Zero-day holiday
Kelly Martin,
http://www.securityfocus.com/columnists/377?ref=rss

A few hundred million Windows XP machines lay vulnerable on the Web today, a
week after a zero-day exploit was discovered. Meanwhile, new approaches and
ideas from the academic world - that focus exclusively on children - may
give us hope for the future after all.

For this month's column I had planned to write a positive, cheerful article
on some of the ways security has advanced over the past year. But the
Microsoft zero-day vulnerability discovered on December 27th, 2005 has
caused much activity and stress in the security community, and therefore I
will first digress with some short commentary. There are some great things
happening in the world of computers and networks, but today's Windows XP
security response isn't one of them.

0-day holiday

With the Windows XP WMF vulnerability and exploit discovered on December
27th, we are all faced with a very difficult situation. Incredibly, most of
the world's computers have been suddenly found vulnerable to massive data
theft and criminal use when they reach out onto the Internet - ripe for
exploitation with great ease, even by unskilled hackers. How simple this is
to do on a web page or through email, here at the beginning of 2006, is just
astonishing. While there have been many unpatched vulnerabilities for
Windows over the years, some with effective exploits available, nothing
quite reaches the magnitude of the situation we're in today.

Microsoft customers are in big trouble. In my time at SecurityFocus, I have
never seen such potential for damage or such a far-reaching vulnerability.
The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and
its variants. Blaster alone infected more than 25 million machines. Today we
have an exploit that can elude even anti-virus and IDS sensors and
compromise a system very easily. It's frightening. In some ways, it's also
much worse - and much easier to infect machines with strong border security.
Even without an email-borne virus I anticipate the WMF vulnerability is
going to create greater waves than Blaster when all is said and done. A
single wrong click, even by an experienced security professional, and it's
game over. A simple search in Google and one click is all it takes.

A week after the zero-day vulnerability bit one of the world's most
influential software companies hard, we're told it will be still another week
until there is a fix. Based on the severity of this issue, the time delay is
unacceptable. Installing the unofficial patch is highly recommended. But
what else can we do?

Microsoft needs help from the security community. The community needs to
help Microsoft and Microsoft customers now more than ever. I truly believe
that millions of computers - perhaps tens of millions - are being
compromised by criminals right now. These include computers inside
government, military, and scientific installations. And millions of home
computers. Pretty much anyone who can reach the Web, receive email or
instant messages is vulnerable. Actual numbers and damage estimates, if they
are ever known, will follow in the weeks and months.

We encourage readers to use our free mailing lists - including Bugtraq - to
share information on workarounds to this problem, and how these can be
applied in your environment. As one of the cornerstones of the security
community, we encourage you to ask the hard questions and do whatever it
takes to protect the networks you work on from today's massive Windows XP
exploit threat.

Let us hope that law enforcement and politicians take note of this situation
in the weeks and months that follow, and craft (or enforce) legislation and
risk management that might help. Now, onto more positive things.

21-day holiday

With nothing positive to say about today's zero-day Windows exploit
situation, I'd like to look at the bright side of computers, networks and
security for a moment.

A few months ago at the United Nations' World Summit, the brilliant
researchers and visionaries at MIT and the MIT Media Lab showed a prototype
of a robust, inexpensive green computer - a $100 laptop for every child,
complete with a hand-crank for power. Widely covered in the media, this is
one of the greatest initiatives I have ever seen to help spread education
and knowledge - in a safe and secure environment - to some of the world's
poorest children through the use of computers. I've been watching this with
great interest since it was first announced a year ago.

MIT's Nicholas Negroponte made a passionate speech about the importance of
education in the developing world, and how a new ubiquitous, inexpensive
communication and learning tool known as the $100 computer can make a major
difference in the lives of the poorest of the poor. I found it interesting
that when asked about the details of the technology behind the $100
computer, Negroponte repeatedly dodged the technology and focused on the
aspect of education and learning. Having traveled extensively across a few
of the world's poorest countries myself, I believe that this device can
indeed have a major impact on education. But how does this relate to
security?

Perhaps one of the most refreshing aspects of the $100 computer is that I
believe (and perhaps, hope) there will be no major security issues exploited
on those systems. Absolutely none. That is, none except the ones the
children find themselves. No, I'm not naïve enough to suggest that there
won't be vulnerabilities. Instead, I have to believe that a community of
children could not possibly be researched, exploited and attacked by
nefarious computer researchers or even criminals. Despite some of the
terrible things that happen in our online world - including the fallout from
the past week's massive zero-day Windows XP vulnerability - I would hate to
ever meet someone in real life whose goal is to compromise a poor child's
$100 computer. Let's see the bright side of security, assuming there is one,
and consider the "green computer" as a refreshing and novel concept.

The other fascinating technology found in the $100 computer is its wireless
mesh networking, first developed at MIT's Media Lab. This sort of organic
proximity network and "viral broadband" (PDF) can be used to build an ad-hoc
communications system, and could one day revolutionize social networks and
the way people communicate - much like the Internet itself. It's ideally
suited to use TCP/IP and can be highly effective even in parts of the world
where the Internet does not yet exist.

365-day holiday

I have been trying to discover some middle ground between the pristine
vision of the "green computer" for every child and Bill Gates' dream of a
personal computer on every desktop - not two entirely different visions, I
might add. As a visionary and a respected, powerful leader, Gates made his
dream come true - and without any foresight into security, we are faced with
the massive exploitation of the zero-day vulnerability we have today. Not
only did Gates' great vision make him the world's richest man in the
process, it also made him one of the most generous - with an incredible $28.8
billion in the Bill & Melinda Gates charitable foundation, here is a
man who truly makes a difference in our world. With such good intentions,
it's too bad his software is so often found vulnerable to malicious use.

It is with some irony, therefore, that most of the world's computers run
Gates' software but are now terribly vulnerable to exploitation, digital
theft and criminal activity even as I write this. Hundreds of millions of
computers are vulnerable to the whims of just about any website owner, virus
writer, or hacker with malicious intent. I can think of a thousand different
ways to lure someone into full system compromise using this zero-day
vulnerability - and I don't think this is the vision Gates had ever dreamed
of.

Contrast this with the vision of MIT's $100 computer - and the view of it as
an extremely safe, secure place for children to learn and grow. The goal is
to build hundreds of millions of these machines too. It's unlikely that
Gates would support it, though, as it will be running a flavor of Linux on
AMD. It's unlikely that Intel will support it as well, which might be the
reason why they are one of the few organizations openly critical of MIT's
initiative. I hope both can step back from the technology for a moment, just
as Negroponte has done, and just focus on the betterment of the world
through children, for a change.

On the surface, the MIT green computer and the Microsoft Windows XP computer
seem to be entirely different, and in many ways they are. They take
radically different approaches to what is, ironically, the same goal: using
technology to make the world a better place. We've seen what happens with a
monopoly of like systems designed around the legacy and poor security of
yesteryear; let's hope the upcoming MIT computer for children offers us a
glimpse of a much more secure and socially responsible world.


