原始连接:
http://www.securityfocus.com/columnists/377
For this month’s column I had planned to write a positive, cheerful article on some of the ways security has advanced over the past year. But the Microsoft zero-day vulnerability discovered on December 27th, 2005 has caused much activity and stress in the security community, and therefore I will first digress with some short commentary. There are some great things happening in the world of computers and networks, but today’s Windows XP security response isn’t one of them.
0-day holiday
With the Windows XP WMF vulnerability and exploit discovered on December 27th, we are all faced with a very difficult situation. Incredibly, most of the world’s computers have been suddenly found vulnerable to massive data theft and criminal use when they reach out onto the Internet - ripe for exploitation with great ease, even by unskilled hackers. How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we’re in today.
Microsoft customers are in big trouble. In my time at SecurityFocus, I have never seen such potential for damage or such a far-reaching vulnerability. The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and its variants. Blaster alone infected more than 25 million machines. Today we have an exploit that can elude even anti-virus and IDS sensors and compromise a system very easily. It’s frightening. In some ways, it's also much worse - and much easier to infect machines with strong border security. Even without an email-bourne virus I anticipate the WMF vulnerability is going to create greater waves than Blaster when all is said and done. A single wrong click, even by an experienced security professional, and it’s game over. A simple search in Google and one click is all it takes.
A week after the zero-day vulnerability bites hard one of the world’s most influential software companies, we’re told it will be still another week until there is a fix. Based on the severity of this issue, the time delay is unacceptable. Installing the unofficial patch is highly recommended. But what else can we do?
Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever. I truly believe that millions of computers - perhaps tens of millions - are being compromised by criminals right now. These include computers inside government, military, and scientific installations. And millions of home computers. Pretty much anyone who can reach the Web, receive email or instant messages is vulnerable. Actual numbers and damage estimates, if they are ever known, will follow in the weeks and months.
We encourage readers to use our free mailing lists - including Bugtraq - to share information on workarounds to this problem, and how these can be applied in your environment. As one of the cornerstones of the security community, we encourage you to ask the hard questions and do whatever it takes to protect the networks you work on from today’s massive Windows XP exploit threat.
Let us hope that law enforcement and politicians take note of this situation in the weeks and months that follow, and craft (or enforce) legislation and risk management that might help. Now, onto more positive things.
21-day holiday
With nothing positive to say about today’s zero-day Windows exploit situation, I’d like to look at the bright side of computers, networks and security for a moment.
A few months ago at the United Nation’s World Summit, the brilliant researchers and visionaries at MIT and the MIT Media Lab showed a prototype of a robust, inexpensive green computer - a $100 laptop for every child, complete with a hand-crank for power. Widely covered in the media, this is one of the greatest initiatives I have ever seen to help spread education and knowledge - in a safe and secure environment - to some of the world’s poorest children through the use of computers. I've been watching this with great interest since it was first announced a year ago.
MIT’s Nicholas Negroponte made a passionate speech about the importance of education in the developing world, and how a new ubiquitous, inexpensive communication and learning tool known as the $100 computer can make a major difference in the lives of the poorest of the poor. I found it interesting that when asked about the details of the technology behind the $100 computer, Negroponte repeatedly dodged the technology and focused on the aspect of education and learning. Having traveled extensively across a few of the world’s poorest countries myself, I believe that this device can indeed have a major impact on education. But how does this relate to security?
Perhaps one of the most refreshing aspects of the $100 computer is that I believe (and perhaps, hope) there will be no major security issues exploited on those systems. Absolutely none. That is, none except the ones the children find themselves. No, I’m not na
