News

Gartner says budget for Sasser, other worms raising costs

• By John K. Waters
• May 10, 2004

Industry analyst firm Gartner's recent insight that widespread worms like Sasser are raising the cost of using Windows might deserve to be filed under 'Stating the Obvious.' Nevertheless, given the budgetary slant of the observation, it is probably well worth noting. Malicious exploitations of Windows vulnerabilities have become such a common occurrence that Gartner is advising its Windows-using customers to plan for them in their budgets.

In a recently published research note, Gartner analysts Mark Nicolett and John Pescatore conclude that 'many of the vulnerabilities that continue to be identified in Windows 2000, XP and Server 2003 are easily exploitable; attackers will continue to develop worms that will cause damage equal to, or more severe than, the system shutdowns and network congestion caused by the Slammer worm. Enterprises that are dependent on Windows systems must invest both in means to patch faster and in host-based intrusion prevention software for all Windows PCs and servers.'

The W32/Sasser worm began hitting Windows systems a week ago, infecting machines all over the world. By early this week, estimates of the level of infection ranged from hundreds of thousands to millions of systems. The worm took advantage of a flaw in a Windows security and authentication component. Microsoft disclosed the vulnerability on April 13 and released a patch to fix the problem on the same day.

Despite the announcement of the vulnerability and the publication of the patch nearly a month before the attacks, Sasser found its way into a number of corporate networks. These intrusions underscore the need for Windows-based organizations to set aside resources specifically for patch management, according to Gartner.

'Simply turning on the Windows automatic update feature is not enough,' the Gartner analysts said.

Beyond improved patch management, enterprise Windows users should budget for personal firewall, antivirus and behavior-based intrusion prevention software for all Windows PCs and servers, Gartner advises.

Companies that have already invested in configuration management and software distribution systems should 'expand these efforts to include expedited patching of all Windows PCs and servers,' the analysts recommend.

Even though Gartner believes that the market for host-based intrusion prevention software will not be mature until the end of 2005, the analysts write that 'enterprises must budget for, and procure, these products now to secure their critical Windows-based systems. The cost and availability of such protection should be included in all total cost of ownership calculations when alternatives to Windows servers and PCs are being evaluated.'

Microsoft last week said that more than 200 million users had downloaded the patch for the vulnerability exploited by Sasser. That number was up from an estimated 'tens of millions' of users who had downloaded the fix for the Blaster worm in an equal period last summer, a company spokesperson said.

The Microsoft patch is available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx. Microsoft is also providing a Sasser removal tool at http://www.microsoft.com/technet/Security/alerts/sasser.mspx.