Microsoft Says Two Basic Security Steps Might Have Stopped Conficker 245
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Like autorun? (Score:3, Informative)
Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.
Re:Two basic steps (Score:5, Informative)
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
Re:Why are we still using passwords? (Score:5, Informative)
My European bank used a one-time pad in addition already 13 years ago. They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).
My US bank still uses plain passwords.
It also uses debit and credit cards with just a magnet strip (which European stores won't accept anymore), and offers cheques (which the rest of the world stopped using in the 80s). And forget about having a giro system or SWIFT. It's truly like the dark ages over here.
Re:Two basic steps (Score:5, Informative)
It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.
1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though. 2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatically downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there's also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7's a lot better with that.
Comment removed (Score:5, Informative)
Re:Two basic steps (Score:2, Informative)
1) Start.
2) Run.
3) sc stop wuauserv
4) And now Windows stops bugging me to restart my computer when I'm trying to read my webcomics.
(Of course, I install the update at a later time, but some of the "idiot-proofing" has made things a major pain in the ass for people who know what they're doing sometimes, such as the lack of easy customization in certain programs.)
Re:Two basic steps (Score:4, Informative)
MS is in a bind here. They are very much aware of this problem, but there is very little they can actively do against it.
It's not even MS that is the problem here, it's the way some companies (notably game companies) abuse the system and don't write to spec. In Linux, you get ravaged (to avoid a less pleasant word) if your software required more privileges than it absolutely minimally needs, and you better have a GOOD reason to ask to run as root. Hell, most packages say explicitly that you should NOT run this as root.
It's exactly the other way 'round for MS Windows. With both, old legacy reason and newer, at least as bad reasons.
The legacy reasons come from the times of the Win9x systems who arguably had zero real protection. Likewise, it didn't matter just what Registry tree you cluttered with your keys. And because it's easier and works for all users to simply slap it into the HKLM tree instead of the HKCU (aside of other, more serious, problems that you have to take into account when using HKCU), software creators didn't even think twice before sprinkling the Registry liberally with their crap. Of course, this flies right in the face of anything resembling security where HKLM or even HKCR are off limits for "user" privileged accounts. So every time this legacy junk was supposed to run, UAC throws a hissy fit.
The less acceptable reason and the one that irks me way more is that the various DRM schemes and anti-cheat crap make games require administrative privileges, not only for installation (where I could at least accept that, due to installing a device driver, these privileges are required) but also to run them. Again: To run a stupid, insignificant game, you have to bring out the big admin guns. And this is simply NOT ok.
But there is very little MS can actively do against that. As long as people buy those games despite the need for admin privs, companies will continue using DRM schemes that don't give half a crap about the system's security. And as long as this is the case, MS cannot do anything about it. What should they do?
As soon as a program requests permissions that can somehow harm the system, a sensible security watchdog function should report that something is happening that could be damaging. Else, what is it good for? The security of the system is the security of the weakest link. One link broken, the security breaks down. You can't simply "not ask just this one time". If you do that, disable it altogether. But if it really asks every time something could possibly be amiss, you get what UAC is today, along with its "allow and deny" jokes.
So please tell us, what should MS do?