The Haus

The Master .Plan


August 5, 2001 - Those who do not remember history...
Some observations on the Code Red crisis

I am a history buff, as well as a computer geek. Winston Churchill once said, "Those who do not remember history, are destined to repeat it", and it amazes me that we're seeing this played out in the computer industry in the form of the Code Red virus.

Robert Morris unleashed a computer worm on the internet back in 1988. The worm crashed the majority of the internet via a buffer overflow vulnerability in the fingerd daemon that was normally installed on the Sun Unix systems that powered most of the internet at that time. To this day, everyone is told to "disable the fingerd daemon - it has known vulnerabilities." This warning is due to the internet worm released in 1988. Even though the warning is really no longer applicable, very few public servers run the finger daemon anymore.

Today we have the Code Red worm. It attacks Internet Information Server via a buffer overflow in the .ida extension processor installed by default in IIS. The Code Red worm is much more elegant than the old Internet Worm, but it's the same beast in new clothes. This is not the first time a buffer overflow has been discovered in the extension processors for IIS, and I'm sure it won't be the last. Yet, nobody seems to have learned their lesson from 1988.

Several things bother me about this whole ordeal. First, why doesn't Microsoft implement a class to handle string processing, so they can avoid all these exploits they've been getting hammered for? Why aren't their supposedly improved quality assurance procedures catching these problems? Finally, why aren't the people who are willing to run internet-accessible systems properly securing and maintaining their systems?

Microsoft doesn't want to invest money and time into things that don't add to the bottom line. IIS is really a free package - it comes with NT. Since Microsoft isn't getting any money out of IIS directly, they're not wasting money to properly code-check the software. I hope I'm wrong - I can't prove any of this. But it seems like most of the bugs that are reported by Microsoft are being caught after the fact by outside users, and not by Microsoft themselves.

Admins are a trickier issue. Many of them are conscientious, but can't afford to firewall their systems properly. Personally, I don't classify Firewall 1 or any of the personal firewalls as proper protection either. Most of the firewall software out there is no more than packet checking or socket shielding at best. Most of the exploits nowadays are at the application level in the IP stack, guaranteeing that they slip past anything that's willing to allow a connection to a target system. The other side of the coin is ignorance. There are plenty of people out there running IIS on their personal PCs because "it's cool". Those people are NOT real admins, and don't know the risks of what they are doing.
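The gap between port-level filtering and application-level inspection described above, as an added example that is not part of the original column. The connection records, the `/example.ida` path, the filler query string and the `MAX_IDA_QUERY` threshold are all constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed threshold: longest query string a legitimate .ida request
# is expected to carry on this (hypothetical) site. Tune per site.
MAX_IDA_QUERY = 128

def packet_filter_allows(conn):
    """Port-based rule: permit any TCP connection to the web server on port 80."""
    return conn["proto"] == "tcp" and conn["dport"] == 80

def request_is_suspicious(request_line):
    """Application-layer check: inspect the HTTP request line itself."""
    parts = request_line.split()
    if len(parts) < 2:
        return False  # no request target to inspect
    url = urlsplit(parts[1])
    # Flag oversized input aimed at the .ida extension processor.
    return url.path.lower().endswith(".ida") and len(url.query) > MAX_IDA_QUERY

# Constructed sample connections (documentation address ranges, filler data).
CONNECTIONS = [
    {"src": "192.0.2.10", "proto": "tcp", "dport": 80,
     "request": "GET /index.html HTTP/1.0"},
    {"src": "192.0.2.11", "proto": "tcp", "dport": 80,
     "request": "GET /example.ida?q=manual HTTP/1.0"},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 80,
     "request": "GET /example.ida?" + "A" * 240 + " HTTP/1.0"},
    {"src": "198.51.100.8", "proto": "tcp", "dport": 23, "request": ""},
]

def triage(conns):
    """Return (source, verdict) pairs showing which layer catches what."""
    results = []
    for conn in conns:
        if not packet_filter_allows(conn):
            verdict = "dropped by packet filter"
        elif request_is_suspicious(conn["request"]):
            verdict = "passed packet filter, flagged at application layer"
        else:
            verdict = "passed both checks"
        results.append((conn["src"], verdict))
    return results

if __name__ == "__main__":
    for src, verdict in triage(CONNECTIONS):
        print(f"{src:15} {verdict}")
```

The packet filter treats all three port-80 connections identically; only the check that reads the request line separates the oversized `.ida` request from the ordinary ones.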

We're going to see more Code Red. Somebody is going to take the next step and make this thing truly lethal. We're going to see some real damage done, and soon. The new Code Red II that's hammering the internet as I write this is just another step in that direction. Until all of the systems running unpatched IIS software are fixed, this thing is a threat to the internet as a whole. It may not be able to attack the systems at the foundation (most of those are UNIX or Linux systems and are invulnerable to this worm) but it is going to drown the internet in sheer volumes of traffic. We're going to be facing this thing for a long time to come. I hope the lessons sink in this time.