[ISN] Study: Unpatched PCs compromised in 20 minutes

InfoSec News isn at c4i.org
Wed Aug 18 06:55:02 EDT 2004


http://zdnet.com.com/2100-1105_2-5313402.html

By Matt Loney and Robert Lemos 
ZDNet (UK)
August 17, 2004

Don't connect that new PC to the Internet before taking security
precautions, researchers at the Internet Storm Center warned Tuesday.

According to the researchers, an unpatched Windows PC connected to the
Internet will last for only about 20 minutes before it's compromised
by malware, on average. That figure is down from around 40 minutes,
the group's estimate in 2003.

The Internet Storm Center, which is part of the SANS Institute,
calculated the 20-minute "survival time" by listening on vacant
Internet Protocol addresses and timing the frequency of reports
received there.

"If you are assuming that most of these reports are generated by worms
that attempt to propagate, an unpatched system would be infected by
such a probe," the center, which provides research and education on
security issues, said in a statement.

The drop from 40 minutes to 20 minutes is worrisome because it means
the average "survival time" is not long enough for a user to download
the very patches that would protect a PC from Internet threats.

Scott Conti, network operations manager for the University of
Massachusetts at Amherst, said he finds the center's data believable.

"It's a tough problem, and it's getting tougher," Conti said.

One of Conti's administrators tested the center's data recently by
placing two unpatched computers on the network. Both were compromised
within 20 minutes, he said.

The school is now checking the status of computers before letting them
connect to the Internet. If a machine doesn't have the latest patches,
it gets quarantined with limited network access until the PC is back
up to date.

"We are giving the people the ability to remediate before connecting
to the network," Conti said.

The center also said in its analysis that the time it takes for a
computer to be compromised will vary widely from network to network.

If the Internet service provider blocks the data channels commonly
used by worms to spread, then a PC user will have more time to patch.

"On the other hand, university networks and users of high-speed
Internet services are frequently targeted with additional scans from
malware like bots," the group stated. "If you are connected to such a
network, your 'survival time' will be much smaller."

In a guide to patching a new Windows system, the Internet Storm Center
recommends that users turn off Windows file sharing and enable the
Internet Connection Firewall. Microsoft's latest security update,
Windows XP Service Pack 2, will set such a configuration, but users
will have to go online to get the update, opening themselves up to
attack.

One problem, experts say, is network administrators' reliance on
patching and their assumption that users will quickly patch systems.

Speaking recently at the Microsoft TechEd developer conference in
Amsterdam, Microsoft security consultant Fred Baumhardt said the day
is likely to come when a virus or worm brings down everything.

"Nobody will have time to detect it," he said. "Nobody will have time
to issue patches or virus definitions and get them out there. This
shows that patch management is not the be-all and end-all."

Baumhardt stressed the importance of adaptability, using the human
immune system as an example: "Imagine if your body said, 'Hmm, I have
the flu. I've never had this before, so I'll die.' But that doesn't
happen: Your body raises its temperature and so on, to buy time while
other mechanisms kick in."

"If the human body did patch management the way (companies do), we'd
all be dead."




