Security Watch

Microsoft Patches: Between a Fix and a Hard Place

Plus: Symantec details global Internet threats; Metasploit sells out; Conficker rumbles.

• By Jabulani Leffall
• 04/20/2010

When dealing with some patch installations, Microsoft is between a fix and a hard place.

If Redmond patches an infected machine and the machine freezes up, Microsoft gets blamed. If they don't patch a machine and it gets infected with a Windows bug, Microsoft gets blamed. If the patch technology detects an infected machine and for that reason doesn't patch it and the bug stays on the workstation, Microsoft, once again, gets blamed.

This is how always-opinionated security and software guru Phil Lieberman of Lieberman Software laid it out for me. Lieberman, along with other security experts continue to say Microsoft wants to jump on any potential Blue Screen of Death (BSOD) or operating system freezes causing a blank blue screen when the patch is installed on an infected system.

Redmond said last week that detection logic configured in its April patch for the Windows kernel will prevent installation on machines infected with a computer virus.

Security experts believe Microsoft is acting preemptively because rootkits tend to take root in the OS, particularly where the kernel is involved. And once there, rootkits can create nearly irreversible mischief. Rootkits such as Alureon corrupt the core OS kernel and hide among bits of core processing code.

The software giant isn't taking any chances with the latest Windows kernel patch but stopped short of saying Alureon is the culprit, as was the case in February. Redmond only identified "abnormal conditions on a system" that could be the result of an infection with a computer virus that modifies some operating system files. This, according to Redmond, renders the infected computer incompatible with the most recent kernel update.

Symantec Details Internet Threats
America has once again retained a dubious top distinction: the country with the most malicious Internet activity. So says the Symantec Global Internet Security Threat report.

A few highlights:

• Bugs in browser-based applications (Internet Explorer, Mozilla Firefox, Safari, Chrome etc.) represent the fastest proliferation of IT security risks.
• Corrupt code, sold and distributed on the Internet, is becoming not only more widely available – 2.9 million new threats were developed last year in code form – but also "more complex and dangerous" through mutation.
• Manually patching computers to protect them from each new vulnerability is now a losing battle due to the growth of malware kits, Internet threats and various client side vectors along with the growth of zero-day exploits.
• Biggest increase in malicious code was concentrated in Europe, the Middle East and Africa.

The report says that the area of the world in the last item, commonly known as the "EMEA" region, now leads the world in the overall volume of new viruses, worms and Trojans created -- now, that's one big shift in the threat landscape.

Metasploit Goes Commercial
Back in October when Rapid7, a vulnerability management company, announced that it had acquired H.D. Moore's Metasploit Project for an undisclosed amount, I knew it was only a matter of time before the open source exploit and bug database would be flipped for a profit.

That time is near. This week, Rapid7 is expected to announced a new product called Metasploit Express, which will be the first commercial version of Metasploit Framework. Rapid7 said in an e-mail that it is targeting "security professionals who have limited time and even more limited budgets."

No word on price, but Metasploit Express is being billed as a user-friendly way to test network environments for "real security threats." The company stressed that by and large Metasploit, started by Moore as a community project for discourse on vulnerabilities, is still by and large an "open source, community project." To that end Metasploit 3.4, which Rapid 7 is also announcing, will include new enhancements provided by the users of the open source program in that community.

China: The Conficker Epicenter
In 2008 and 2009, I made frequent visits to mainland China, mostly Shanghai. The one thing that struck me about riding in city taxi cabs is that almost none of the taxis I hailed had seatbelts at all. A greater number, I've heard from other expatriates and locals, have only meager straps that don't really measure up to working seatbelts. I thought about this when I came across some malware statistics for the People's Republic this week.

Similarly, it seems PC safety, like taxi passenger safety, isn't a really that high a priority. PC users and cabbies alike over there are kind of just winging it. There are an estimated 17 million PCs with no antivirus or security software, according to a survey by China Internet Network Information Center and China's National Computer Network Emergency Response Technical Team.

It's probably why China, according to another CNCERT report, had about 7 million Internet Protocol addresses infected with Conficker B at the end of 2009. The number of infections varied during the second half of the year. Given the fact that there is no anti-virus software a lot of these infected PCs, the Conficker iterations are still lying dormant on millions of personal and enterprise workstations in China, according to the report.

Overall, the report points out that China hosted one in four of the world's Conficker-laced computers in the last half of 2009. There is now concern that the worm's authors may still call-up Conficker B on these computers and trigger a denial-of-service or lockout attack by ordering all of the computers to contact a victim server at the same time. Some of these victim servers are in countries such as the U.S. This could become a major issue on a global network. Such a pied piper event had been expected to jump off last year but the hoopla died down, which may turn out to be what Conficker's authors want.

I would say buckle up but, it's kind of late in the game for that. We'll have to wait and see.