Original URL: http://www.theregister.co.uk/2006/01/05/secfocus_zeroday/

Zero-day holiday

Sobering up fast

By Kelly Martin

Posted in Security, 5th January 2006 11:08 GMT

A few hundred million Windows XP machines lay vulnerable on the web today, a week after a zero-day exploit was discovered. Meanwhile, new approaches and ideas from the academic world - that focus exclusively on children - may give us hope for the future after all.

For this month’s column I had planned to write a positive, cheerful article on some of the ways security has advanced over the past year. But the Microsoft zero-day vulnerability discovered on December 27, 2005, has caused much activity and stress in the security community and, therefore, I will first digress with some short commentary. There are some great things happening in the world of computers and networks, but today’s Windows XP security response isn’t one of them.

With the Windows XP WMF vulnerability and exploit discovered on December 27th, we are all faced with a very difficult situation. Incredibly, most of the world’s computers have been suddenly found vulnerable to massive data theft and criminal use when they reach out onto the internet - ripe for exploitation with great ease, even by unskilled hackers. How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we’re in today.

Microsoft customers are in big trouble. In my time at SecurityFocus, I have never seen such potential for damage or such a far-reaching vulnerability. The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and its variants. Blaster alone infected more than 25 million machines. Today we have an exploit that can elude even anti-virus and IDS sensors and compromise a system very easily. It’s frightening. In some ways it's also much worse, because it is much easier to infect machines that sit behind strong border security. Even without an email-borne virus, I anticipate the WMF vulnerability is going to create greater waves than Blaster when all is said and done. A single wrong click, even by an experienced security professional, and it’s game over. A simple search in Google and one click is all it takes.

A week after the zero-day vulnerability bit one of the world’s most influential software companies hard, we’re told it will be still another week until there is a fix. Based on the severity of this issue, the time delay is unacceptable. Installing the unofficial patch is highly recommended. But what else can we do?

Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever. I truly believe that millions of computers - perhaps tens of millions - are being compromised by criminals right now. These include computers inside government, military and scientific installations. And millions of home computers. Pretty much anyone who can reach the web, receive email or instant messages is vulnerable. Actual numbers and damage estimates, if they are ever known, will follow in the weeks and months.

We encourage readers to use our free mailing lists - including Bugtraq - to share information on workarounds to this problem, and how these can be applied in your environment. As one of the cornerstones of the security community, we encourage you to ask the hard questions and do whatever it takes to protect the networks you work on from today’s massive Windows XP exploit threat.

Let us hope that law enforcement and politicians take note of this situation in the weeks and months that follow, and craft (or enforce) legislation and risk management that might help. Now, onto more positive things.

21-day holiday

With nothing positive to say about today’s zero-day Windows exploit situation, I’d like to look at the bright side of computers, networks and security for a moment.

A few months ago at the United Nations’ World Summit, the brilliant researchers and visionaries at MIT and the MIT Media Lab showed a prototype of a robust, inexpensive green computer - a $100 laptop for every child, complete with a hand-crank for power. Widely covered in the media, this is one of the greatest initiatives I have ever seen to help spread education and knowledge - in a safe and secure environment - to some of the world’s poorest children through the use of computers. I've been watching this with great interest since it was first announced a year ago.

MIT’s Nicholas Negroponte made a passionate speech about the importance of education in the developing world, and how a new ubiquitous, inexpensive communication and learning tool known as the $100 computer can make a major difference in the lives of the poorest of the poor. I found it interesting that when asked about the details of the technology behind the $100 computer, Negroponte repeatedly dodged the technology and focused on the aspect of education and learning. Having travelled extensively across a few of the world’s poorest countries myself, I believe that this device can indeed have a major impact on education. But how does this relate to security?

Perhaps one of the most refreshing aspects of the $100 computer is that I believe (and perhaps, hope) there will be no major security issues exploited on those systems. Absolutely none. That is, none except the ones the children find themselves. No, I’m not naïve enough to suggest that there won’t be vulnerabilities. Instead, I have to believe that a community of children could not possibly be researched, exploited and attacked by nefarious computer researchers or even criminals. Despite some of the terrible things that happen in our online world - including the fallout from the past week’s massive zero-day Windows XP vulnerability - I would hate to ever meet someone in real life whose goal is to compromise a poor child’s $100 computer. Let’s see the bright side of security, assuming there is one, and consider the “green computer” as a refreshing and novel concept.

The other fascinating technology found in the $100 computer is its wireless mesh networking, first developed at MIT’s Media Lab. This sort of organic proximity network and "viral broadband" (PDF) can be used to build an ad-hoc communications system, and could one day revolutionize social networks and the way people communicate - much like the internet itself. It’s ideally suited to use TCP/IP and can be highly effective even in parts of the world where the internet does not yet exist.

365-day holiday

I have been trying to discover some middle ground between the pristine vision of the "green computer" for every child and Bill Gates’ dream of a personal computer on every desktop - not two entirely different visions, I might add. As a visionary and a respected, powerful leader, Gates made his dream come true - and without any foresight into security, we are faced with the massive exploitation of the zero-day vulnerability we have today. Not only did Gates’ great vision make him the world’s richest man in the process, it also made him one of the most generous: with an incredible $28.8 billion in the Bill & Melinda Gates charitable foundation, here is a man who truly makes a difference in our world. With such good intentions, it’s too bad his software is so often found vulnerable to malicious use.

It is with some irony, therefore, that most of the world’s computers run Gates’ software but are now terribly vulnerable to exploitation, digital theft and criminal activity even as I write this. Hundreds of millions of computers are vulnerable to the whims of just about any website owner, virus writer, or hacker with malicious intent. I can think of a thousand different ways to lure someone into full system compromise using this zero-day vulnerability - and I don’t think this is the vision Gates had ever dreamed of.

Contrast this with the vision of MIT’s $100 computer - and the view of it as an extremely safe, secure place for children to learn and grow. The goal is to build hundreds of millions of these machines, too. It’s unlikely that Gates would support it, though, as it will be running a flavour of Linux on AMD. It’s unlikely that Intel will support it as well, which might be the reason why it is one of the few organizations openly critical of MIT’s initiative. I hope both can step back from the technology for a moment, just as Negroponte has done, and focus on the betterment of the world through children, for a change.

On the surface, the MIT green computer and the Microsoft Windows XP computer seem to be entirely different, and in many ways they are. They take radically different approaches to what is, ironically, the same goal: using technology to make the world a better place. We’ve seen what happens with a monopoly of like systems designed around the legacy and poor security of yesteryear; let’s hope the upcoming MIT computer for children offers us a glimpse of a much more secure and socially responsible world.

Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.

This article originally appeared on SecurityFocus

Copyright © 2006, SecurityFocus