Tuesday, 27 January 2009
Confickering the Internet
Quite a bit of buzz has formed around a remotely exploitable buffer overflow in the RPC Server service of all modern versions of Microsoft Windows (2000, 2003, XP, Vista, 2008 and pre-beta 7). This vulnerability is the root cause of a widespread worm, known as Conficker or Downadup, which exploits it to spread across Windows machines. This code has been a target time and time again for attackers seeking out remotely exploitable vulnerabilities in Microsoft systems.
As usual, the discussion in the community has been centered on the IT security response, often emphasizing identifying the worm on the network and cleaning infected machines. The justification for this emphasis is that now that Microsoft has found and fixed the bug, the biggest challenge is preventing unpatched machines from remaining or becoming infected. Clearly, this reactive approach is inadequate to protect users, roughly 10 million of whom are already infected with Conficker.
To draw a public health analogy, if Microsoft were better able to vaccinate its software against vulnerabilities like these from the outset, the patch/response cycle would become obsolete. Obviously, we cannot preemptively avoid every vulnerability; bugs in software are a fact of life. However, a strong software security assurance program that integrates security into software at every step in its development lifecycle can dramatically reduce the risk of serious vulnerabilities making their way into production software. Judicious application of the right security processes and technologies is the vaccine that will make worm outbreaks, like polio, a thing of the past. We've made a lot of progress over the last few years, but it's time for the security community and press to shift the balance and spend more time talking about prevention than about treatment.