Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 6 Jan 2002 19:25:57 -0700 (MST)
On Sat, 5 Jan 2002, Robin S. Socha wrote:
> * Ryan Russell <ryan () securityfocus com> writes:
> The point you were trying to make was that an admin running Windows logged into the infected system and infects the PDC. I cannot see the connection to Unix worms.
Unix worms tend to be worse, because they nearly always include an exploit as their entry method. You typically don't get to make a bad user decision, beyond failing to patch.
> I also cannot see the similarities between Nimda and the Unix worms I know of.
Ramen isn't too far off, in terms of the number of infection vectors.
> Maybe I'm too stupid to understand http://www.cert.org/advisories/CA-2001-26.html but to me this does not look like a worm but a combination of worm and virus.
It is.
>> If you mean the one hole that Nimda uses.. even with that patched, people still click on attachments, make bad choices when their browser asks them to choose, etc..
> Iff you allow them to do that, yes. Or if their software is fundamentally broken as in
> ,----
> | Due to a vulnerability described in CA-2001-06 (Automatic
> | Execution of Embedded MIME Types), any mail software running on an x86
> | platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except
> | IE 5.01 SP2) to render the HTML mail automatically runs the enclosed
> | attachment and, as result, infects the machine with the worm.
> `----
What is your point? There aren't any mail clients that haven't had a hole.
>> The only thing special about Windows is that it has most of the market share.
> That is incorrect. While your typical Unix usually leaves a lot to be desired in the privilege sector, Unix *users* don't usually run with super user rights.
It makes no difference. The worms and viruses for Unix will simply include exploits.
>> If Linux wins, then the majority of worms will be written there. The security model won't make a difference, there are tons of local root exploits.
> FUD, Ryan. But I'll gladly follow you along a tour of "tons of root exploits on Robin's OpenBSD box" - just let me know and I'll give you shell...
You seem to be mistaking my use of the word "Linux" for OpenBSD. I'm not the one to talk to if you want your unprived OpenBSD user to break root, I don't write a lot of exploits. It's been done though, every year at Defcon. In general, OpenBSD is the exception when it comes to security. It's far from perfect, though. Take a look at the SecurityFocus vulnerability database, under OpenBSD.
>> Your average desktop user won't put their patches on no matter what OS they run.
> Therefore, the world wants client/server with admins fixing stuff for their users.
Yes, they do. They're not willing or able to get them, though. I know of a grand total of 1 exploit for Windows that was 0-day, that is for a vulnerability that wasn't known ahead of time. There are probably a few more. The point is that if patching could always happen, the Windows worm problem wouldn't be there either.
>> It's the diversity (read: running a less popular OS) that makes you safer, not that one is better than another.
> That, Ryan, is a lie, and you know it. You are making an easily disproven claim here, namely that, say, OpenBSD is as insecure as Windows.
I made no such claim. I claimed that whatever OS is the most popular will have the problem, the problem being worms, viruses, etc.. We both know that OpenBSD will never be the majority OS for desktop users, as unfortunate as that may be for security. However, if it were, you'd see a lot more exploits for it than you do now.
> If it is that simple, please show us your remote root exploit for OpenBSD and get really famous. Replace OpenBSD with any well maintained Unix, it's just that "4 years without a remote exploit in the default install ended by Ryan" has such a nice ring to it.
I won't argue the OpenBSD claim to fame. Some would say that some of the existing problems have already ended that. My Windows 98 box has also never had a remote hole in the default install, but that's because it doesn't run any services.
>> You mean web surfing? Yes, most schools allow that. You can get Nimda by simply visiting a website. If you've got the hole, you get it instantly.
> Provided you are running a broken browser and have your security settings at "idiot" level.
The security settings don't make much difference for Nimda. The user gets prompted, at best. Which browser is it that you're using that isn't "broken"?
>> If you're patched, then the student has to click on "yes" to be infected.
> How come you allow your users to do that? Execute unknown code locally, I mean? Is that part of your security policy?
Not my policy, the policy of the school in question. Again, thinking that will always save you is a fallacy. There are holes in every content filter. There are holes in every browser. If you are using a browser, there is a risk that you will have code executed locally. I'm not saying that you shouldn't therefore always allow code to be executed. Rather, I'm saying that switching from Windows does not make this problem go away.
>>> With a time window of up to 48h or more. Therefore:
>> hour window is good for millions of mails.
> Which part of "this is not a solution, it's not even a kluge, it simply *does* *not* *work* - have the vendor fix the software or get rid of the software" do you have difficulty in understanding?
The window for a known variant (as stated in my note) is 0 hours.
>> As explained above, what I have difficulty understanding is how changing software makes one bit of difference.
> Software broken. Exploit unavoidable. Remove software. No exploit.
Yes, if you remove all software, there will be no exploits.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards