Hospital ignores Sysadmins, disables Windows Update, pays the Price

Computer malware Conficker, otherwise known as DownadUp, is creating havoc across the Internet, but especially at Sheffield Teaching Hospitals. The malware exploits the MS08-067 vulnerability patched by Microsoft last October. MS08-067 fixes a vulnerability in the Server service that could allow remote code execution via a specially crafted RPC request. This vulnerability is particularly nasty because worms are quickly spreading over network shares. Security personnel have noted the worm infected more than nine million victims, based on an analysis of infected machines attempting to contact a changing network. Microsoft listed this vulnerability as critical and released the patch last October. The patch was made available through Windows Update. Unfortunately, sysadmins are disabling Windows Update and helping build the largest botnet on record. Based on vulnerability scans of several hundred thousand Windows computers, security vendor Qualys said about 30 per cent of computers have yet to apply the patch.

Disabling Windows Update was the choice Sheffield Teaching Hospitals made. More than 800 computers have been infected with self-replicating Conficker code, and non-urgent appointments in the medical imaging department had to be cancelled. A spokeswoman said no other direct impact on patient care was known. The decision to disable automatic security updates was taken during Christmas week after computers in an operating room rebooted during surgery. The IT Change Advisory Board decided to prevent further disruption to patient care by disabling Windows Update across the entire network instead of only in areas where reboots could cause a problem. Conficker was detected on December 29, and they have been battling it ever since.

One source close had this to say: “Don’t you just hate it when your boss is so computer illiterate yet has the power to veto the simplest of ideas to catastrophic end?”

Even if the boss is computer illiterate, the security policy at the hospital should have been enforced. Until late December, Sheffield Teaching Hospitals had a policy in place that would apply security updates across its network a few weeks after the patch release, and enforce a reboot.

In response to widespread attacks, computer-illiterate bosses, and employees who ignore security policies, Microsoft has added routines to clean up Conficker infections to the January edition of its Malicious Software Removal Tool. But you will only get it if you allow Windows Updates. :)