Monday, April 26, 2010

Some Large Website Please Do This Study

There was an Internet-scale blackout last week. No, it wasn't caused by a worm, but instead a buggy virus signature in McAfee products that disabled svchost.exe in WinXP SP3. The effect was the same as a worm; hundreds of thousands, if not millions, of machines were affected.

We don't yet know the scale of this event, but there is an easy way to find out: User-Agent strings at popular websites. There should be a dip in WinXP systems accessing websites compared to other systems (because disabling svchost.exe crashes the system, and it cannot be rebooted until the file is restored through a complicated manual process). Popular websites can measure that dip in order to figure out how many systems were affected by the buggy virus signature.

The popular web-browsers (IE, Firefox, Safari, Firefox) put the operating system version in the User-Agent string. This is always “Windows NT 5.1” for WinXP. The previous version, Windows 2000 is “Windows NT 5.0”, and the following version, Windows Vista, is “Windows NT 6.0”.

Huge websites like Google log the User-Agent strings. They can easily create a report of the relative popularity of WinXP for each day. The relative number of WinXP machines will drop. A large enough website should be able to figure out precisely how big that drop was, and therefore, a good estimate of the number of machines affected by the bug.

McAfee originally claimed that the bug was minor, and only affecting less than 1% of their enterprise customers. They had to latter amend this, and admit that more were affected, but they still downplayed the severity of the bug.

I don't believe them. The bug disabled ALL machines running WinXP SP3, which is by far the most popular operating system in enterprises. Even if an enterprise has mostly transitioned to something like Windows 7, they will still have a lot of machines running WinXP SP3. I would guess that virtually all large enterprise customers of McAfee were affected to at least some extent, and that many were completely disabled for the day.

An independent study can confirm my suspicion. Please, if anybody works for a large web-site, please do this study. Or, if you don't have the resources, I'll come in an do it (I'll sign all appropriate NDAs and such). I really want to know the answer.

1 comment:

Steve McChortle said...

Where do you want replies sent?