Study: Unpatched PCs compromised in 20 minutes (link)

Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.

According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.

The Internet Storm Center, which is part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet Protocol addresses and timing the frequency of reports received there.

"If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center, which provides research and education on security issues, said in a statement.

The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats.

Scott Conti, network operations manager for the University of Massachusetts at Amherst, said he finds the center's data believeable.

"It's a tough problem, and it's getting tougher," Conti said.

One of Conti's administrators tested the center's data recently by placing two unpatched computers on the network. Both were compromised within 20 minutes, he said.

The school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date.

"We are giving the people the ability to remediate before connecting to the network," Conti said.

The center also said in its analysis that the time it takes for a computer to be compromised will vary widely from network to network.

If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch.

"On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots," the group stated. "If you are connected to such a network, your 'survival time' will be much smaller."

In a guide to patching a new Windows system, the Internet Storm Center recommends that users turn off Windows file sharing and enable the Internet Connection Firewall. Microsoft's latest security update, Windows XP Service Pack 2, will set such a configuration, but users will have to go online to get the update, opening themselves up to attack.

One problem, experts say, is network administrators' reliance on patching and their assumption that users will quickly patch systems.

Speaking recently at the Microsoft TechEd developer conference in Amsterdam, Microsoft security consultant Fred Baumhardt said the day is likely to come when a virus or worm brings down everything.

"Nobody will have time to detect it," he said. "Nobody will have time to issue patches or virus definitions and get them out there. This shows that patch management is not the be-all and end-all."

Baumhardt stressed the importance of adaptability, using the human immune system as an example: "Imagine if your body said, 'Hmm, I have the flu. I've never had this before, so I'll die.' But that doesn't happen: Your body raises its temperature and so on, to buy time while other mechanisms kick in."

"If the human body did patch management the way (companies do), we'd all be dead."

Matt Loney of ZDNet UK reported from London.

I don't know about XP, but 2000 and 98 you would be open for attack DURING INSTALLATION.

It's insane.  Anyone that has a high-speed connection that isn't using a hardware firewall is just asking to get owned.  Problem is that people like that usually don't have a clue and their zombied box ends up spewing shit all over the Net in the process.

20 minutes seems too long
Sony customers I had to deal with would get the blaster worm in 5 with high speed and 15 with dialup

I had a computer get compromised in about a minute earlier this year.

Anything on an open connection that doesn't have the latest Windows updates will be fucked quicker than you can get online.

Yeah, the IT guys at the last place I worked at found this to be true a few times!  

I've never had a problem.  Just real lucky I guess.  Did two fresh installs this past spring, and they both came out fine.  Personally, I have so much security it's probably too much, but I'd rather be safe.  The one computer I built for my friend was setup with polices and open services shut down for these reasons, however, he still hasn't installed a firewall or antivirus program like I told him.  On DSL, I have know idea how he's managed to stay afloat.  I think I even put the free Zone Alarm on for him until he could get something, but he took it off

Quoted: I don't know about XP, but 2000 and 98 you would be open for attack DURING INSTALLATION. It's insane.  Anyone that has a high-speed connection that isn't using a hardware firewall is just asking to get owned.  Problem is that people like that usually don't have a clue and their zombied box ends up spewing shit all over the Net in the process.

I have a hard time believing that. I always had to do some work to setup my cable modem connnection with Windows 98. You have to install the proper protocols, or there's nothing for your computer to use to communicate with the rest of the internet.

Quoted: Quoted: I don't know about XP, but 2000 and 98 you would be open for attack DURING INSTALLATION. It's insane.  Anyone that has a high-speed connection that isn't using a hardware firewall is just asking to get owned.  Problem is that people like that usually don't have a clue and their zombied box ends up spewing shit all over the Net in the process. I have a hard time believing that. I always had to do some work to setup my cable modem connnection with Windows 98. You have to install the proper protocols, or there's nothing for your computer to use to communicate with the rest of the internet.

I think he means after you setup your TCP/IP connection.  Specially considering most people don't know how to do it without vulnerabilities.

i will go patch mine now

McAfee antivirus: check
Linksys router with hardware firewall: check

I'm feeling pretty secure here.  My computer does things that I don't really understand, but it works out ok in the end.
Ya see, the router won't let most of my games, Itunes, or even McAfee access the internet.  I tried to setup the ports and such, it just never worked.  I don't know why.  So now, if I get a new program that needs to access the net, I'll startup Zonealarm, then start up my new program.  In the case of Americas Army, I tell Zonealarm that AA can access the net anytime it wants.  From then on, I never have to start Zonealarm again, but AA can get past the firewall.  Oh, I forgot to mention that Zonealarm somehow bypasses my firewall.  I don't understand it, but whenever Linksys blocks something, I start up ZA and it'll get through after I tell ZA to let it.  I'm pretty sure that ZA just has some hidden program that actually starts whether it shows it or not.  I don't like the fact that it does that, but it works out well in the end.

J