Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 6 Jan 2002 19:25:57 -0700 (MST)

On Sat, 5 Jan 2002, Robin S. Socha wrote:

> * Ryan Russell <ryan () securityfocus com> writes:
> The point you were trying to make was that an admin running Windows
> logged into the infected system and infects the PDC. I cannot see the
> connection to Unix worms.

Unix worms tend to be worse, because they nearly always include an exploit
as their entry method.  You typically don't get to make a bad user
decision, beyond failing to patch.

> I also cannot see the similarities between
> Nimda and the Unix worms I know of.

Ramen isn't too far off, in terms of the number of infection vectors.

> Maybe I'm too stupid to understand
> http://www.cert.org/advisories/CA-2001-26.html but to me this does not
> look like a worm but a combination of worm, and virus.

It is.


> > If you mean the one hole that Nimda uses.. even with that patched, people
> > still click on attachments, make bad choices when their browser asks them
> > to choose, etc..
>
> Iff you allow them to do that, yes. Or if their software is fundamentally
> broken as in
> ,----
> | Due to a vulnerability described in CA-2001-06 (Automatic
> | Execution of Embedded MIME Types), any mail software running on an x86
> | platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except
> | IE 5.01 SP2) to render the HTML mail automatically runs the enclosed
> | attachment and, as result, infects the machine with the worm.
> `----

What is your point?  There aren't any mail clients that haven't had a
hole.


> > The only thing special about Windows is that it has most of the
> > market share.
>
> That is incorrect. While your typical Unix usually leaves a lot to be
> desired in the privilege sector, Unix *users* don't usually run with
> super user rights.

It makes no difference.  The worms and viruses for unix will simply
include exploits.


> > If Linux wins, then the majority of worms will be written there.  The
> > security model won't make a difference, there are tons of local root
> > exploits.
>
> FUD, Ryan. But I'll gladly follow you along a tour of "tons of root
> exploits on Robin's OpenBSD box" - just let me know and I'll give you
> shell...

You seem to be mistaking my use of the word "Linux" for OpenBSD.  I'm not
the one to talk to if you want your unprived OpenBSD user to break root, I
don't write a lot of exploits.  It's been done though, every year at
Defcon.

In general, OpenBSD is the exception when it comes to security.  It's far
from perfect, though.  Take a look at the SecurityFocus vulnerability
database, under OpenBSD.


> > Your average desktop user won't put their patches on no matter what OS
> > they run.
>
> Therefore, the world wants client/server with admins fixing stuff for
> their users.

Yes, they do.  They're not willing or able to get them, though.  I know of
a grand total of 1 exploit for Windows that was 0-day, that is for a
vulnerability that wasn't known ahead of time. There are probably a few
more.  The point is that if patching could always happen, the Windows worm
problem wouldn't be there either.


> > It's the diversity (read: running a less popular OS) that makes you
> > safer, not that one is better than another.
>
> That, Ryan, is a lie, and you know it. You are making an easily disproven
> claim here, namely that, say, OpenBSD is as insecure as Windows.

I made no such claim.  I claimed that whatever OS is the most popular will
have the problem, the problem being worms, viruses, etc..  We both know
that OpenBSD will never be the majority OS for desktop users, as
unfortunate as that may be for security.  However, if it were, you'd see
a lot more exploits for it than you do now.

> If it is
> that simple, please show us your remote root exploit for OpenBSD and get
> really famous. Replace OpenBSD with any well maintained Unix, it's just
> that "4 years without a remote exploit in the default install ended by
> Ryan" has such a nice ring to it.

I won't argue the OpenBSD claim to fame.  Some would say that some of the
existing problems have already ended that.  My Windows 98 box has also
never had a remote hole in the default install, but that's because it
doesn't run any services.

> > You mean web surfing?  Yes, most schools allow that.  You can get
> > Nimda by simply visiting a website.  If you've got the hole, you get
> > it instantly.
>
> Provided you are running a broken browser and have your security settings
> at "idiot" level.

The security settings don't make much difference for Nimda.  The user
gets prompted, at best.  Which browser is it that you're using that isn't
"broken"?


> > If you're patched, then the student has to click on "yes" to be
> > infected.
>
> How come you allow your users to do that? Execute unknown code locally,
> I mean? Is that part of your security policy?

Not my policy, the policy of the school in question.  Again, thinking that
will always save you is a fallacy.  There are holes in every content
filter.  There are holes in every browser.  If you are using a browser,
there is a risk that you will have code executed locally.  I'm not saying
that you shouldn't therefore always allow code to be executed.  Rather,
I'm saying that switching from Windows does not make this problem go away.


> With a time window of up to 48h or more. Therefore:
>
> hour window is good for millions of mails. Which part of "this is not
> a solution, it's not even a kluge, it simply *does* *not* *work* -
> have the vendor fix the software or get rid of the software" do you
> have difficulty in understanding?

The window for a known variant (as stated in my note) is 0 hours.


> > As explained above, what I have difficulty understanding is how
> > changing software makes one bit of difference.
>
> Software broken. Exploit unavoidable. Remove software. No exploit.

Yes, if you remove all software, there will be no exploits.

                                        Ryan
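The CA-2001-06 passage quoted in this exchange describes a client that runs an attachment because of the MIME type the sender declared, not because of what the attachment actually is. The gateway-side check below is an added example written for this archive page; it is not code from either correspondent, from CERT, or from any mail product. It parses a message, ignores the declared Content-Type, and flags any attachment whose filename extension a site would treat as executable, with a stronger finding when such a file is labelled as a type a client renders without prompting. The extension list and the "auto-rendered" type set are assumptions for illustration, and the sample message is constructed inline.

```python
"""Gateway-side MIME attachment check (added example, not from the thread).

Assumptions, not facts from the thread:
  - EXECUTABLE_EXTENSIONS is a site policy list of extensions to block.
  - AUTO_RENDERED_TYPES approximates MIME major types a client renders
    inline without asking the user.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions the gateway refuses regardless of declared type.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Assumption: major types a mail client tends to render automatically.
AUTO_RENDERED_TYPES = {"audio", "image", "video", "text"}


def _extension(filename: str) -> str:
    """Return the lower-cased final extension of a filename, or ''."""
    if "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[-1].lower()


def find_risky_parts(raw_message: bytes):
    """Walk every leaf MIME part and return (filename, content_type, reason)
    for parts that a client trusting the declared Content-Type might run."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        if _extension(filename) not in EXECUTABLE_EXTENSIONS:
            continue
        ctype = part.get_content_type()
        if part.get_content_maintype() in AUTO_RENDERED_TYPES:
            reason = "executable attachment labelled as an auto-rendered type"
        else:
            reason = "executable attachment"
        findings.append((filename, ctype, reason))
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy decision: hold the message if any risky part was found."""
    return bool(find_risky_parts(raw_message))


def build_sample(filename="readme.exe", maintype="audio",
                 subtype="x-placeholder") -> bytes:
    """Constructed sample message: a text body plus one attachment whose
    declared type and filename are chosen by the caller."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text of a constructed test message.")
    msg.add_attachment(b"MZ placeholder bytes, not a real program",
                       maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for f in find_risky_parts(build_sample()):
        print(f)
    print("quarantine:", should_quarantine(build_sample()))
    print("clean message quarantined:",
          should_quarantine(build_sample("notes.txt", "text", "plain")))
```

The point of the check is the one Ryan and Robin circle around: the declared type is attacker-controlled, so a gateway that decides on the declared type alone inherits the client's mistake. Deciding on the filename is only a first step; a production filter would also inspect the decoded payload, since the filename is attacker-controlled too.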

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
