Security time bomb is triggered by 'rogue laptops'

Munir Kotadia, ZDNet.co.uk

Published: 04 Jun 2004 18:00 BST

Unpatched notebook PCs are a weak link in enterprise security arrangements, experts warned on Friday.

Most enterprises have a significant number of desktop PCs that are vulnerable to an attack from the numerous worms and viruses that already exist on the open Internet; but these machines are protected, temporarily, by the corporate firewall.

The LSASS vulnerability, which Microsoft patched in April, is still causing a nuisance because there are so many unpatched computers connected to the Internet. Many of these machines are behind a corporate firewall and have so far escaped infection, but security experts say they represent a security time bomb that could be set off by an infected laptop connecting to the internal network.

Mikko Hyppönen, director of antivirus research at F-Secure, said the popularity of the Korgo worm, which takes advantage of the LSASS vulnerability in Microsoft Windows -- the same vulnerability exploited by the Sasser worm -- shows that there must be a lot of computers that have not been updated.

"There are lots of unpatched machines in internal networks that could remain unpatched for years. They are not affected by the initial outbreak because corporate firewalls are protecting them. But eventually, someone brings in a laptop that has been infected and the worm gains access to the closed network," Hyppönen said.

Patrick Hinojosa, chief technical officer at antivirus firm Panda Software, agreed this was a big problem. He said "rogue laptops", which are used by people who are rarely in the office, are usually patched late and can easily bypass the perimeter security measures.

"One problem is that most IT departments do not have centralised control over security on rogue laptops -- they are used by someone that is on the road and are the last computers to get patched by the IT department," Hinojosa said.

Hinojosa said that when one of these rogue computers releases a worm onto the internal network, it spreads very quickly.

"If it is a network-aware worm -- like MSBlast or Sasser -- the speed at which it can go through the subnet is incredible. This is a big problem," Hinojosa said.

F-Secure's Hyppönen said that another factor causing problems is when brand new computers are introduced to the network.

"People buy a new computer that has Windows pre-installed but does not have the most recent patches, so they plug it in and it gets infected. We still see the MSBlast worm popping up, even though it was found last August," Hyppönen said.
