A new study released last week by the SANS Institute’s Internet Storm Center found that an unpatched computer running Windows XP will be compromised in under 5 minutes if directly connected to the Internet. German PhD candidate and co-founder of the German Honeynet Project, Thorsten Holz, found during his tests that it takes closer to 16 hours for an unpatched PC running Windows to be compromised. In either case, this is bad news.
One could argue with their methodologies, and in fact the conclusions aren’t all that surprising given the configuration of the PCs. First, the PCs were installed with Windows XP without any service packs or security updates. That basically makes each system equivalent to one installed in 2001, when Windows XP was first released. During the past 7 years numerous worms have been written that take advantage of vulnerabilities in Windows XP, including Sasser, Bagle and Blaster, to name a few. There is little doubt that it is one of these worms that is compromising the unpatched systems.
The second issue contributing to the quick compromise of the systems in this study is the fact that they are directly connected to the Internet. This means there is no firewall in front of them to protect them from the worm attacks. That configuration is rare in corporate environments and even in many homes. Nearly all companies use firewalls today, as do many home users. Doing so provides a level of protection from infected hosts attempting to worm their way into other vulnerable systems.
It seems clear that patching is an absolute necessity in today’s world. If managing an enterprise network, use patch management tools to keep the systems patched. Home users should take advantage of Windows Automatic Update. Enabling this feature ensures the PC downloads the latest operating system security patches when they are released and helps keep it safe from many of the threats on the Internet today. But don’t stop there: every application installed on the computer must also be kept up to date on patches, because vulnerabilities in third-party applications can also lead to system compromise. This includes applications such as Adobe Acrobat Reader, Microsoft Office, Java, IM clients, Skype, and any other software installed on the machine. Attackers are increasingly targeting these applications because vulnerabilities in Windows are getting harder to find and even harder to exploit.
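As an added illustration of the controls this post recommends (not code from the original article), the following PowerShell script is a read-only audit of a Windows host: is Automatic Updates turned on, is the update service running, when did the last hotfix land, and is the host firewall enabled on every profile. It assumes a Windows 8 / Server 2012 or newer host for Get-NetFirewallProfile (older systems fall through to UNKNOWN), an elevated PowerShell session, and the documented Windows Update Agent registry locations; the 45-day staleness threshold is an arbitrary value chosen for the example.

```powershell
# Added example, not part of the original article. Read-only audit of the
# patching and firewall posture the post recommends. Run elevated.
$report = [ordered]@{}

# 1. Automatic Updates configuration. AUOptions values (Windows Update Agent):
#    1 = never check, 2 = notify before download, 3 = auto download and notify
#    before install, 4 = auto download and schedule install.
$auPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',                 # GPO-managed
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'  # local setting
)
$auOptions = $null
foreach ($p in $auPaths) {
    if (Test-Path $p) {
        $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $v) { $auOptions = [int]$v; break }
    }
}
if     ($auOptions -eq 4) { $report['AutomaticUpdates'] = 'OK: automatic download and install' }
elseif ($auOptions -eq 3) { $report['AutomaticUpdates'] = 'WARN: downloads automatically, install needs a user' }
elseif ($auOptions -eq 2) { $report['AutomaticUpdates'] = 'WARN: notify only, nothing downloads on its own' }
elseif ($auOptions -eq 1) { $report['AutomaticUpdates'] = 'FAIL: automatic updates disabled' }
else                      { $report['AutomaticUpdates'] = 'UNKNOWN: no AUOptions value (defaults or WSUS/MDM may apply)' }

# 2. The Windows Update service itself must be able to run.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$report['UpdateService'] = if ($wu) { $wu.Status.ToString() } else { 'missing' }

# 3. Patch level: newest installed hotfix and how stale it is.
$staleDays = 45   # assumed threshold for this example
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    $report['LastHotfix']     = "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
    $report['DaysSincePatch'] = [int]$age.TotalDays
    $report['PatchStatus']    = if ($age.TotalDays -gt $staleDays) { "WARN: no hotfix in over $staleDays days" } else { 'OK' }
} else {
    $report['PatchStatus'] = 'FAIL: no hotfixes recorded on this host'
}

# 4. Host firewall: the post's point is that an unfirewalled host is exposed to
#    worm traffic, so every profile (Domain, Private, Public) should be enabled.
$profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
if ($profiles) {
    $disabled = $profiles | Where-Object { $_.Enabled -eq 'False' } | Select-Object -ExpandProperty Name
    $report['Firewall'] = if ($disabled) { "FAIL: disabled on $($disabled -join ', ')" } else { 'OK: enabled on all profiles' }
} else {
    $report['Firewall'] = 'UNKNOWN: Get-NetFirewallProfile unavailable on this OS'
}

[pscustomobject]$report | Format-List
```

The script only reads registry values, service state and WMI hotfix data, so it is safe to run across a fleet; feeding its output into whatever patch management or inventory tool the enterprise already uses is the natural next step. Note that Get-HotFix reports Windows updates only, so the third-party applications the post lists (Acrobat Reader, Office, Java, IM clients) still need their own update mechanisms checked.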
Sounds like a lot of work, doesn’t it? Well, it is. And in my next article I will discuss why this patch-and-pray model is flawed.