Internetnews.com reports that Microsoft is working on a new feature for Windows Update which will remove all worms from your system. It's slated for release at the end of the year. Personally I find every initiative to offer customers a service to fix their systems a good one. However, will this particular initiative be a good one?
In theory it might sound great: you visit Windows Update, the site scans your system for worms and other nasties and removes them for you. Wait... visit Windows Update... but if you do that, you will already get the patches, narrowing the attack window for worms. Most people who are currently suffering from Sasser haven't visited Windows Update in quite a while; the patch was released on April 13th. If you're one of them, you're in good company: yesterday my newspaper, NRC Handelsblad, arrived very late because they had a computer network breakdown due to Sasser. After almost a month the system administrators at PCM (owner of NRC) hadn't patched the computers, nor had they protected their network against worms and other crap arriving from the Internet.
Besides the point of the necessity to visit Windows Update, this feature falls into the same trap as a lot of copy protection schemes: when you disable the check code, the code called by the check code is useless. Windows Update uses ActiveX controls (COM components) to perform the checks on your system, and those ActiveX components are run by Internet Explorer. IE contains a protection against malicious ActiveX components: if the 'kill bit' is set to 1, the ActiveX component will not be loaded or run. The kill bit is a per-component registry value that controls whether an ActiveX component may run inside IE. You can use this, for example, to stop Macromedia Flash from running in IE. Read this KB article for details about the kill bit. What will likely be the first thing a worm does when it enters a vulnerable system? That's right, set the kill bit for all the Windows Update ActiveX controls.
Now, to avoid this, IE has to be told via hard-coded GUIDs that a set of controls with those given GUIDs always has to be run, no matter what the kill bit says. However, this can lead to security holes as well (overwrite the registry entry that tells COM where the DLL for a given GUID lives and you're set). With a simple registry entry, the worm can disable this new removal feature completely.
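As an added example (my own illustration, not code from the original post or from Microsoft), here is a small audit that parses an exported ActiveX Compatibility registry key and reports which CLSIDs have the kill bit set, so an administrator can notice when controls that should stay loadable, such as the ones an update site relies on, have been silenced. The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (KB 240797); the .reg text, the CLSIDs and the list of expected-loadable controls are all constructed placeholders.

```python
import re
from typing import Dict, List, Set

KILL_BIT = 0x400  # bit in "Compatibility Flags" that tells IE never to load the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed .reg export (as produced by "regedit /e"); CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000402
"""

# Placeholder: CLSIDs the administrator expects to remain loadable (e.g. update-site controls).
EXPECTED_LOADABLE: Set[str] = {
    "{11111111-0000-0000-0000-000000000001}",
    "{22222222-0000-0000-0000-000000000002}",
}

_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text: str) -> Dict[str, int]:
    """Map each CLSID under the ActiveX Compatibility key to its Compatibility Flags value."""
    flags: Dict[str, int] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)  # key without a value behaves as flags == 0
            continue
        if line.startswith("["):
            current = None  # an unrelated key; skip its values
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def killed_clsids(reg_text: str) -> List[str]:
    """All CLSIDs whose kill bit is set (IE will refuse to load them)."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT)


def unexpected_kill_bits(reg_text: str, expected_loadable: Set[str]) -> List[str]:
    """Controls that should stay loadable but are killed: a sign of tampering worth investigating."""
    return sorted(set(killed_clsids(reg_text)) & {c.upper() for c in expected_loadable})
```

Running it against a live machine means exporting the key with regedit and feeding the file to `unexpected_kill_bits`; a non-empty result is the condition the post describes.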
As I mentioned earlier, every initiative to protect customers and to fix infected systems has to be supported. I find it sad, however, to see such an initiative promoted as something which will help customers when in practice it will probably not help anyone, because it is easily disabled or circumvented.
The only thing which I think will help is to block any incoming request on any TCP port unless the user has enabled it explicitly, and with that action suggests s/he knows what s/he's doing. I hope that with SP2 for XP a lot of the worms can be avoided. SP2 is slated for release later this year. However, the firewall is available in XP today. Perhaps it's a good idea to release a fix now which enables the firewall on every TCP connection and disables the TCP/IP NetBIOS Helper service if the system is not part of a domain. Users are not aware of the firewall in XP, nor are they able to find the setting somewhere on a properties tab. Releasing a fix now which turns on the firewall will also require Windows Update; however, it will be much smaller in size than the complete SP2.
Oh, and although it will cost a lot of money, it might be wise to distribute SP2 on free CDs available with magazines and in supermarkets and gas stations. Then people with a modem connection to the Internet will also be able to install the service pack, as will the people who will never visit Windows Update because they don't know what it's for.