Computerworld - We were pushing for a speedy move to the supposedly more secure Windows Server 2003 -- until we ran into the vulnerability in remote procedure call (RPC) services that use the Distributed Component Object Model. Every version of Windows, including Server 2003, is vulnerable to this latest buffer-overflow flaw. So we're rethinking our plans.
Microsoft's announcement and patch were swiftly followed by the release of exploit code, so my team and I knew a worm was sure to follow. The patch involved a reboot, which increased the amount of change control needed for rollout. We did pretty well anyway: We had over 80% of our vulnerable machines patched by early August, when the Blaster worm, which exploits the RPC flaw, hit.
Luckily, even the most trivial of firewalls stops this worm. But there are enough Windows machines without firewalls out there that the worm infected much of the Internet. Our firewall was jammed with thousands of attempts to get in, but we were unaffected -- at first.
We knew that even a good firewall isn't enough to stop a worm, so we began to analyze other routes such an infection might take. We quickly determined that our highest risk lay with laptop users.
We sent an e-mail to all laptop users and warned them not to connect to the corporate network without checking with the security team first. We also got an updated virus definition from our security software vendor, Santa Clara, Calif.-based Network Associates Inc., and began rolling that out. Fortunately, McAfee VirusScan doesn't require a system reboot on most installs. We could roll it out with minimal disruption and plan a more convenient time to install the Microsoft patch.
Our laptop users heeded our warning, and soon we were checking laptop firewall configurations and antivirus software signatures.
At this point, we felt proud of ourselves. We started thinking how foolish a big company like ours would be to allow itself to be hit by the Blaster worm. An easy patch, plenty of warning and a poorly written worm that could be blocked by the simplest of firewalls. How could you fail to stop it?
A few days later, we had our answer, as desktop after desktop lit up with virus-alert warnings for the Blaster worm and our intrusion-detection systems (IDS) went wild. Someone on the inside was spreading the worm.
We used our IDS to quickly isolate the source of the problem to one laptop user. While my colleagues frantically called the user to tell him to disconnect
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
