Windows will be a security risk 'for years'

Microsoft's efforts to limit the damage from worms such as Blaster will not pay off for several years, according to security...

Microsoft's efforts to limit the damage from worms such as Blaster will not pay off for several years, according to security experts.

New Windows PCs will begin shipping with security switched on by default for the first time, with the release of Windows XP Service Pack 2 this summer, but it will take five or six years before such basic protections are common on the installed base of PCs, a Symantec executive claimed.

Such unprotected PCs are, increasingly, being used to spread worms such as Blaster and junk e-mail, usually without the PC owner's knowledge. A recent Symantec survey found that a system will, on average, receive a Blaster-generated packet of data within one second of connecting to the Internet.

"The threat will reduce slowly as we start to have security more widespread," said Nigel Beighton, Symantec's director of community defence.

"The industry has learned it has to ship technology with security switched on. But right now there are millions of Windows 98 users still out there, there is still a huge number of legacy PCs around, and it will take five or six years for that situation to change."

Last week, Microsoft revealed that the various flavours of Blaster worm have infected at least eight million PCs since it first appeared in August, based on data from its Windows Update. Security experts said the company is doing the right thing by making Windows PCs secure by default, but admitted such steps are only a beginning.

A major problem contributing to the spread of Blaster, Welchia and similar worms is that new PCs are still shipped with the flaws that allow them to spread, such as the Remote Procedure Call (RPC) flaw exploited by Blaster, analysts said.

"The Microsoft operating system ships unpatched," said Thomas Kristensen, chief technology officer of security firm Secunia. "If you go online with a broadband or dial-up connection to get the security updates, it's possible for Blaster to attack and infect your machine."

One solution would be for Microsoft or system manufacturers to add the security patches before selling a machine, but the decentralised, commodified nature of the PC industry would make this strategy difficult.

"Retailers could offer a secured PC with the updates installed, but consumers could always go and find a PC with a lower price where you have to upgrade it yourself," said Beighton. "In a commodity market, the consumer will always look for a bargain."

Rather than try to keep original equipment manufacturers up to date with security patches, Microsoft's move with SP2 will be to turn on security features such as Windows XP's built-in firewall, which will protect users from attacks such as RPC exploits.

This could have problems of its own, with some industry observers predicting it will lead to a huge upsurge in technical support calls; the firewall will block access to services that were previously available, such as game servers, unless it is reconfigured.

The move should make a difference, at least to buyers of new PCs. "Anybody who's bought an up-to-date machine in a year's time will be in a considerably better position than they are now," said Beighton, adding that the real problem are not the new PCs, but the millions of older machines still in use without protections or updates of any kind.

Even if these users are diligent, they will find it difficult to upgrade if they have a dial-up connection; Microsoft's service packs make the updates easier to download and install, but they only appear three to six months after a threat has materialised, Beighton said.

An alternative is Microsoft's patch CD program, allowing users to order a CD containing security updates for machines running Windows 98 and newer software. The CD is a one-off offering, and only contains patches up to October 2003, a Microsoft spokeswoman said.

Most users may not be that diligent. Symantec found that many worms continue to spread even after their built-in expiry date has passed, because the PC's clock has not been set properly. "That's how ill-administered they are," Beighton said.

Blaster and its ilk represent a major new trend that has emerged in hacking in the past three years or so, say security experts. Previously, attacks were carried out by individuals, but now the process has been almost entirely automated, with hackers sharing code that takes advantage of well-known exploits.

Seventy per cent of vulnerabilities in 2003 required no new exploit code, up from 60% in 2002, according to a Symantec threat report published last month. Blended attacks such as Blaster - which combine the characteristics of viruses, worms, Trojan horses and malicious code with vulnerabilities to spread an attack - are, increasingly, exploiting back doors left by previous worms.

This year, the Doomjuice and Deadhat blended attacks both made use of the back door left by MyDoom in January 2004, Symantec said.

Matthew Broersma writes for

Read more on Microsoft Windows software