Code Red wormed its way into servers once again this month. It almost seems as if Microsoft and computer security experts designed this piece of malicious code just to remind people how important it is to keep their software up to date. In fact, there has been so much publicity that if you are in charge of a server that hasn’t been patched, it might be time to consider how secure your job will be if management discovers that servers in your charge are infected by the Code Red worm. Let’s look at the continuing Code Red problem and the larger issue of administrators who are not keeping their machines up to date.
The Code Red menace continues
Internet traffic reports by the SANS Institute show that Code Red is still alive and trying to spread. The first serious spin-off from Code Red, Code Red II, became widely recognized during the first weekend of August, belying some managers’ claims that the Code Red worm wasn’t serious enough to justify installing the Microsoft patch.
Obviously, the people who worked on this worm have paid attention to these reports and have made the worm much more dangerous. As it infects that quarter million or so still unpatched Microsoft Internet Information Servers, it leaves a back door open to anyone who wants to take advantage of the hole to wreak havoc.
The Code Red II worm also spreads more aggressively than the original version. It leaves behind the back door (a Trojan horse) mentioned above, but otherwise it is quite similar to the original and will also be blocked or cured on systems that have applied the MS01-033 patch.
A number of administrators forgot to take into account that the Code Red worm could also attack Windows 2000 Professional machines that were running IIS. Although IIS is not installed by default, some third-party programs require it and may install it as part of their installation routines. If these Win2K Pro machines have a public IP address, they are just as susceptible to the Code Red worm. In addition, if an internal IIS server gets infected, it could infect some of these Win2K Pro machines, which could then further propagate the worm.
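One practical way to find those unexpected IIS installs is to read the worm's own scanning traffic in the web logs: an infected machine sends a distinctive request to default.ida, so the source addresses in any IIS log that received it are themselves unpatched hosts. The following is an added example, not code from this column; it assumes IIS 5.0 W3C extended logs and uses constructed sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an IIS 5.0 W3C extended log (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-06 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 00:01:12 10.0.0.5 GET /index.htm - 200
2001-08-06 00:02:40 192.168.1.77 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 200
2001-08-06 00:03:01 10.0.0.23 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-06 00:03:09 10.0.0.23 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-06 00:04:55 10.0.0.5 GET /scripts/foo.asp id=1 404
"""

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))

def classify(rec):
    """Return a variant label for a default.ida probe, or None for normal traffic."""
    if rec.get("cs-uri-stem", "").lower() != "/default.ida":
        return None
    q = rec.get("cs-uri-query", "")
    # Both variants pad the query with a long run of one letter before the %u escapes:
    # 'N' for the original worm, 'X' for Code Red II (publicly documented signature).
    if re.match(r"^N{20,}", q):
        return "CodeRed"
    if re.match(r"^X{20,}", q):
        return "CodeRedII"
    return "default.ida-unknown"

def find_probes(text):
    """Map each probing source IP to a Counter of variants seen.
    The source addresses matter to a defender: the worm only sends this request
    from a host it has already infected, so internal sources are unpatched IIS
    installs, including Win2K Pro machines nobody knew were running IIS."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            hits[rec["c-ip"]][label] += 1
    return hits

if __name__ == "__main__":
    for ip, variants in find_probes(SAMPLE_LOG).items():
        print(ip, dict(variants))
```

Run it against the real log directory (ex010806.log and friends) and every internal address it reports is a machine to patch or purge before the next variant arrives.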
Administrators come into question
Nothing else this year has generated such public concern over computer security as the flood of mainstream news reports that have frightened businesses and home users alike with confusing and conflicting information about the Code Red worm.
As regular readers of this column know, Code Red is strictly a Windows NT 4.0 and Windows 2000 problem with the Indexing Service. That means that this worm poses danger to the businesses that are the main users of these operating systems and is not something that home users running Windows 9x need to be concerned with.
However, despite all the publicity, many administrators seem to be missing the boat on this vulnerability. Some managers seem to be following the age-old strategy of “leaving it to someone else.” But that just isn’t working with Code Red, which, as of Aug. 1, had proved that more than 200,000 servers still hadn’t been patched or purged of the worm.
While Code Red’s threat to Internet bandwidth and its original target, the White House server, has essentially passed, there are still mutating versions of the worm, along with the possibility that other, more serious attacks could take advantage of the same IIS vulnerability.
What if the next IIS worm carries a different payload—perhaps one that wipes all files from the infected servers? If left unpatched, the vulnerability opens up system level access to the attack, so that virtually any action can be taken against the system.
What’s the holdup?
Once the problem was discovered, Microsoft and security Web sites did a good job promulgating information and the patch that inoculates machines against Code Red. Nevertheless, Code Red infected more than 300,000 servers. Even after publicity for the problem spread from industry newsletters and columns into the mainstream media, only about 70,000 additional servers were patched.
This raises the question: What’s going wrong? It’s not a notification problem. There has been tons of publicity. It’s not a software problem. The patch has been available and well publicized since June. That only leaves personnel and/or management problems.
Are the people in charge of the still-vulnerable servers simply ill equipped for this responsibility because they lack network or security training? In some companies, it seems that no one is really in charge of the network. Management is left to whichever PC-literate employees can be forced into the job regardless of their network experience. Some supervisors obviously feel that if someone can install a program, he or she is also qualified to manage it.
In other instances, the network managers of these 200,000-plus systems are well aware of the threat and the fix but have been blocked from patching their servers by management policies limiting upgrades and security.
Or the problem may be a cumbersome approval procedure requiring those who understand network threats to get approval for changes from upper management that doesn’t grasp the dangers involved. Sometimes, those outside the MIS department don’t realize the potential danger from failure to patch server software and may be far more concerned over the downtime that could occur during the upgrade process.
Whatever the particular problem is in each individual situation, it should be obvious that there are some systemic problems for organizations that have been unable, even with massive publicity, to make a relatively simple patch to critical software.
As someone concerned with security, it’s your responsibility to not just follow security updates, but also to make certain that there is a plan in place that will allow you to make the necessary repairs on an emergency basis.
Where do you think the problem lies?
Did you have trouble getting approval to patch your machines? We look forward to receiving your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.