there are plenty of third party endpoint security systems with similar controls…
Perhaps we need an outbreak like this from time to time to wake up the IT Managers and persuade them to spend some money on security improvements within the infrastructure.
Here endeth the lesson. Now go and update your systems.