My buddy Dwight Silverman of the Houston Chronicle has a barnburner of a post today whose key message can be boiled down to a simple phrase in all caps: PATCH IT, DAMMIT! (That’s Dwight’s phrase, from an e-mail exchange we had this morning about this very post.)
I agree completely with what I see as Dwight’s overarching message: computer security is serious business and complacency can have dire consequences. Absolutely right. But I cringe at the fear-based presentation from SANS, which is unnecessarily alarmist and seriously outdated.
Let’s start with Dwight’s headline:
That’s alarming. And so is the nut graf, which appears just above a chart that drives home the point visually:
Here’s how poisonous the Internet environment is these days: According to the SANS Internet Storm Center, just connecting an unpatched Windows XP system to the Internet can result in a malware infection in an average time of four minutes.
The implication is that you don’t dare connect to the Internet without full body armor. A casual reader would take away this message: if you go down to your local outlet mall, pick up one of those last remaining Windows XP machines, and then plug it directly into a cable modem, you’ll be infected within minutes. That is simply not accurate. And Dwight hints at that when he says, “I actually saw this happen first-hand years ago.” Me too. I remember watching in awe as the Blaster worm jumped across networks to infect Windows machines back in the summer of 2003. But that was years ago and I haven’t seen anything similar happen since those dark days.
Neither Dwight’s post nor the original SANS post that he’s using for support mentions the phrase “Service Pack 2” at all. The statistics that were originally gathered, and the chart at SANS, are based on configurations running the original RTM version of Windows XP, or Service Pack 1. (At least, that’s the only interpretation of “unpatched” that I can come up with that makes this data even remotely plausible.) That universe is small and getting smaller all the time. If you bought a new PC in Fall 2004 or later, it came with SP2 integrated and was protected from the start. If you restored your Windows installation from the recovery partition or did a clean install of Windows using the included OEM media, you’re protected as well, because SP2 is integrated into those disk images. The same is true for copies of Windows XP sold at retail in the past three and a half years. (To be fair, Dwight added a reference to this fact in an update after our e-mail exchange. And if you follow the SANS links you eventually get to the Vista-ready, post-SP2 update of their guide to hardening Windows, which explicitly calls out the “significant improvement [of SP2’s default enabling of the firewall] in particular for home users”.)
What’s the difference? XP SP2 was a line in the sand against network-based attacks. What Dwight calls the “rudimentary firewall” in Windows XP SP2 is on by default, blocking all unsolicited incoming connections until you allow them. It’s been remarkably effective. I’d like to see someone try this experiment with both XP SP2 and Vista in their default configurations. I strongly suspect that either system would be able to remain up and running indefinitely and would not be compromised without the participation of the user. If that weren’t true, then the Blaster worm would have had a successor and we’d be talking about it here. In short, that alarming headline and the “ticking time bomb” message simply do not apply to you if you have a reasonably modern Windows PC built in September 2004 or later. Yes, you should finish applying the latest updates to the OS and all potentially vulnerable applications (Acrobat, Flash, QuickTime, iTunes, etc.) before you begin using a network-facing PC for the first time, but you’re not at risk of having your system compromised if you decide to go to lunch before getting to that phase of setup.
If you’re using an older machine, originally shipped with a pre-SP2 build of Windows XP, you presumably installed SP2 years ago. If you need to reinstall Windows using that old, vulnerable version, just enable the original Windows firewall before you plug into the Internet. Or, better yet, download XP SP2, burn it to a CD, and apply it to your Windows machine before you plug in that Ethernet cable.
Back in 2003 and 2004, it was indeed appropriate to make sure people knew about this statistic. Today, not so much. Default settings for Windows these days certainly eliminate the possibility that you’ll get fragged just for plugging in a network cable. Yes, installing updates regularly is an essential part of a defense-in-depth strategy. Anybody who thinks they can ignore updates is a fool. But that’s only one part of a much larger awareness of security issues (which apply, by the way, even if you’re using a platform other than Windows). You should be running as a standard user, and your network should be behind a hardware router, and all connected PCs should have up-to-date antimalware protection in place, and you should avoid the kinds of behaviors that might take you to unsafe websites, and you should be vigilant about phishing attempts… In short, security awareness isn’t something you just think about once or twice a month, when patches arrive, but is a part of the overall way you approach computing.
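As an added example that is not part of the original post: a read-only PowerShell posture check for the items in that checklist a script can actually verify (firewall on and blocking unsolicited inbound connections, running as a standard user, antimalware current, patches not stale). It assumes a current Windows 10/11 host, since none of these cmdlets exist on Windows XP, and the 7-day and 30-day thresholds are constructed for illustration.

```powershell
# Added example, not the original post's code: checks the defence-in-depth items
# the post lists. Assumes Windows 10/11 (Get-NetFirewallProfile, Get-MpComputerStatus
# are absent on XP, where the firewall is set via netsh or the connection GUI).
# Read-only: it reports findings and changes nothing.

$findings = @()

# 1. Host firewall: every profile on, and unsolicited inbound blocked by default,
#    which is the SP2-era behaviour the post credits with ending Blaster-style worms.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    } elseif ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' default inbound action is $($p.DefaultInboundAction), not Block"
    }
}

# 2. Standard user: the current session token should not hold the Administrator role.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Session is running with administrative privileges; use a standard user for day-to-day work"
}

# 3. Antimalware: real-time protection on and signatures recent (7 days is a constructed threshold).
$mp = try { Get-MpComputerStatus -ErrorAction Stop } catch { $null }
if ($null -eq $mp) {
    $findings += "Microsoft Defender status unavailable (third-party AV or Defender disabled); verify manually"
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Defender signatures older than 7 days (last: $($mp.AntivirusSignatureLastUpdated))"
    }
}

# 4. Patching: date of the most recently installed update as a rough staleness indicator (30 days is constructed).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No update installed since $($latest.InstalledOn.ToShortDateString()); check Windows Update"
}

if ($findings.Count -eq 0) {
    "No findings: firewall on and blocking inbound, standard user, AV current, recently patched."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The hardware router and phishing items in the checklist are behavioural or off-host and have to be checked by hand.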