[iwar] [fc:Microsoft.deflects.charges.of.worm.woes]

From: Fred Cohen (fc@all.net)
Date: 2001-09-20 20:02:46


Message-Id: <200109210302.UAA05221@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Thu, 20 Sep 2001 20:02:46 -0700 (PDT)
Subject: [iwar] [fc:Microsoft.deflects.charges.of.worm.woes]

Microsoft deflects charges of worm woes  
By Robert Lemos, CNET News.com, 9/20/01
http://news.cnet.com/news/0-1003-200-7231660.html

Microsoft refuted claims Wednesday that the main Web site for its
FrontPage software had been infected by the Nimda virus, despite the
antivirus software alarms set off by viewing the site. 

On Wednesday, several security experts believed that the software
giant--which has often put the responsibility on customers to patch
software holes--had apparently failed to patch at least one major
server. 

However, Christopher Budd, security program manager for Microsoft's
security response center, said that wasn't the case. 

"No one is being infected," he said.  "There is no code to infect
people."

According to Budd, a third-party content provider that apparently
created the elements for the FrontPage site had been infected by Nimda. 
The worm caused all the HTML files created by the third-party provider
to include the script that attempts to upload the worm--masquerading as
a file called "readme.eml"--to the browser's PC. 

However, even PCs with no antivirus protection wouldn't have been
harmed, because there was no file to upload. 

"It's an impotent reference," Budd said.  "For a PC to be infected by a
server, we have to have the script and the payload, but there was no
payload on the page."
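The distinction Budd draws above, a page carrying the injected script but no payload file beside it, is the check a site operator would want to run on their own content. The following script is an added example, not code from the article or from Microsoft or CNET: it scans HTML for a script block that references the "readme.eml" file the article names, and classifies each page as clean, an "impotent reference" (script present, payload absent) or live (script and payload both present). The HTML samples are constructed for illustration, the script body in them is a stand-in rather than the worm's actual code, and the function and file names are my own.

```python
"""Added example: classify HTML pages for the Nimda web-page vector.

Looks for a <script> block that references the payload file the article
names ("readme.eml") and reports whether the payload actually exists next
to the page. Sample pages below are constructed, not real site content.
"""
import re
from pathlib import Path
from typing import Dict, Optional

# Name of the payload file referenced by the injected script (from the article).
PAYLOAD_NAME = "readme.eml"

# Matches any <script ...>...</script> block; DOTALL lets the body span lines.
_SCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*>(?P<body>.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)


def find_payload_reference(html: str) -> Optional[str]:
    """Return the body of the first <script> block that mentions the payload, else None."""
    for match in _SCRIPT_BLOCK.finditer(html):
        body = match.group("body")
        if PAYLOAD_NAME in body.lower():
            return body.strip()
    return None


def classify_page(html: str, payload_present: bool) -> str:
    """'clean': no reference; 'impotent': reference but no payload; 'live': both."""
    if find_payload_reference(html) is None:
        return "clean"
    return "live" if payload_present else "impotent"


def scan_directory(root: Path) -> Dict[str, str]:
    """Classify every .htm/.html file under root (hypothetical helper).

    The payload is considered present when a file named PAYLOAD_NAME sits in
    the same directory as the page, which is where a relative reference in
    the script would resolve.
    """
    results: Dict[str, str] = {}
    for page in root.rglob("*.htm*"):
        html = page.read_text(errors="replace")
        payload_present = (page.parent / PAYLOAD_NAME).is_file()
        results[str(page.relative_to(root))] = classify_page(html, payload_present)
    return results


# Constructed samples; the "injected" script is a stand-in, not the worm's code.
CLEAN_PAGE = "<html><body><h1>Site</h1><script>var x = 1;</script></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Site</h1></body></html>\n"
    '<script language="JavaScript">/* stand-in */ window.open("readme.eml")</script>'
)

if __name__ == "__main__":
    print(classify_page(CLEAN_PAGE, payload_present=False))     # clean
    print(classify_page(INJECTED_PAGE, payload_present=False))  # impotent
    print(classify_page(INJECTED_PAGE, payload_present=True))   # live
```

Run `scan_directory(Path("/var/www"))` (or wherever the document root is) to get a per-page verdict; an "impotent" result still means the content was produced on an infected machine and should be replaced, even though visitors were not exposed.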

When the third-party provider copied the HTML file to Microsoft's
servers, the actual virus was left behind, protecting the software
giant.  While Budd insisted the server had not been infected, he would
not make the same claim for all of Microsoft's systems.  As of Wednesday
at 3:30 p.m.  PDT, Microsoft's Web site seemed to have been fixed. 

The close call with the Nimda worm had security experts criticizing the
software giant for not protecting customers against the virus.  "They
have talked about being the repository of users' information," said Greg
Shipley, director of consulting for network-protection company
Neohapsis, "but they have trouble keeping their own stuff secure."
Microsoft hosts all the security updates and patches for its products on
its site, making it a key destination for Windows users when a worm such
as Nimda hits the Internet. 

Nimda--which is "admin," the shortened form of "system administrator,"
spelled backwards--started spreading early Tuesday morning and quickly
infected PCs and servers across the Internet.  Also known as Readme.exe
and W32.Nimda, the worm is the first to use four different methods to
infect not only PCs running Windows 95, 98, Me and 2000, but also
servers running Windows 2000. 

The worm spreads by sending e-mail messages with an infected attachment,
scanning for and infecting vulnerable Web servers running Microsoft's
Internet Information Server software, copying itself to shared disk
drives on networks, and appending JavaScript to Web pages that will
download the worm to a surfer's PC when they view the page. 

It's the latest mode of distribution that many thought had affected
Microsoft.  Visitors to the software giant's FrontPage site apparently
became the target of the Nimda worm when the site attempted to upload
the code to their computers.  Luckily for them, the code was not there. 
That should be a small comfort to customers, said Neohapsis' Shipley. 
"Not only do they have an application-development history of having
massive security flaws," he said, "they have an operations history of
having flaws."

In August, Microsoft admitted that its Hotmail e-mail service had been
infected by Code Red. 

Microsoft isn't alone, however.  This time around, several Web servers
really were infected with the worm. 

In one case, the marketing site for fast-food chain Carl's Jr.  was
infected by the worm.  Several CNET News.com readers noticed the
compromised server when the site attempted to upload the Nimda worm to
their PCs. 

"That server is hosted elsewhere," said Daniel Baker, director of IT
security for parent company CK Restaurants.  "They are aware of the
problem and will have it resolved soon." Baker added that the worm had
not infected the company's own network. 

Another site, Wininternals.com, is also infected.  Readers should not
attempt to view the site without adequate antivirus protection and
without first setting their browser security to "high."

David Dittrich, senior security engineer for the University of
Washington and a computer forensics expert, believes software makers
such as Microsoft will need to be proactive about future security holes
and treat them like product defects. 

"Somehow, as the number of patches coming out is going up exponentially,
the word has to get out to a larger number of people to apply the
patches," Dittrich said.  Rather than post an advisory on a hard-to-find
Web site, software companies should contact customers to tell them to
update their software immediately, he said. 



------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:46 PDT