Zero-day holiday
Kelly Martin
http://www.securityfocus.com/columnists/377?ref=rss

A few hundred million Windows XP machines lay vulnerable on the Web today, a week after a zero-day exploit was discovered. Meanwhile, new approaches and ideas from the academic world - that focus exclusively on children - may give us hope for the future after all.

For this month's column I had planned to write a positive, cheerful article on some of the ways security has advanced over the past year. But the Microsoft zero-day vulnerability discovered on December 27th, 2005 has caused much activity and stress in the security community, and therefore I will first digress with some short commentary. There are some great things happening in the world of computers and networks, but today's Windows XP security response isn't one of them.

0-day holiday

With the Windows XP WMF vulnerability and exploit discovered on December 27th, we are all faced with a very difficult situation. Incredibly, most of the world's computers have been suddenly found vulnerable to massive data theft and criminal use when they reach out onto the Internet - ripe for exploitation with great ease, even by unskilled hackers. How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we're in today. Microsoft customers are in big trouble.

In my time at SecurityFocus, I have never seen such potential for damage or such a far-reaching vulnerability. The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and its variants. Blaster alone infected more than 25 million machines. Today we have an exploit that can elude even anti-virus and IDS sensors and compromise a system very easily. It's frightening. In some ways, it's also much worse - and much easier to infect machines with strong border security.

Even without an email-borne virus I anticipate the WMF vulnerability is going to create greater waves than Blaster when all is said and done. A single wrong click, even by an experienced security professional, and it's game over. A simple search in Google and one click is all it takes.

A week after the zero-day vulnerability bites hard one of the world's most influential software companies, we're told it will be still another week until there is a fix. Based on the severity of this issue, the time delay is unacceptable. Installing the unofficial patch is highly recommended. But what else can we do?

Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever. I truly believe that millions of computers - perhaps tens of millions - are being compromised by criminals right now. These include computers inside government, military, and scientific installations. And millions of home computers. Pretty much anyone who can reach the Web, receive email or instant messages is vulnerable. Actual numbers and damage estimates, if they are ever known, will follow in the weeks and months.

We encourage readers to use our free mailing lists - including Bugtraq - to share information on workarounds to this problem, and how these can be applied in your environment. As one of the cornerstones of the security community, we encourage you to ask the hard questions and do whatever it takes to protect the networks you work on from today's massive Windows XP exploit threat. Let us hope that law enforcement and politicians take note of this situation in the weeks and months that follow, and craft (or enforce) legislation and risk management that might help.

Now, onto more positive things.

21-day holiday

With nothing positive to say about today's zero-day Windows exploit situation, I'd like to look at the bright side of computers, networks and security for a moment.

A few months ago at the United Nations World Summit, the brilliant researchers and visionaries at MIT and the MIT Media Lab showed a prototype of a robust, inexpensive green computer - a $100 laptop for every child, complete with a hand-crank for power. Widely covered in the media, this is one of the greatest initiatives I have ever seen to help spread education and knowledge - in a safe and secure environment - to some of the world's poorest children through the use of computers. I've been watching this with great interest since it was first announced a year ago.

MIT's Nicholas Negroponte made a passionate speech about the importance of education in the developing world, and how a new ubiquitous, inexpensive communication and learning tool known as the $100 computer can make a major difference in the lives of the poorest of the poor. I found it interesting that when asked about the details of the technology behind the $100 computer, Negroponte repeatedly dodged the technology and focused on the aspect of education and learning. Having traveled extensively across a few of the world's poorest countries myself, I believe that this device can indeed have a major impact on education.

But how does this relate to security? Perhaps one of the most refreshing aspects of the $100 computer is that I believe (and perhaps, hope) there will be no major security issues exploited on those systems. Absolutely none. That is, none except the ones the children find themselves.

No, I'm not naïve enough to suggest that there won't be vulnerabilities. Instead, I have to believe that a community of children could not possibly be researched, exploited and attacked by nefarious computer researchers or even criminals. Despite some of the terrible things that happen in our online world - including the fallout from the past week's massive zero-day Windows XP vulnerability - I would hate to ever meet someone in real life whose goal is to compromise a poor child's $100 computer.

Let's see the bright side of security, assuming there is one, and consider the "green computer" as a refreshing and novel concept.

The other fascinating technology found in the $100 computer is its wireless mesh networking, first developed at MIT's Media Lab. This sort of organic proximity network and "viral broadband" (PDF) can be used to build an ad-hoc communications system, and could one day revolutionize social networks and the way people communicate - much like the Internet itself. It's ideally suited to use TCP/IP and can be highly effective even in parts of the world where the Internet does not yet exist.

365-day holiday

I have been trying to discover some middle ground between the pristine vision of the "green computer" for every child and Bill Gates' dream of a personal computer on every desktop - not two entirely different visions, I might add. As a visionary and a respected, powerful leader, Gates made his dream come true - and without any foresight into security, we are faced with the massive exploitation of the zero-day vulnerability we have today.

Not only did Gates' great vision make him the world's richest man in the process, it also made him one of the most generous - with an incredible $28.8 billion dollars in the Bill & Melinda Gates charitable foundation, here is a man who truly makes a difference in our world. With such good intentions, it's too bad his software is so often found vulnerable to malicious use.

It is with some irony, therefore, that most of the world's computers run Gates' software but are now terribly vulnerable to exploitation, digital theft and criminal activity even as I write this. Hundreds of millions of computers are vulnerable to the whims of just about any website owner, virus writer, or hacker with malicious intent. I can think of a thousand different ways to lure someone into full system compromise using this zero-day vulnerability - and I don't think this is the vision Gates had ever dreamed of.

Contrast this with the vision of MIT's $100 computer - and the view of it as an extremely safe, secure place for children to learn and grow. The goal is to build hundreds of millions of these machines too. It's unlikely that Gates would support it, though, as it will be running a flavor of Linux on AMD. It's unlikely that Intel will support it as well, which might be the reason why they are one of the few organizations openly critical of MIT's initiative. I hope both can step back from the technology for a moment, just as Negroponte has done, and just focus on the betterment of the world through children, for a change.

On the surface, the MIT green computer and the Microsoft Windows XP computer seem to be entirely different, and in many ways they are. They take radically different approaches to what is, ironically, the same goal: using technology to make the world a better place. We've seen what happens with a monopoly of like systems designed around the legacy and poor security of yesteryear; let's hope the upcoming MIT computer for children offers us a glimpse of a much more secure and socially responsible world.