It’s been the toughest year on record and it started badly. In January 2003, system administrators running Microsoft systems were caught off guard when the devastating MS SQL Slammer worm hit the Internet at a speed never previously seen.
Slammer exploited an older vulnerability in Microsoft SQL Server and MSDE, for which Microsoft had issued a patch in July 2002.
MS SQL Slammer is not only the fastest worm to hit the Internet to date, it is probably also the smallest and most disruptive. A mere 374 bytes in size, it didn’t carry a malicious payload but merely infected other vulnerable systems. Even so, it managed to bring major disruption to the Internet’s infrastructure, cutting off large ISPs, multinational corporations, and even entire countries.
After the SQL Slammer attack, with media attention regarding the need to patch ringing in their ears, many companies moved patching up the list of priorities. It remains to be seen how long-term this change of heart turns out to be.
In June, Microsoft released a patch to fix a severe vulnerability in the RPC DCOM service, but not everyone responded in time. Three weeks later, a brutal worm, Blaster, started infecting consumer PCs around the globe. At first, businesses seemed to be protected by their perimeter firewalls, but it soon became apparent that employee home PCs and laptops were picking up the worm outside the network and then transporting it behind the perimeter defences – in effect acting as human Trojans.
Overall, in the first six months of the year, it seemed as if Microsoft's trustworthy computing initiative was bearing fruit as only 17 different Microsoft advisories were released. Since then, however, there have been a total of 43 Microsoft advisories. In particular, the handling of the Object Data flaw did not exactly promote trustworthy computing as Internet Explorer users were left vulnerable for more than three weeks after the initial patch proved inadequate.
Note that the number of vulnerabilities is significantly larger than the number of advisories, as certain things are fixed silently and most advisories fix multiple vulnerabilities discovered by various security researchers.
Looking to 2004
There is no reason why 2004 should be any better than 2003, even allowing for the fact that system administrators are getting better at installing patches and securing their systems. Unfortunately, too many companies just don't pay enough attention to this and decide to manage the increased number of incidents as best they can rather than eliminating the underlying threats.
It is likely that we will see two to three large-scale worms similar to MS Blaster and MS SQL Slammer in the next year, as well as a number of smaller viruses and worms. Some of them are likely to exploit some of the recent Internet Explorer vulnerabilities to improve their ‘efficiency’.
Client security is an area where businesses need to improve in the future. Most businesses put great effort into protecting external server systems and their perimeter devices. However, too many don't realise that a client with a vulnerable sub-system such as a browser, mail client, IM client or RPC service may be an open door to malicious attackers and worms, regardless of the perimeter security.
In 2003, the media started reporting vulnerabilities more effectively, as well as promoting the need to patch or take other protective measures. This is good news because it promotes responsible IT security, rather than just responding to ‘sensations’ after the latest worm has infected systems on a large scale.
Hopefully, 2004 will be the year when administrators are inspired to start patching and monitoring for relevant security threats before they happen rather than reacting to them afterwards. By the time the press finds out, it can be too late.
Thomas Kristensen works for Secunia, an independent security research company based in Copenhagen.