I work in the Asia Pacific branch of one of the big 3 global IT outsourcers and I'd like to share an opinion on Sasser and this article in particular.
Microsoft has gotten off the hook with the media in regards to this issue quite nicely. To remind those that have forgotten: several months back Microsoft switched from releasing security patches as they were required to holding onto them and then releasing them in monthly installments. When do you want to feel secure? Now or later?
My take is that this move to release the patches in monthly installments is a PR exercise rather than one that is designed to help users and administrators. This was taken one step further in the latest round of patch releases where Microsoft bundled many fixes into just a few patches. These patches were essentially 'security rollup packs' or mini 'service packs'. When one patch changes so many things it increases the chances of the patch causing trouble with a given configuration. If a problem is found then the fixes for the - say - 8 vulnerabilities cannot be applied due to an issue with the fix for just one of them. How this new patch roll up system protects end users I can't quite understand.
My problem with the article stems from the implication that companies - and by extension their IT service partners - are 'idiots' and 'dumb'.
Take a look at these two links as to why the MS04-011 patch was not applied immediately across the board:
http://support.microsoft.com/default.aspx?kbid=841384
http://support.microsoft.com/default.aspx?kbid=841382
Now imagine that you are a virus writer and you now have details on many security issues in Microsoft OSes that are addressed by 3 newly released critical patches.
If you want your worm to last longer and spread faster, wouldn't you choose to exploit one of the holes fixed in the patch that MS has told its customers 'could cause issues with certain configurations'? I would.
Bear in mind also that the spread of this worm might be lower due to the increased adoption of firewalls following the spread of previous worms. I can tell you that even though broadband uptake in the Asia Pacific region is climbing, most configurations shipped involve NAT-based firewalled routers. So even though the potential for spreading is higher due to the faster connection speed, many users simply aren't being infected like they used to be.
It has been reported that eEye - the security firm who discovered several of the vulnerabilities that have been addressed with this new round of patches - reported some of the issues to Microsoft over 6 months ago. So not only do we have an issue where underground knowledge of these holes may have existed for at least that period of time, we also now have a fix that cannot be safely applied to certain configurations and an exploit in the wild that is spreading rapidly.
Ultimately my corporate customers will make a judgement on how Microsoft has progressed with their "Trustworthy Computing initiative" and will decide whether to migrate to alternatives to Microsoft that are deemed more secure by a growing majority.
I realise that this 'comment' has ended up being larger than the initial article, but I hope that it's short enough for you to post if you see fit. Feel free to publish my name if you wish. Keep up the good work with the Inquirer. It's one of my daily destinations.
Regards,
Paul Jansen