A fast-spreading worm named Sasser hit the computer world last week — focusing more attention on MS04-011, a bug-ridden Microsoft security patch that was designed to halt such threats.
I wrote in the Apr. 22 issue of the paid version of Brian’s Buzz that MS04-011 (KB 835732), released on Apr. 13, had significant compatibility problems that I’d been able to confirm independently of Microsoft.
These issues were serious enough that I said at that time, “I recommend that you examine the workarounds in the Vulnerability Details section of the MS04-011 bulletin to see if they would be sufficient to protect your particular hardware/software configuration without installation of the update itself.”
The workarounds described in MS04-011 to shut the security hole that Sasser exploits, a flaw in the Local Security Authority Subsystem Service (LSASS), do in fact prevent you from being infected by Sasser. One workaround in particular that Microsoft describes — turn on a firewall — is something that all PC users should already have in place, and that most corporate networks put in place long ago.
Despite that fact, Sasser hit some companies hard. Because of PCs that were snared by the worm, British Airways had to make flight-plan charts by hand for 20 flights on Tuesday, for example, and one-third of Taiwan’s post office branches were infected, according to an Associated Press article.
Simple steps would have repulsed Sasser
Eric Schultze, the chief security architect for patch-management firm Shavlik Technologies in White Bear Lake, Minn., explains that Sasser is primarily interested in spreading itself. “It’ll first exploit your system through File & Print Sharing. Once it gets in, it starts opening up other ports to help it propagate to other systems.” Schultze says any of the following would have prevented PCs from being infected with Sasser: