Microsoft's blast from the past
By Robert Lemos
CNET News.com August 12, 2004, 4:00 AM PT
A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program:
"billy gates why do you make this possible? Stop making money and fix your software!!"
Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers' computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.
Microsoft's overhaul of the software underwent a fast shift in direction--from a focus on features to an overwhelming concentration on security--after the rapid spread of MSBlast last summer threw doubt on the operating system's protections.
The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.
"This time last year was a really exciting time," said Amy Carroll, director of product management in Microsoft's Security
Business and Technology Unit. "There wasn't a lot of sleep involved."
The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part
in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.
A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through
changes to the Windows XP code and configuration, the update adds better security to the operating system's handling of network
data, program memory, browsing activity and e-mail messages.
Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.
"It is probably too early to say whether SP2 will meet its promise," said Alfred Huger, senior director of engineering
at Symantec, a security company. "That said, it's a great step in the right direction. We still have all the same fears as
before, but we are in a better place to deal with them."
Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple
layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft's Carroll said.
For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been
fixed, she said. Even if it hadn't, SP2 has an automatic update feature that would have installed the Microsoft patch before
MSBlast propagated. Then, if a user turned off that update feature, SP2's improved firewall would have blocked the worm. And
if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast's
attempts to infect computers would have failed.
"There is a whole cascade of defenses that make the operating system more resilient overall," Carroll said.
Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has
repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which
exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw
during that half-year.
"This is the most secure version of Windows that we have shipped yet," said Carroll, who issued a plea for customers to
apply the patch. "That said, it is not a 'silver bullet,' and we are doing a lot of other things to address security."
Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged.
IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect
their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.
Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the
past three years have taught the software giant that security is not simple. The result is that the company pushes for security
on multiple fronts.
The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus
Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced
the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped
lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.
Although it is harder to create network worms that can penetrate Windows XP SP2's defenses, it can be done, Symantec's
"It would stop the old MSBlast. I don't know if it would stop a new one," he said. "This isn't the end of the network worm,
but it makes more sense (for attackers) to focus on other methods."
Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with
PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely
come in the next few months, once those researchers' efforts bear fruit.
"Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2,"