
Blaster

Week of August 15, 2003

It is upon us again: Rightfully or wrongfully, Microsoft, that bastion of trustworthy computing, is at the epicentre of an Internet scandal.

Microsoft published a patch for their NT+ (NT4, 2K, XP) operating systems a month ago. The patch addressed a vulnerability in the Distributed COM layer of NT's all-important Remote Procedure Call (RPC). The vulnerability could be exploited, and thus application of the patch was crucial.

Once this information was let out, it took the script kiddies only a short time to ready their attack. Suddenly Blaster was upon us, and machines were dropping off like flies. People were infecting their laptops on the home front, then logging in to their firewall-protected networks and introducing Blaster to protected areas. And few networks had the patch Microsoft offered a month earlier.

Were admins really this lazy, that they ignored Microsoft's admonitions? Not quite. The admins had been burned in the months preceding by countless bungled patches and service packs from Microsoft. The situation was so critical that many refused to update or upgrade at all. When Microsoft sent out word about the new vulnerability, many admins opted to deliberately ignore the warning, as accepting an update from Microsoft had become tantamount to system destruction.

And thus it spread. Tom Liston's LaBrea was clued in early, and provided healthy statistics on the spread of Blaster. Newspapers wrote about it, and some blamed Microsoft, and some did not. The phrase 'trustworthy computing' came up more than once, and some people wondered if there was any excuse for Blaster, or the way Microsoft handled it.

Users of Windows 2000 Service Pack 2 or earlier were deprived of a workaround which it took Microsoft twenty-seven days to admit would work with their operating system. In the midst of a computing crisis, people saw Microsoft pressuring customers to upgrade into Microsoft Product Activation.

Windows 95, 98, 98SE, and Me were not affected by all this. Neither were Unix, Linux, FreeBSD, Apple's OS X, Solaris, SunOS, or any other operating system. Only Microsoft NT+ - NT4, 2K, and XP. The same way it always is. Blaster probes the net for likely victims, looking on ports which only Microsoft's sad Exchange will use, and if these ports are found, Blaster sends the bomb, corrupts yet another machine, and so on. Word has it all these machines will turn into zombies on 16 August and we'll see a real DDoS attack take place.

Copyright © Radsoft. All rights reserved.