Slammer Worm Slams Microsofts Own
MondoMor writes "Microsoft forgot to patch some of its own servers to protect them from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."
damn
i would've beat you if MS SQL wasn't slowing me down
And I just thought the whole internet had been slashdotted! Who would have even imagined another design flaw in an MS product.
At my office, we weren't vulnerable because we /didn't/ upgrade. We were still running SQL 7.. Just goes to show you...
I am so happy Microsoft got a taste of the problems that their own buggy software has...I wonder how many times this will have to happen to them until they get the picture.
"That vulnerability is completely theor...oh shit!"
Relying on a vendors automatic update feature is no substitute for solid system administration.
Oh the irony in this. Microsoft always insists you update your patches, but for some reason they don't. Oh well, this could be a good thing for network administrators as at the end it stated they were going to work on a new way to install patches.. Or that's what it looked like they said to me.
I'm glad to say that my servers were unaffected. Slapper does not affect AS/400 nor Linux.
"History doesn't repeat itself, but it does rhyme." Mark Twain
How can they expect customers to download and apply patches every other day when they can't seem to patch their own stuff in six months?
...says that patch management in Microsoft operating systems gets 100% better in 1 year :P
Don't believe anything I say. I crash test crack pipes for a living.
At my company our corporate email was down for a day, our phone systems didn't work, and the dns servers were up and down.
Just goes to show that no matter who you are, you shouldn't use MS SQL.
but hey, to each their own...
As one of the articles I read on the issue stated, it really does show that their policy of blaming the users for not patching their systems perhaps isn't the best approach to take. It is in fact blaming the victim for the software's flaws. Maybe this will turn microsoft more towards making sure their products are more secure from the start if this info gets around enough. Yes, I know Billg's "Trusted Computing" plan is rather new, but they sure seem to get caught with their pants down often.
today is spelling optional day.
It kind of makes you wish someone gets fired over this. Not just forgetting to patch the servers at MS, but all of the servers that choked the internet to a crawl. But I wouldn't wish that on anyone right now. Talk about a tough job market.
Perhaps a new Mod for this article:
Score:-5,Surprising
It's not like Microsoft has been all that great about protecting their own servers in the past...
Was this one classified as 'critical' a few months back when they made the patch?
Or was it one of their.."nah, this will never...oh boy.." Patches?
Larry Ellison is cackling like a little girl........
(found on another forum) 01/25/2003 1:04:37 PM
"MSN was total messed up, I couldn't even log on to the net last night it said that my user name and passworded was invalid so I call them up and the tech guy says wow that's weird I can't ether."
-- Boycott Shell
If even Microsoft, who has so much money they have to start paying a dividend just to get rid of some, can't seem to hire enough people to keep up with all their God damned patches, how do they expect companies that are slashing their IT staff/budgets in this shit-sandwich economy to do so?
Very telling indeed.
The article I read (on yahoo) states the unpatched servers were all on the internal network, not the internet, and that they were in use by researchers within microsoft.
Let's not jump too quickly on the bash microsoft bandwagon for that. (Of course, if they just did enough testing and didn't release buggy, vulnerable software in the first place...)
Who the hell has their SQL server on the public side of their firewall? These things shouldn't be directly accessible to any worm.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This story has a delicious sense of irony. I give it an enthusiastic "2 Thumbs Up."
This story supposes that Microsoft should somehow be a paragon of network infrastructure. It's clear from past events that MS is among the lamer of companies when it comes to infrastructure/security. Take, for example, the time DNS for just about the entire collection of MS domains, such as msdn.com and microsoft.com, was completely disabled by an attacker. They had all four of their nameservers on the same subnet, and all running Microsoft DNS software. An easy target to say the least. Calling this sophomoric is being kind. It didn't take them long to fix it, and I believe that now they contract out their DNS to get maximum diversity (and they even utilize Unix nameservers!).
I fully expect to see more entertaining stories like this for a long time to come.
Windows just isn't as securable as Unixes ... this just goes to show that. MS HAD THE SOURCE, and weren't able to secure themselves against this.
While it's probably true that Windows is not as securable as Unix, this is in fact no indication of that at all. The fact is there was a patch that fixed the problem and thus this problem IS securable. It's not that they weren't ABLE to secure themselves, they just had people who DIDN'T.
What's really ironic is that I'm finally reading this story after half an hour of unsuccessfully trying to access /..
What just happened? Did /. just get slashdotted?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
It's propaganda spin, every time there's a major MS exploit they get it too. Phuuuu leeeezzz.
In reality, admins running enterprise systems must remember to check what the patch fixes and weigh it against known issues it may cause. In Microsoft's case, their admins would be sure to know the service release is out. My guess is compatibility testing indicated they should wait for a future patch, or until they changed something in their setup that would make any problems from the patch a non-issue.
www.atacomm.com - The Leader in VoIP Product Distributi
How many times have you, on a Win2k server clicked the check box labeled "Remind me in four hours" and waited for the next shift to patch the box?
Oh joy, the pleasures of having an automated "Patch-me-now" daemon.
Lazy admin, nonetheless.
"We can't fix this and you'll have to wait because iptraf is just oh-so-hard to use!"
Oh, right. They don't have that on Windows, do they?
I'd rather be reimbursed in cash than have him even come near me. Really, would you enjoy him on you? Secondly, just how does one make a funny comment on this thread when the story itself contains the greatest humor?
i think you mean Slawbot.
Story also here[cnn.com] on CNN.
Well, the door was open...
Windows just isn't as securable as Unixes ... this just goes to show that.
Oh, yes, of course! The Internet could never be effectively shut down for days by a UNIX-based worm!
I wonder how long it will be before companies that are hit hard by this will start terminating those responsible. Now, obviously part of the blame goes to the one responsible for the infected machine, and part of the blame goes to the software maker (Microsoft in this instance).
This, like most other large-scale worm or virus infections, was completely preventable. So many machines are infected due to 1) lazy admins, 2) admins who are asked to do too much and didn't have time to patch all systems regularly (possibly because of staff cuts), and 3) Complete idiots who don't know any better and shouldn't have their job in the first place.
This particular worm largely ignored home and personal computers, due to the product it infects. However, I think a lot of companies sit back and say, "Well, I sure am glad that we have Tom to get this all fixed for us... without him, what would we do?"
That is the problem. Those in charge need to understand that it is both Microsoft's and the admins' fault for things like this to occur. It rarely "just happens" and most large-scale attacks were preventable by a month, or even a year before the vulnerability was exploited.
Eventually, I hope this leads to a shakeout of all the poor admins, or the managers who place too much workload on their admins so that they do not have time to do it right.
If you had nuts on your chin, would they be chin nuts?
I have just one word to say *cough* PostgreSQL *cough*. Too bad Microsoft employees aren't allowed to use the right tool for the purpose and are instead forced to eat their own dog food. That policy sounds exactly like the no commercial software at all policies that some governments are contemplating.
Man, that's just funny...
Not following sensible IT management practices.
On Monday, I was talking with a friend who works in IT for a major insurance company:
"Were you affected by the SQL worm?"
"No. Blocked a lot of traffic at the firewall, that's all."
The hidden costs of owning a Microsoft product.
A patch a day, virus protection, outages, blue screens of death, an army of softies running around, licensing, forced upgrades, that will get you back to square one, as far as security is concerned. No end to the money you will bleed for the enjoyment of having a notepad.
Go IBM and grid - the most bang for the buck, no hidden costs, and no security nightmares every night.
God knows why, but our company had an NT box running MS-SQL outside the Unix firewall.
It got nailed and then apparently had privileges to come in and nail the rest...
Took us out for 12 hours. We are talking significant production loss here. I'm just thanking my lucky stars that I have nothing to do with our NT setup.
I snicker and do my little dance quietly in my cube.
With the exploits going around recently I've realized a couple of things when it comes to security.
First and foremost is secure code. Right now, almost everyone and their grandmother has a firewall. They do a good job of protecting ports a user can't shutdown totally (some NetBIOS ports) and protecting insecure applications a user or organization wants to run internally but doesn't want the world to access (NFS, NIS, etc). The majority of these exploits target applications that firewalls will usually let past such as HTTP, FTP and e-mail.
Frankly I'm not sure how coders should go about writing secure applications, but it needs to be done. Perhaps at large organizations there should be a dedicated person or team in charge of verifying code is clear of buffer overflows and other nasties. Either way, the code itself needs to be secure, because a firewall won't do a thing. Without it even the most secure configurations will continue to be cracked.
Second is firewall configuration. Many firewall administrators tend to forget about outbound packets. Obviously there are some they need to let out (HTTP, FTP) but when it comes to things like SQL and outbound portmap, there's really no reason. Depending on the organization's needs they can more than likely block all outgoing UDP. By doing this they can help slow the spread of worms (such as this one) and reduce liability when it comes to crackers using their systems as a point to attack other systems.
Firewalls that block incoming packets just don't cut it, and never have. We need to have secure code and need to block unnecessary outbound packets as well.
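The egress-filtering point above, as an added example that is not from this thread or any poster: a default-deny outbound policy evaluated over constructed flow records, plus a check that shows why it matters by spotting one inside host spraying UDP/1434 (the SQL Server Resolution Service port Slammer used, a fact supplied here, not stated in the thread). Address ranges, resolver address, allow-list and log format are all assumptions.

```python
"""Egress-filter check over constructed flow records (added example).

Models the post's advice: let out only the outbound traffic you need,
block SQL/portmap/other UDP, and watch what your own hosts emit.
All addresses, ports and log lines are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed corporate range
RESOLVERS = {"198.51.100.53"}                  # assumed upstream DNS resolver
ALLOWED_TCP_OUT = {21, 80, 443}                # what the post says must get out (FTP, HTTP)


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse 'ts proto src:sport -> dst:dport' (constructed log format)."""
    ts, proto, src, _arrow, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(int(ts), proto.lower(), s_ip, int(s_port), d_ip, int(d_port))


def is_outbound(f: Flow) -> bool:
    return ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL


def egress_verdict(f: Flow) -> str:
    """Default-deny egress policy in the spirit of the post: TCP out only on a
    short allow-list; UDP out only DNS to the configured resolvers."""
    if not is_outbound(f):
        return "n/a"                     # inbound or internal: not this policy's job
    if f.proto == "tcp":
        return "allow" if f.dport in ALLOWED_TCP_OUT else "deny"
    if f.proto == "udp":
        return "allow" if (f.dport == 53 and f.dst in RESOLVERS) else "deny"
    return "deny"


def scanning_hosts(flows, port=1434, window=5, threshold=20):
    """Return {internal host: distinct external targets} for hosts that hit
    at least `threshold` distinct destinations on UDP/`port` within any
    `window`-second span: the shape of a single-packet worm spraying
    random addresses, which egress filtering would have dropped."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dport == port and is_outbound(f):
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[src] = len(seen)
                break
    return hits


def sample_log():
    """Constructed flow log: ordinary web/DNS traffic, one stray portmap
    packet, one inbound connection, and one infected host."""
    lines = [
        "0 tcp 10.1.2.3:51000 -> 203.0.113.10:80",
        "1 udp 10.1.2.3:51001 -> 198.51.100.53:53",
        "2 tcp 10.1.2.4:51002 -> 203.0.113.11:443",
        "3 udp 10.1.2.4:51003 -> 203.0.113.12:111",      # outbound portmap: deny
        "4 tcp 203.0.113.99:4444 -> 10.1.2.5:1433",       # inbound: not egress policy
    ]
    # infected host sprays UDP/1434 at 30 external addresses within two seconds
    for i in range(30):
        lines.append(f"{5 + i // 15} udp 10.1.2.7:{40000 + i} -> 192.0.2.{i + 1}:1434")
    return lines


def run(lines=None):
    """Apply the policy and the burst check; returns counts for inspection."""
    flows = [parse_flow(line) for line in (lines or sample_log())]
    denied = sum(1 for f in flows if egress_verdict(f) == "deny")
    return {"denied": denied, "scanners": scanning_hosts(flows)}


if __name__ == "__main__":
    print(run())
```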
Wrong conclusion. It means they bought cheap dime-a-dozen MCSEs, not dedicated administrators that know and care about what they are doing. Sure the latter cost a little more, but it's worth it.
I have a funny feeling companies are going to start using mySQL and hire a more competent admin with the money saved.
Was the Slapper worm developed by a disgruntled Microsoft employee, and unleashed from within Microsoft?
Unless there is something I don't understand about this worm, my question is where are the firewalls. There are VERY few reasons to have an SQL database server open and available to users on the internet. The Code Red worm operated on port 80 and so firewalls were not as much an issue, but the ports that the SQL server uses should not even be available directly to outside parties from the internet.
Any company that was affected by this, chances are the first breakdown in security wasn't patching, but in your firewall rule set.
From the article:
"Publicly, they are saying it's not our fault, because you should have patched. But Microsoft's own actions show that you can't reasonably expect people to be able to keep up with patches."
What he really means is that you need a better patch system. SQL server patches, and many others, are not covered by Windows Update.
Why not?
I just love these lines:
"Seems like every time I install a system patch, something else goes wrong with my system," said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won't patch for many months, because they don't trust Microsoft to fix the problem without breaking some other function of the software.
"In most cases, I'm better off just playing Russian roulette with the hackers until our servers are broken into," he said.
another place where Unices have MS beat?
Yep.
I love the way the article makes security + patching seem such a burden on system administrators. It's one of the main functions of a sysadmin's job. Any sysadmin who thinks security patches are optional, regardless of how shitty your OS's package management + patch integration is, deserves to have their network taken down and their ass fired.
Though I do get a kick out of thinking of the nightmare the Windows admins have keeping up to date with patches, whereas a few hundred lines of perl, and I have my own automated patching system, and RPM keeps track of it ( no rpm vs. deb flames, thank you ).
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
n/t
....of a horrific accident in Redmond, WA, in which the ever popular and much loved Slammer worm has become infected by a particularly pernicious dose of Windosis. A round-the-clock vigil has been in progress since Saturday, and the nation's top experts have been called in to try to save Slammer. "17'5 700 34rLy 700 54y 1f w3 c4n 54v3 h1m" said pUrPle_rONniE, a pasty looking spokesman for the uninstall SWAT team. "w3 0wnz y00". This is only the 200,502,738th reported case of Windosis since 1982. The Department of Justice has yet to seal off the area to prevent further contamination.
Modest doubt is called the beacon of the wise. - William Shakespeare
With shared source their policy was "your code is our code and my code is my code".
With patches, seems to be "do what I say and not what I do"
Maybe they were using a pirated copy of XP and they couldn't upgrade :)
Now wouldn't that be ironic???
I hereby moderate you -1 clueless
Clearly Microsoft has a serious problem communicating the need to apply certain patches.
... a company serious about security would have a consistent and documented way for finding the version information of their software.
Of course, it's the customers fault.
When the original story came out I couldn't count the number of posts pointing out that the patch was released a while ago for this problem while totally discounting the fact that most of the world fell prey to it.
Redhat, for instance, boldly displays all the security problems AND patches on a single page for its products.
Want to find a list of needed patches for a Microsoft product? Hope you have a few days for searching the endless volumes of technet or msdn-- hope you find everything.
Want to know the patch level for your Microsoft software? Have fun, it's randomly displayed somewhere in the product... maybe in the about box... maybe just a file version
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
My rejected submission -- more details, but a bit long. The big news in my mind was not the Microsoft bit--it was that ATM machines were unavailable because of the worm.
;-) )
~~~
The worm that slowed the internet to a crawl over the weekend apparently did more damage than most originally believed. On Monday, many companies were still struggling to clean up. Financial companies and airlines seemed to be hit most acutely. Many web sites that manage payments and check loans were inaccessible. Inexplicably--and really inexcusably--some ATMs were also unavailable. Investigators are also struggling to pinpoint the worm's starting point, but are having little success because it took off so fast.
Apparently similar code was released by David Litchfield of NGS Software Inc a few months ago. Virus "author," "Lion" credited Litchfield's code.
The Washington Post has an AP story up as well as this, which is older but has some additional details. The kicker to all this--the worm hit one year after Microsoft launched its "Trustworthy Computing." That and even some of Microsoft's own computers were hit (NYT Reg. Req.).
(Yep, still bitter
So close and yet so far from the world's perfect ID number
Considering the lack of integrity and the willingness of MS to be illegal, I wish that they would do something interesting for once.
They could easily release a worm that patches all the old openings. They could even have to handle their own boxes considering that their admins seem to be incapable of staying up with patches as well. It could be released overseas so that it was undetectable or they could simply pay the current admin to look the other way again.
I prefer the "u" in honour as it seems to be missing these days.
it would appear that the worm has brought down M$ Winbblows update site :-) :-)
http://www.DaveNet.biz/
"Yes, I know Billg's "Trusted Computing" plan is rather new, but they sure seem to get caught with their pants down often."
Uhhh! Now there's some visual imagery I didn't need.
I agree, I am sure MS had policies in place to keep all public-facing servers fairly up2date. One thing that I found to be true is when the article mentioned that a lot of the developers internally had installed SQL or MSDE on their workstations. I know that when our company got Code Red / Nimda, it was the developers' workstations with IIS that were propagating it to the rest of the network.
Just goes to show that people who are paid to be technically apt can be just as much of a crutch as regular users.
Ha ha
Well, that is already one reason to push software companies to make patches for security vulnerabilities - and make them in time: the security of their own network. They need the patches themselves too.
The longer it takes Microsoft to produce security patches, the longer they are vulnerable themselves. Kinda sweet justice...
(Yes I know there are patches for _this_ vulnerability, but it clearly shows Microsoft itself can get bitten by their own bugs)
"Provided by the management for your protection."
Just goes to show that no matter who you are, you'd better keep your apps patched.
No, it shows rather that no matter who you are, you should not use Microsoft's server and database solutions.
Sigged!
I've been hearing a lot of this and that and I was hoping to get the straight dope.
I've read that the patch before this thing went big was a bitch. Basically it was a lot of manual this and that updating and rebooting. Basically this meant a lot of people couldn't get approval from management to patch the server.
Some have said they applied the patch and still were vulnerable.
Some have said the patch fucked their server.
Also, I think I read that the cumulative SQL server patch that was supposed to be out a long time ago finally came out as soon as this worm hit.
Since I do NOTHING with SQL servers, I don't keep up on this. But I do have to answer to security questions and general FUD so, for those in the know -- what's true and what's not?
The ultimate network admin tool needs HELP!
Old women cackle.
Little girls giggle.
Which image are you going for?
"As God is my witness, I thought turkeys could fly." A. Carlson
The real issue here is... M$ is known for buggy code. Now this results in them founding several update apps, like unto Windows Update, where one can get the patches, as the bugs are fixed. Buggy code, sadly, is a part of life... They just make more than the average development group. Furthermore, the root of why a virus like this can cause such devastation is that... A: they are -slow- in getting patches out, often there is an exploit already in widespread use (by script kiddies mostly) before a patch is out. And B: Lazy admins, who don't care to be updating their crap every time they turn around. So... what you effectively get... is a patching system, for a higher level of bugs... that is -way- too slow to be effective at stopping outbreaks. It's like a vaccine that works, just... too slow to save the patient before the virus kills him.
Microft
-Beware of he who would deny you access to information, for in his heart, he dreams himself your master.
A default installation of MS SQL Server 2000 does this.
.NET to do:
How do I get it where I can still connect via localhost, but ignore anything external to my machine?
Will it still work in
"Server=MYPC;Database=testdb;User ID=myuserid;Password=mypassword"
and still connect. I can not use trusted_connections, so I have to explicitly use user id and password.
In the immortal words of Nelson from the Simpsons, I repeat. Ha Ha.
M$ has never had good admins, probably never will. Just like they can't be bothered testing their software. Why when they have a few million people they have suckered into paying THEM to be their beta testers.
I work for a major bank, and the only work we tried to do yesterday was check out these patches to make sure they were safe to install on our servers. Mind you, YESTERDAY, not 6 months ago. Guess what, no luck getting them to work on our NT boxen. Waiting now on a "custom" patch from M$, which they will have a hard time getting to us if their network is in the same state as ours right now.
The whole network was down yesterday. Completely. Still mostly out today. I think M$, and these so-called admins all need to have their MCSEs shoved up their *sses.
Well..sort of. SQL Server 2000 SP3, which fixes this problem, comes in a self-extracting exe which asks you for the target directory. You then go to that target directory and run setup.bat: The installer automatically shuts down SQL Server for the initial part, installs the patches (you copy over absolutely no dlls or binaries), restarts SQL Server for the final part where it then runs the update SQL scripts. It really is a trivial process. As far as backing up your data you should be doing that regularly anyways. This process is the same for MSDE installations.
I don't know where this myth of hyper-complex SQL Server updates came from. Admittedly it is a bit more complex if you have multiple instances, but generally that goes along with more advanced administrators anyways.
This was a lot funnier knowing that it was a reply to a 'first post' post (which seems to have disappeared now). :)
I guess next time I'll remember to quote the post I'm replying to.
Does anyone know about a webpage that is collecting the admin flaws Microsoft did with their own products?
:)
The DNS problem some years ago came to my mind.
Code Red/Nimda is another one.
SQL Slammer now.
Or better: Is there any page, that lists vendors which can not properly install their own products on the web?
Else we should create one
As an aside, the instructions are in a readme.rtf file, even though they are actually just plain unformatted ASCII text pasted into Word. Who in their right minds would have Office 2000 installed on their SQL server? Or is this supposed to be standard practice? Gee, I guess I should also look into putting OpenOffice on my Linux firewall.
Here are some quotes from Microsoft's instructions.
OK, but there is also a Microsoft SQL Server\80\Tools\Binn\ directory. What about this one?
ssnetlib.dll "files"? Why plural? I only found one in the path they seem to reference, but actually there was another one in Microsoft SQL Server\80\Tools\Binn\. However there was no ssnetlib.pdb in the main path nor was there even a directory Microsoft SQL Server\80\Tools\Binn\dll.
Again, how can there be ssnetlib.dll "files"? What are they talking about? Also, earlier the (non-existent) ssnetlib.pdb file was supposed to be backed up from the Dll folder, now we put the new one into the Exe folder?
OK, so I unleash Slammer on my network to make sure the problem is fixed? (And how would you test it before Slammer was officially released?)
(NB: some of the above may not be completely accurate, being based on old scribbly notes jotted down in the midst of confusion. However the quotes are direct from readme.rtf.)
I know, I know... there are going to be tons of posts lambasting admins for not updating their boxes. Sometimes the cure is worse than the disease. Hell, last week a live update caused a catastrophic failure to the email systems. The IS boys were not lazy, did what they should, and lost 36 hours of their lives rebuilding the boxes from tape because of a bad patch.
Patches that fix something specific are fine. Patches that add new features or change API behavior can really make a mess. I've seen plenty of kit that requires xx service pack and the latest yy version breaks it.
As a side note, make sure you get the patch if you are running the MSDE on any of your boxes.... Same problem as SQL server - way too many vendors will fold that one into a dev version of a product. I know I almost found out the hard way...
+++ UGUCAUCGUAUUUCU
Agile Business: 1. Organization quick enough to apply Microsoft security patches before virii and worms attack.
There are quite a few "porous" holes that get into Microsofts internal networks. None of them are direct and without something like this worm that uses their own software, none are likely to allow much in.
I've worked in some of the Microsoft data centers and done design work... I know how hard they (just like many of my other non-Microsoft customers) try to keep people "out" of these networks. But I've seen development projects go on the "soft" network and then get forgotten about. It's machines like these that probably provided the bridge back into MS.
It happens. Regardless of the company. Just some get more publicity than others. You think BofA didn't have firewalls? And yet they went offline for what... half a day or more?
... You'd be better off moving to Linux on your critical enterprise servers.
;)
I don't think MySQL is susceptible to this worm...
---
If God had wanted you to go around nude, He would have given you bigger hands.
Patching looks like this:
...
SQL 7
SQL 7 + patch
SQL 7 + patch + patch
SQL 7 + patch + patch + patch
SQL 8
SQL 8 + patch
SQL 8 + patch + patch
Microsoft always seems to box the wrong product. Microsoft should sell "SQL 7 + patch + patch + patch" as a boxed product, and release patches to jump to unpatched SQL 8 if people desire.
They're rebuilding the users. At least, that's what zoo says. Try viewing your friends - that's how I got the news.
Keep your packets off my GNU/Girlfriend!
You run that on a redundant system that you move to live after it has been tested, right?
thank God the internet isn't a human right.
I'm not talking about Service Packs... but hotfixes, like the one for MS02-056. Of course, they provide an additional tool to help automate the install process of hotfixes (here) that make it a bit easier. But before that was available, take a look at the previous cumulative patches for SQL Server 2000 and read the readme file for the install process. Not as easy as installing a Service Pack, no?
Well this episode shows that you can drag the camel to the well but you can't make them drink the water.
Now Microsoft is in an awkward position. They claim it's not their fault: admins should have noticed the original security advisory and patched their machines. But how do they expect 3rd parties to keep up and pay attention when their own internal resources don't?
For a full time system admin that is paid to do nothing but maintain the servers, following the advisory and patching escapades is their job. However a developer working on a piece of software that requires MS-SQL Server doesn't have the time nor the energy to. Reading the patch it sounds like it isn't exactly a "click-and-go" process and is a little scary. To a developer I'm not so sure it's short-sightedness. I spend a lot of time working on product, not following security advisories, nor do I spend a lot of time applying complex or risky patches. To a developer the risk of having an unpatched, internal usage machine is much much much less than breaking the environment and screwing up your work schedule.
Harping on admins that got caught is one thing. Harping on developers to follow and apply every patch is futile. So futile that not even Microsoft themselves internally would try.
http://www.pcmag.com/article2/0,4149,848930,00.asp
off topic, but on WAMU FM 88.5 in Washington, DC, there is an interview with Kevin Mitnick. You can listen live.
... about the patch model of updates being an unviable solution. I see two logical outcomes from this: in the perfect world, this would be seen as a call to do more extensive testing (including hiring your own personal crackers & skr1pt k1dd13s to try to break your products several months before release). However, what this will probably mean is that there'll be a push for continuous automagic updates. Quite frankly, I find that latter option... frightening to say the least. Let MS (or any other company for that matter) upload patches willy nilly to my system (patches which have traditionally, in MS's case, broken as many things as they've fixed)? I don't think so, especially if they're going to pull their license switch tricks again.
I'm more curious as to why this worm is as much of a problem as it appears to be. Surely a properly designed firewall would have stopped this thing? If so, why wasn't it done? Are sysadmins really that overworked / busy with more important problems / lazy / inept? Or am I missing a bigger problem here?
How the hell do you think the worm got into the internal network?
They release fixes that people have been so conditioned to avoid that they even do so themselves. It hardly seems to be a fix if nobody will touch it with a ten foot pole.
No one's laid blame on it, but I think that the real way to get rid of these worms is to transition the net to IPv6. Slammer, Code Red, Code Red 2... all of them work by brute-force IP scanning. That only works because the IPv4 address space is so densely populated; with IPv6, a worm would never be able to spread itself that way because the odds against a random hit are astronomical. I'm not saying that this should be a substitute for keeping servers up to date, but all the patching in the world doesn't help when the problem is that some faraway node is crushed under the traffic created by a worm, and IPv6 is good for many other reasons as well.
Running off MS datacenters, Massive Multiplayer Online Game Asheron's Call 2 has also been more or less dead since Friday. Fun stuff include corrupted characters (lost items, lost experience/levels) and outright unplayable server performance. Heck, their own customer rep recommended players not to log on for now... oh, and the AC2 customer support people couldn't access the game either, so the players experiencing the problems couldn't reach ingame support as there was none...
Needless to say, their *cough* paying customers have been less than thrilled.
It should read "Slammer Worm Owns Microsoft" not "Slammer Worm Slams Microsofts Own".
;) Still, there is some reporting I usually provide our team but my data source is still pooched.
I'm saying that from behind Microsoft's firewall - I should know.
It sure was a giggle on Monday seeing all the warning letters taped on every door and elevator in the building.
Most ops stuff seems up now - as up as they ever are
Oh well... I can still browse slashdot.
I figure this post is blatant karma whoring, but if it helps some geek out there smile...
**Microsoft Confidential - Do not forward**
All Computers Running SQL Server 2000 and
MSDE Required to Load SQL Server 2000 Service Pack 3
say no more!
. This sig unintentionally left blank. I meant to put something here, but I'm busy.
Wouldn't it be nice if all Microsoft's stupid mistakes came back to bite them like this? Perhaps that would inspire them to make better software.
Why was slammer/sapphire not mentioned on slashdot before this? It seems that this was a big enough worm, and I'd not have even heard about it except that the host for my web application was down for 2 days because their patch attempt failed and a friend pointed me to CNN Monday morning.
I looked at Saturday and Sunday's stories to find any mention of this but just see this story about how MS didn't patch their stuff and we are all laughing at it.
This saddens me.
somebody had to open a readme.txt. Good for you, you'll go far.
> Just goes to show that no matter who you are, you'd better keep your apps patched.
or not bother with the-pile-of-poo (with apologies to piles of poo, everywhere) in the first place.
D'oh!
Zero defects is not an attainable goal; it's too expensive and no one wants to pay for it.
This article shows just what happens when you expect zero defects in the infrastructure of a large organization like Microsoft Corporation. It's not going to happen. And before someone says I'm Microsoft-bashing, I will say that this is true for the vast majority of corporations, universities, foundations, and governments. That would include Sun, IBM, Red Hat, even the *BSD folks and LKML participants.
There is a damn good reason we won't see zero defects: employees are not measured by it. Their survival, pay raises, and promotions are based not on the number of defects they don't have, but on their contribution to the "bottom line." If you preach zero defects as Job One, then prove it by firing the people who generate defects, without exception -- including the CEO, COO, CFO, CIO, and other top brass, when they screw up.
So now that the myth of zero defects has been exposed for what it is, what do we do about it?
System administrators are going to have to re-think their perimeter access controls. This may require router upgrades to add processing power to support additional filtering.
Sysadmins who have been running "mostly-open" filter configurations may want to consider moving to a "mostly-closed" configuration: deny everything except services that have been cleared for use. Don't allow arbitrary connections. Many unknowing MS SQL servers were protected from participating in this little exercise because the firewall upstream of the desktop system wasn't allowing connections to get through, even if the desktop system had a globally-routed Internet address.
Computer mail order houses and computer stores should consider carefully whether they should bundle appropriate software firewall products with the computers they sell. Software configured to require the user to say "Yes, I want to make SQL server available for public access!" before ports 1433 and 1434 would be opened.
We need to ask the reporters and editors of mainstream publications to be more responsible when reporting problems like Sapphire/SQL. The facts were pretty well known, and available to those who tried hard enough to get them even at the height of the packet storm, so that reporters could make their deadlines and get the facts straight. [Names of the guilty withheld, at least for now -- they know who they are.]
Tier 1 and Tier 2 bandwidth providers need to consider modifications to their Acceptable Use Policies to require some basic filtering of packets in both directions. These AUP changes have been discussed before; perhaps now is the time for them to go into effect:
Update the Best Practices RFCs to incorporate some or all of these suggestions, so that Internet operators around the world can participate in solving the problem.
(N.B.: I want to point out that many USA-based cable operators are contributing to the problem by disallowing the use of NAT and VPN technologies in their apparent [alleged] quest to limit the broadband "Internet service product" to browsing and downloading files. I believe that such an attitude contributed to the problem, not the solution. I understand well the technical and business motivations for this, but I also believe that there are (U.S.) national security implications against such a policy. THINK!)
Are any of these ideas new? NO. The only new idea is to have the Lords Of The Internet use their influence over their customers to implement them more widely.
Good fences make good neighbors. The Internet is a neighborhood.
Does the cost of lost GLOBAL productivity (lost internet access in the workplace) and lost commerce (the ATMs going down) of this shizzah get added to the total cost of ownership of MS products?
http://pcblues.com - Digits and Wood
Everyone now has a clue why the GNU/Linux guy is more expensive than that MCSE guy.
[My english is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
SP3 just came out Jan 17th, 2003. Hotfixes are, as the other guy noted, a major pain. Manually installing the dlls and keeping your fingers crossed. I know this because I recently had to use a hotfix on our production software because SP2 introduced a bug that caused SQLServer to crash during certain replication scenarios. I was anxiously awaiting SP3 so that I could get the hotfix off our customer's machine, and I didn't even know it was out until the notice that it was the fix. I also spent half of December on the phone with SQL Server support and I asked at the time what I needed to make it secure, etc. I was told that SP2 had no security holes. MS botched this one big time. People are right about service packs breaking other code. Replication is a prime example: it doesn't work the same way in the original release as it does in SP1, nor does it work the same way in SP2... hopefully I don't find out that SP3 changed things too much.
...a lot of unemployed second-rate MS SQL admins should be hitting monster.com soon, if management have any sense whatsoever.
That these morons basically brought the internet to its knees Friday night through gross incompetence should be reason enough to fire every last one of 'em.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Last time I patched a windows machine for an email issue, it also created a problem wherein SQL server could not send emails through its link to outlook (which is retarded anyways, SQL server should have an internal mail engine). The next time a server went down, the "page home" feature didn't work, because it couldn't send a paging email.
All I have to say is, thanks Microsoft!
cd /raid/8.0/updates
# mirror the i386 and i686 update directories; -o starts a fresh log, -a appends to it
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/redhat/linux/updates/8.0/en/os/i386/ -o log
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/redhat/linux/updates/8.0/en/os/i686/ -a log
# files wget actually fetched this run (ignore the FTP directory listings)
saved=`grep saved log | grep -v ".listing"`
# verify md5 checksums and GPG signatures; keep only packages that did NOT check out
check=`rpm -K /raid/8.0/updates/*.rpm | grep -v "md5 gpg OK"`
if [ "$saved" ]
then
mail user1@domain.com user2@domain.com <<EOMAIL
New RedHat 8.0 RPMs downloaded onto `hostname`
Please update them:
$saved
$check
If there are any kernel updates, please run lilo before rebooting
EOMAIL
fi
Run this in the night some time.
When you come in, if you've got an email, run:
cd /raid/8.0/updates
rpm --freshen -vah *.i686.rpm
rpm --freshen -vah *.i386.rpm
Hey presto. Job done. And if you use Grub, you don't have to bother about running lilo.
Get your own free personal location tracker
We dont need no stinkin' patches.
Dismissing something because you know its flaws is not bigoted, it's reason. I can reasonably dismiss Microsoft Software from consideration based on their faulty development, distribution and security models. The process is so cumbersome and inferior that they themselves suffer. Why should I expect anyone else to do any better? Due to other problems, ultimately rooted in philosophical issues, I do not expect M$ to get any better any time soon. In fact, I expect things to get worse. Why would I ever trust their software with my data, time and effort? There's nothing M$ does that I can't do with free software, and there's much I can't do with M$ junk that free software does with ease. This is not a bigoted view, it's an application of experience and reason.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
If it is not cost effective for MS, which faces the highest damages from such incidents (think PR), to patch its own software, how can they argue it is cost effective for ANYONE to insure that everything gets patched?
It seems to me if one were to include the costs of patching, insuring everything gets patched, and the expected losses (I assume probability is inherently high in the non-Unix world) from the inevitable missed patch (or nonexistent patch/late patch), MS TCO would go through the roof. Then again, maybe the entire concept of TCO doesn't matter when the most significant costs can be hidden from ignorant managers who act as the software purchasing agents of the company.
Make America Great Again!
No linux vendor does anything like this; it's absolute insanity, and it's half the problem with MS admins (not) patching their software - they know better.
For years I was forced to run an IIS server which was outdated, unpatched, and very vulnerable. I couldn't update it because the service packs would break the software running on it - and the reason was that the service packs, while they fixed the vulnerabilities, also introduced all sorts of new features I did not need or want. So I was reduced to keeping a very watchful eye on it.
The entire infrastructure of Microsoft software distribution method is simply broken, and stupid.
Push the button Max!!!!
We actually had Slammer hit us through our client's network, which was not supposed to have any "extra" computers on it. We cannot install SP3 on that internal "isolated" network because the software that runs on top of it will break. It puts us between a rock and a hard place. We have to wait for Honeywell to give us a patch to fix a Microsoft bug. It's like some bizarre bad dream.
10: PRINT "Everything old is new again."
20: GOTO 10
I would verify, but the hotfix in question has an auto-extracting exe that, as a part of the extraction process, first checks if there is a compatible instance of SQL Server. There isn't even a readme with this file, I noticed, and my presumption is that the exe automatically installs the hotfix (given that it has the brains to check that there is a compatible version as a first step), though I can't verify that as my instance is already SP3. I'm not saying you're wrong, but I am curious how the hotfix experience is for anyone else who grabbed that file.
Rick Devenuti, the chief information officer for the software giant... "We are not sure how the virus got into our network," Must have been terrorists! ... "It just takes one machine to get going," he said. "At any given point in time, it is hard to be 100 percent patched with any machine. We are working hard to make patch management easier. But 100 percent is a high bar and in this case we are not there."
Oh, it's too hard, that's it. Too bad they don't have a nice system like Debian's stable distro and apt-get upgrade to keep things all patched up. But wait, M$ patches break other software! It must just be impossible to keep them up.
I'm so sorry that I called those poor M$ admins losers. Blaming the user for your shitty software's failures is a Microsoft thing to do.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Nana Nana Boo Boo
Soak You Head in Doo Doo!
Although I respect Bruce Schneier (like he cares), I think it's pretty stupid to be quoted saying "This shows that the notion of patching doesn't work," without providing an alternative solution. I would love not to patch my servers, but perfect software just doesn't exist. What options do I have?
Microsoft incorrectly states in bulletin MS02-061 that SQL Server 7.0 and MSDE 1.0 are also affected by the worm.
While troubleshooting an issue related to the patch w/ MS phone support, the technician told me that 7.0 is not affected and the bulletin was incorrect.
It is entirely possible he was misinformed though.
"The article I read (on yahoo [yahoo.com]) states the unpatched servers were all on the internal network, not the internet, and that they were in use by researchers within microsoft."
Which means the problem isn't with shoddy MS SQL server code, it's with shoddy XP/2003 firewall code.
When that hotfix was originally released, it was as the first poster described it. A royal pain in the ass with find, replacing, renaming and chasing files down in several different directories, then doing a couple more steps. The printed out instructions ran seven pages.
They've since made it easier, and put it in the SP3, but as someone who installed that bastard when it was released last summer, I can verify that people who think installing hotfixes/patches on SQL is just click on the link and hit your forehead on the space bar till it tells you to reboot are lost in some fog.
step two: laugh at those poor sysadmins who got caught with pants down
step three: beer
step four: repeat step three, rinse and repeat.
"You never want a serious crisis to go to waste." - Rahm Emanuel
I can verify that people who think installing hotfixes/patches on SQL is just click on the link and hit your forehead on the space bar till it tells you to reboot are lost in some fog.
I would say that the evidence shows that people who think that it's an automated process now are absolutely correct: It's an entirely automated no-brainer process. Previously hotfixes may have been more complex, however the reality is that there have been very few on SQL Server: It hasn't been a lot to keep up with.
it covers like 4-5 Microsoft products..
Windows, SQL Server, Exchange, IE. Is that all Microsoft produces?
My criticism was about the lack of STANDARDS... I know a standard is hard thing for an apologist to grasp.. Let me try to explain:
In this case, a standard would define a consistent way to verify the version of ALL Microsoft software.... NOT the latest list of products that have burned the company good.
Here's some fun for you.. Walk up to a machine you don't know and tell me the version of ADO on it.
Either way, Microsoft is still hiding behind obscure applications and procedures. Flame all you want, but I can go to the Redhat site... any Linux site... and immediately get a clear list of vulnerabilities applicable to a particular version of that distribution.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
. . . but maybe Microsoft thought those particular servers were still running BSD . . .
I'm not tense. I'm just terribly, terribly, alert.
SQL 7 is *not* susceptible to this vulnerability. SQL 7 doesn't use port 1434 for anything. That's new in SQL 2000. However, 7.0 is vulnerable to plenty of other things.
The cisco.netacad.net site was plenty slow.
Or as Nelson in the Simpsons would say:
Ha ha!
Yeah, because bandwidth wouldn't have anything to do with it, shithead.
Is it true that the SQL worm story did not appear on MSN?
So, to keep a few servers going for over a year, they haven't patched them, and are reaping the rewards ;-)
Conversion Rate Optimisation French / English consultant
Which means the problem isn't with shoddy MS SQL server code, it's with shoddy XP/2003 firewall code.
So you're assuming that Microsoft's corporate network relies on their admins checking the "Enable Firewall" box in Windows XP? HAHAHAHAHAHHAHAHAHA!! They should have been using Norton's firewall solution, right?...and forget all the enterprise-level solutions.
Part of that would be because Programmer Bob does some work that requires say SQL server and IIS. He installs/activates them on his desktop machine and goes about his work. Then he moves onto the next project and forgets that he is still running SQL server, and a year later gets hit by a worm...
;)
Of course windows developers have an advantage in this area, since they have to reinstall their OS at regular intervals to stop it playing up. Though maybe XP has fixed that, and they'll be stuffed like those poor linux developers who still have junk installed from 1997...
http://www.ridiculopathy.com/index.php?display=20030128
Should that be "it's". Well, this is a technical forum and most technical people can't spell for beans, but it is "its".
Anyway, why shouldn't Microsoft get hit so hard? They won't recognize the deficiencies others make them aware of so OF COURSE they won't have any patches or SPs applied to their servers.
Besides, the exploits are published at least a year before the public sees something done with them.
And the media, God bless their hearts. They won't say, "This only affects Microsoft Database Servers." Instead, "It's a See-quell worm which might affect you at home but probably won't. If it does, your best bet is to just shut down your computer."
At my office, we weren't vulnerable because, first and foremost, we aren't stupid enough to allow any MS server to be placed onto the Internet in the first place. All MS servers must reside strictly on an internal network with no routability to/from the public Internet at all on any tcp or udp ports whatsoever. Not even through a firewall.
Actually, Linux was affected by the Slapper worm. I think you meant Slammer, which is a common mistake since they sound so similar...sorry for being such a nazi :P
Relying on a vendors automatic update feature is no substitute for solid system administration.
Especially since one of their subsequent patches, Q317748, released AFTER the first patch that fixed the original vulnerability that slammer employed, undid the fix and made sql server vulnerable again!!!!
Oops. Slapper -> Slammer. My bad.
Bwahahahaha.
(Wipes tear.)
Good thing...(stifles laughter)...that Microsoft sent all their programmers on that...(giggle)...day long security conference. (Heehee)
(Prints story and hands it to boss who insist we should stick with "brand name" software like Microsoft because they make the best.)
A lot of sysadmins were waiting for the SP to be released before even approaching this one, just because the patching process is so complex. They just waited a week too long.
Then poof! No more MS SQL crap to deal with.
The Hfnetchk tool is a command-line tool that administrators can use to centrally assess a computer or group of computers for the absence of security patches.
Most Windows monkeys don't know how to operate a command line.
Although in this case the servers were in fact patched, but there was "collateral damage" from severe network congestion.
10 2 * * * /usr/bin/emerge rsync
10 3 * * * /usr/bin/emerge --update world
Go with Gentoo
"We are not sure how the virus got into our network" said Rick Devenuti, chief information officer for Microsoft.
Duh. I suspect through port 1434, the same way it got into all the other networks.
Would you rather have a system where you have to manually implement every patch, or would you rather have a system where you didn't have any choices which patches were implemented?
The first choice would lead to a lot more work. The second choice would have automatically installed .NET and WMP 9 on your computer. The second choice would also automatically sign you on to whatever contrac--er...license agreements that came with the patches.
Power is like entropy. It always seeks to increase.
What's this Submit thingy do?
Someone posted that same reply 15 minutes before you did. Way to read!
At least, that's what Shaggy says. And that's where I take my cues in life.
Check the link in this article under the words "Slammer Worm" and you'll find an earlier Slashdot article about this worm, posted on Sunday morning, with the title of "MS SQL Server Worm Wreaking Havoc".
It's easy to blame someone for not having his/her systems patched. But I believe that the average patch level on Windows systems is higher than on Unix systems.
Most of the Unix systems (especially servers) just run and don't cause trouble. So nobody thinks of them and patches them. A 1000+ day uptime is something to make a sysadmin proud and a security adviser weep.
As many Windows sysadmins have trouble debugging their systems in depth, in the case of problems they try to apply available patches first (the second action taken, after reboot). So, as Windows systems cause more trouble than Unix servers, they are better patched. Q.E.D.
Just kidding, Martin
Windows 2000 site goes over two years without a reboot
This month is the first time that a Windows 2000 site has appeared in the 50 top sites which have the longest period of time since last reboot. www.byteandswitch.com has been running continuously since November 2000. When we first started graphing web servers uptime in the summer of 2000, many people were skeptical that a Windows machine would ever make the top 50. Perceptions change, and although two years is exceptional, several Windows 2000 sites have run for more than a year without a reboot. In the hosting industry, Microsoft partners Interliant and Divine each have sites that have not been rebooted in over a year, while Microsoft has also run several of its own sites for over a year between reboots.
-- I told you this was news ___
How many Microsoft devs were running IIS on their systems and got hit by Code Red or Nimda. Guess we don't know because it never made the news ;-)
LedgerSMB: Open source Accounting/ERP
You might be right about it not being vulnerable - but I do work for a Microsoft Partner company, and we do have a patch and a hot fix that we are required to apply for SQL 7.0.
;)
If I get more info I'll post it
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Larry Ellison is cackling like a little girl........
And he hasn't even heard about Slammer yet!
Before I went to work today, I was watching CNN Headlines. They specifically said that Microsoft was affected by the worm, that they had problems, etc, etc. In addition to that, CNN mentioned the inside e-mail that was circulating within Microsoft regarding this problem.
--- d'oh
Jan. 23, 2003
I'm writing to you about an issue of particular importance to those of us who routinely use computers in our work and personal lives - making computing more secure. Before I share my thoughts about this in more detail, I want to give you some context on why I am sending this email.
This is one in an occasional series of emails from Microsoft executives about technology and public-policy issues important to computer users, our industry, and anyone who cares about the future of high technology. If you would like to receive these emails in the future, please go to http://register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155 to subscribe. If you don't wish to hear from us again, you need not do anything. We will not send you another executive email unless you choose to subscribe at the link above.
******
As we increasingly rely on the Internet to communicate and conduct business, a secure computing platform has never been more important. Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated.
As everyone who uses a computer knows, the confidentiality, integrity and availability of data and systems can be compromised in many ways, from hacker attacks to Internet-based worms. These security breaches carry significant costs. Although many companies do not detect or report attacks, the most recent computer crime and security survey performed by the Computer Security Institute and the Federal Bureau of Investigation totaled more than $455 million in quantified financial losses in the United States alone in 2001. Of those surveyed, 74 percent cited their Internet connection as a key point of attack.
As a leader in the computing industry, Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability. This is a long-term effort. As attacks on computer networks become more sophisticated, we must innovate in many areas - such as digital rights management, public key cryptology, multi-site authentication, and enhanced network and PC protection - to enable people to manage their information securely.
A year ago, I challenged Microsoft's 50,000 employees to build a Trustworthy Computing environment for customers so that computing is as reliable as the electricity that powers our homes and businesses today. To meet Microsoft's goal of creating products that combine the best of innovation and predictability, we are focusing on four specific areas: security, privacy, reliability and business integrity. Over the past year, we have made significant progress on all these fronts. In particular, I'd like to report on the advances we've made and the challenges we still face in the security area.
In order to realize the full potential of computers to advance e-commerce, enable new kinds of communication and enhance productivity, security will need to improve dramatically. Based on discussions with customers and our own internal reviews, it was clear that we needed to create a framework that would support the kind of innovation, state-of-the-art processes and cultural shifts necessary to make a fundamental advance in the security of our software products. In the past year we have created new product-design methodologies, coding practices, test procedures, security-incident handling and product-support processes that meet the objectives of this security framework:
SECURE BY DESIGN: In early 2002 we took the unprecedented step of stopping the development work of 8,500 Windows engineers while the company conducted 10 weeks of intensive security training and analyzed the Windows code base. Although engineers receive formal academic training on developing security features, there is very little training available on how to write secure code. Every Windows engineer, plus several thousand engineers in other parts of the company, was given special training covering secure programming, testing techniques and threat modeling. The threat modeling process, rare in the software world, taught program managers, architects and testers to think like attackers. And indeed, fully one-half of all bugs identified during the Windows security push were found during threat analysis.
We have also made important breakthroughs in minimizing the amount of security-related code in products that is vulnerable to attack, and in our ability to test large pieces of code more efficiently. Because testing is both time-consuming and costly, it's important that defects are detected as early as possible in the development cycle. To optimize which tests are run at what points in the design cycle, Microsoft has developed a system that prioritizes the application's given set of tests, based on what changes have been made to the program. The system is able to operate on large programs built from millions of lines of source code, and produce results within a few minutes, when previously it took hours or days.
The scope of our security reviews represents an unprecedented level of effort for software manufacturers, and it's begun to pay off as vulnerabilities are eliminated through offerings like Windows XP Service Pack 1. We also put Visual Studio .NET through an incredibly vigorous design review, threat modeling and security push, and in the coming months we will be releasing other major products that have gone through our Trustworthy Computing security review cycle: Windows Server 2003, the next versions of SQL and Exchange Servers, and Office 11.
Looking ahead, we are working on a new hardware/software architecture for the Windows PC platform (initially codenamed "Palladium"), which will significantly enhance the integrity, privacy and data security of computer systems by eliminating many "weak links." For example, today anyone can look into a graphics card's memory, which is obviously not good if the memory contains a user's banking transactions or other sensitive information. Part of the focus of this initiative is to provide "curtained" memory - pages of memory that are walled off from other applications and even the operating system to prevent surreptitious observation - as well as the ability to provide security along the path from keyboard to monitor. This technology will also attest to the reliability of data, and provide sealed storage, so valuable information can only be accessed by trusted software components.
SECURE BY DEFAULT: In the past, a product feature was typically enabled by default if there was any possibility that a customer might want to use it. Today, we are closely examining when to pre-configure products as "locked down," meaning that the most secure options are the default settings. For example, in the forthcoming Windows Server 2003, services such as Content Indexing Service, Messenger and NetDDE will be turned off by default. In Office XP, macros are turned off by default. VBScript is turned off by default in Office XP SP1. And Internet Explorer frame display is disabled in the "restricted sites" zone, which reduces the opportunity for the frames mechanism in HTML email to be used as an attack vector.
SECURE IN DEPLOYMENT: To help customers deploy and maintain our products securely, we have updated and significantly expanded our security tools in the past year. Consumers and small businesses can stay up to date on security patches by using the automatic update feature of Windows Update. Last year, we introduced Software Update Services (SUS) and the Systems Management Server 2.0 SUS Feature Pack to improve patch management for larger enterprises. We released Microsoft Baseline Security Analyzer, which scans for missing security updates, analyzes configurations for poor or weak security settings, and advises users how to fix the issues found. We have also introduced prescriptive documents for Windows 2000 and Exchange to help ensure that customers can configure and deploy these products more securely. In addition, we are working with a number of major customers to implement smart cards as a way of minimizing the weak link associated with passwords. Microsoft itself now requires smart cards for remote access by employees, and over time we expect that most businesses will go to smart card ID systems.
COMMUNICATIONS: To keep customers better informed about security issues, we made several important changes over the past year. Feedback from customers indicated that our security bulletins, though useful to IT professionals, were too detailed for the typical consumer. Customers also told us they wanted more differentiation on security fixes, so they could quickly decide which ones to prioritize. In response, Microsoft worked with industry professionals to develop a new security bulletin severity rating system, and introduced consumer bulletins. We are also developing an email notification system that will enable customers to subscribe to the particular security bulletins they want.
WHAT'S NEXT
In the past decade, computers and networks have become an integral part of business processes and everyday life. In the Digital Decade we're now embarking on, billions of intelligent devices will be connected to the Internet. This fundamental change will bring great opportunities as well as new, constantly evolving security challenges.
While we've accomplished a lot in the past year, there is still more to do - at Microsoft and across our industry. We invested more than $200 million in 2002 improving Windows security, and significantly more on our security work with other products. In the coming year, we will continue to work with customers, government officials and industry partners to deliver more secure products, and to share our findings and knowledge about security. In the meantime, there are three things customers can do to help: 1) stay up to date on patches, 2) use anti-virus software and keep it up to date with the latest signatures, and 3) use firewalls.
There's much more I'd like to share with you about our security initiatives. If you would like to dig deeper, information and links are available at http://www.microsoft.com/mscorp/execmail/2003/01-23security2.asp to help you make your computer systems more secure.
Bill Gates
For information about Microsoft's privacy policies, please go to: http://www.microsoft.com/info/privacy.htm
The sad thing is that they could have used their own SMS product to manage all their servers' rev versions.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
What happened with M$ is unacceptable, but what do you think about this scenario...
What if the developers needed to keep a certain version/patch level in order to test for compatibility of their code.
If you're writing a piece of software that is supposed to run with SQL Server 2000 (Gold) and up.. isn't it valid to have several versions of the software for testing purposes? (Including the unpatched versions)
Any ideas...
Why was this port open to the internet in the first place? Shouldn't the database servers be behind the firewalls, and only accept connections from trusted hosts on the outside? The rapid spread of this worm seems to point to serious design problems with the networks at many companies. The Bank of America infection is particularly troubling.
What's worse than that is that Microsoft left some SQL servers out of their firewalls, accessible from the Internet... I mean, damn, how serious can you be about security when you have SQL servers available for the whole world to connect to?
The beauty of unix is that for 99% of the services you can patch the app and not interrupt OS uptime. That'll never, ever happen with any Microsoft OS.
"Seems like every time I install a system patch, something else goes wrong with my system," said Frank Beier, president of Web design firm Dynamic Webs.
"In most cases, I'm better off just playing Russian roulette with the hackers until our servers are broken into," he said.
Change your name before sending out your curriculum vitae.
This is really scary:
"On Saturday, Microsoft's Windows XP Activation service was down, not because the servers were vulnerable, but because the company's internal network was inundated with junk data, Rick Devenuti, the chief information officer for the software giant, said in an interview Monday."
Microsoft told us that the Activation service would ALWAYS be available. I would have been PISSED if I had to reactivate my XP on Saturday and wasn't able and then wasn't able to use my PC!
I disagree about the difficulty in propagating the worm under IPv6. It might slow it down, but I was online when the worm hit and it was almost instant the way it consumed the backbones. I'd estimate that within 5-10 minutes the worm went from one end of the world to the other.
The scary thought for IPv6 to me is that it might slow down random IP propagation, but that would probably be inconsequential when compared with the increased number of spammers that would find new life and longevity in hiding amongst the exponentially larger IP space.
Let's take it to a new level...
If a major motor manufacturer created a product line that lost the brakes when the temperature outside was -10 degrees and on an interstate, they would be liable.
If 90% of the population used that product line and people were getting hijacked by their own transportation, there would be hell to pay.
Now suppose that they say, "Hey! We released a recall two months ago? Didn't you take your car in to fix it? We made a post to our service centers, but you never saw it at the place you take your car? If you were running our brake-warming device (aka anti-virus software), you wouldn't have had this problem... if you were on a local road instead of an interstate, you never would have had this happen to you. Please buy more of our products. "
I know it's outlandish, but there should be some responsibility here on the part of the vendor. There is economic damage from not patching stuff, but if the patch usually breaks your car, who's left to hold the bag?
Unless you are a mechanic and own a kit-car (aka Linux), you're tied in. That's not good.
T.
This space for rent.
The article states that the attack started Friday night inside MS, at like 8 or 9pm I think; wasn't it not until like 1am that it was really humming? Wouldn't this timeline lead one to believe it could have started kicking inside MS first?
Shouldn't the patch system be able to automate all those messy instructions in the first place?
1. Identify where the application is installed (or have the user specify if there is more than one installation)
2. Designate a backup path or device and automatically make a backup copy of the critical files.
3. Install the patch
4. Provide a method by which the patch can be verified that it was installed correctly
5. Provide an option to "rollback" the patch by restoring the backup files from the designated path or device.
All those operations could be done by the program itself. What kind of programmers do these people have? The patch should have one command: "click here", and then go into an interactive menu.
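The five steps above, as one small patch driver. This is an added example, not code from the thread or from any Microsoft tool; the install path, marker file, DLL names and patch contents are constructed for the demo, and `patch_with_rollback` restores the backup whenever the apply or verify step fails.

```python
# Added example: the five patch steps above as one driver. Names and contents
# are constructed for the demo; this is not code from the thread or any vendor.
from __future__ import annotations
import hashlib, json, shutil, tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


# Step 1: find every install under root by a marker file (sqlservr.exe here).
def discover_installs(root: Path, marker: str = "sqlservr.exe") -> list[Path]:
    return sorted(p.parent for p in root.rglob(marker))


# Step 2: copy the files the patch will touch to a fresh backup dir and record
# their hashes; a file that does not exist yet is recorded as None.
def backup(install: Path, files: list[str], backup_root: Path) -> Path:
    dest = Path(tempfile.mkdtemp(prefix="bak-", dir=backup_root))
    manifest: dict[str, str | None] = {}
    for name in files:
        src = install / name
        if src.exists():
            shutil.copy2(src, dest / name)
        manifest[name] = sha256(src) if src.exists() else None
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return dest


# Step 3: a patch dir holds the new files plus manifest.json with their hashes.
def apply_patch(install: Path, patch_dir: Path) -> None:
    for name in json.loads((patch_dir / "manifest.json").read_text()):
        if not (patch_dir / name).exists():
            raise FileNotFoundError(f"patch is missing {name}")
        shutil.copy2(patch_dir / name, install / name)


# Step 4: what is on disk versus what the patch says should be there; an empty
# list means the patch really took (a stale file from a wrong-order patch shows up).
def verify(install: Path, expected: dict[str, str]) -> list[str]:
    return [n for n, h in expected.items()
            if not (install / n).exists() or sha256(install / n) != h]


# Step 5: restore from the backup, removing files the patch newly created.
def rollback(install: Path, backup_dir: Path) -> None:
    for name, digest in json.loads((backup_dir / "manifest.json").read_text()).items():
        if digest is None:
            (install / name).unlink(missing_ok=True)
        else:
            shutil.copy2(backup_dir / name, install / name)


# Back up, apply, verify; on any failure restore the backup and report False.
def patch_with_rollback(install: Path, patch_dir: Path, backup_root: Path) -> bool:
    expected = json.loads((patch_dir / "manifest.json").read_text())
    bak = backup(install, list(expected), backup_root)
    try:
        apply_patch(install, patch_dir)
        if verify(install, expected):
            raise RuntimeError("verification failed")
        return True
    except (OSError, RuntimeError):
        rollback(install, bak)
        return False


def make_demo_patch(patch_dir: Path, files: dict[str, bytes]) -> None:
    patch_dir.mkdir()
    for name, data in files.items():
        (patch_dir / name).write_bytes(data)
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    (patch_dir / "manifest.json").write_text(json.dumps(digests))


# Constructed install tree: one good patch, then one that ships a file short.
def demo() -> dict:
    work = Path(tempfile.mkdtemp(prefix="patchdemo-"))
    install = work / "Program Files" / "MSSQL" / "Binn"
    install.mkdir(parents=True)
    (install / "sqlservr.exe").write_bytes(b"old server build")
    (install / "ssnetlib.dll").write_bytes(b"old netlib")
    (work / "backups").mkdir()
    make_demo_patch(work / "good", {"ssnetlib.dll": b"fixed netlib"})
    make_demo_patch(work / "short", {"ssnetlib.dll": b"other", "sqlsort.dll": b"new"})
    (work / "short" / "sqlsort.dll").unlink()  # simulate a file the patch never shipped
    r = {"installs": len(discover_installs(work))}
    r["good_applied"] = patch_with_rollback(install, work / "good", work / "backups")
    r["after_good"] = (install / "ssnetlib.dll").read_bytes()
    r["short_applied"] = patch_with_rollback(install, work / "short", work / "backups")
    r["after_short"] = (install / "ssnetlib.dll").read_bytes()
    shutil.rmtree(work)
    return r
```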
There are quite a few "porous" holes that get into Microsofts internal networks.
That's how bad Microsoft's security is. Even its holes are porous!
What's not to be worried about? Everything!
I agree that it could be due to bad admins and bureaucracy. But despite how negatively it reflects upon them, it could also be a ploy: showing "hey, we are affected just like you" or something similar to soften the punches they will receive from customers. Sounds strange, yes, but people with power (money or political) do strange things.
It's not that bad really, I think later versions of the patch even included a batch file to copy stuff around for you. Even without it, it only took 10 minutes... I mean really, if somebody can't handle this kind of stuff should they really be an admin?
Some have said they applied the patch and still were vulnerable.
Yeah you have to be careful with this stuff, if you apply patches in the wrong order you can sometimes end up with the vulnerable code still there. I know a _really_ good admin that got hit with Code Red because of that. The correct order can sometimes be a bit of a mystery.
Some have said the patch fucked their server.
That's the big problem with this situation. I can understand why people don't have this patch or SP3 installed. You really never know what one of these things is going to do. It is common for admins to schedule a 3 hour downtime to roll something like this in, even if they have tested the hell out of it. You need time to get the damn thing back out if it screws stuff up. I deployed W2K SP3 onto my terminal servers a few months ago and it broke Office on every one of them. It didn't do that when I tested it, took me hours to clean it up.
It'll help take off that edginess, ma'am.
There's no excuse. Just because it is harder to install than a simple windows update package isn't any kind of reason not to update.
I agree, however...
Microsoft has argued for a long time that Windows is easier to administer (than UNIX/Linux), and that you don't need to hire an expensive, trained admin (by which I assume they mean UNIX admins, but aren't MCSEs expensive, trained admins, all jokes about the quality of MCSEs aside?).
So here we are with MS SQL Server, which is supposed to be an enterprise quality database system... but it has no intuitive interface for installing patches. So either we have a real DBA, who should know how to do these patches, or we have a power user to manage the database through a better interface to keep up to date on patches.
Either it's easy and you don't need an admin, or it's difficult and you do need a trained admin. SQL Server updates can't be as "complex" as they currently are if Microsoft is going to claim that anyone can admin a Microsoft server product.
Granted, they may not be making the claim that SQL Server is easy to administer, but what are the customers going to think? If Windows is "easy" (or so says the advertising), then SQL Server must be easy too! They both have little wizards to automate tasks, they both have a graphic interface for management...
> The article I read (on yahoo [yahoo.com]) states the unpatched servers were all on the internal network, not the internet, and that they were in use by researchers within microsoft. Let's not jump too quickly on the bash microsoft bandwagon for that.
The fact that it ate their lunch is de facto evidence that they should have patched them all.
Sheesh, evil *and* a jerk. -- Jade
Most modern servers are GHz+ boxes, and this worm saturated some 100 MBit links. So there is ample processing power and TCP/IP stack space to create connections. The worm might have not exploded so quickly, but that just means that it would have lingered longer.
I want to delete my account but Slashdot doesn't allow it.
Gosh, this kind of argument really doesn't ease my worries...
... is that oopses like this one have exactly zero impact on their market share, companies' acceptance of MS "solutions" etc... This is not a free market as known for ages, definitely.
OK, so how did these servers get infected in the first place, if they weren't on the internet?
My guess would be a laptop. Picture this, MS engineer takes his laptop home. Connects to his dsl. Laptop gets infected. MS Engineer returns to work, connects to INTERNAL network. Laptop infects servers.
Keep in mind that VISIO installs a copy of SQLServer that is vulnerable, which is probably on a large number of MS laptops.
What staggered me about the whole episode is that there are people running SQL Server open on the internet. Why? Something as large and as complex as an RDBMS product is an inviting disaster (applies as much to Oracle etc. as SQL Server as well). All my databases are buried well behind firewalls that don't allow any access from the internet. Use a VPN if you need to access databases over the internet. There are free ones available...
MS02-061 is for a DIFFERENT vulnerability.. one that applies to both SQL 2000 & SQL 7.0 --- The original slammer/sapphire worm applies only to SQL 2000.
Also, SQL 7.0 DOES use port 1434 - Even SQL 6.5 uses this port. Get it right!
The only reason slammer/sapphire were mentioned in MS02-061 is because the patch for that vulnerability ALSO includes the fix for the slammer/sapphire worm. It's just a rollup that includes more than one, but the Web Tasks feature that is vulnerable IS IN SQL 7.0 TOO
As long as one gets massive attacks like the one in the article, it means the split was not done, or not done into small enough networks.
VKh
fsck....
Everything in the Universe sucks: It's the law!
so who are you? deek? steveo? one of the nycers? Mr. wobblie. please email hackerchick00@ lycos - thanks
x374192
i'd hit it.
er, make that @email.com, not lycos :)
1) Went to a news site (MSNBC? I forget...) - decided to try running a video - told me it needed the Microsoft plugin, sent me to Microsoft site to download Media Player 9.
2) Said okay, what the hell, I'll get it, EULA or no, downloaded, installed.
3) Broke my wallpaper changer - began giving me divide by zero errors when I changed wallpaper. Why? Who knows?
4) PowerPro began to crash on reboot for the wallpaper thingy... Why? Who knows?
5) Uninstalled Media Player 9.
10)Uninstalled WallMaster, reinstalled WallMaster.
11)WallMaster and PowerPro problem go away.
12)Irony - Even after I installed Media Player 9, the fuckin' news site STILL SAID I NEEDED THE PLUGIN!
Fucking morons...
Within the next six months, I intend to go Linux only and wipe fraggin' Microcrap off the disk...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
For M$ engineers and all windoze dummies:
goto run and type cmd and hit enter
you will see a black screen now with a prompt.
type c: and hit enter
type c:del windows (enter y if prompted)
Your windows box is now patched.
You know, I'm having a good laugh here..
... hey, if you can't drive the bus, get off the road.
/apt-get etc....
"They make too much stuff to bother standardizing versionning info"
Linux: rpm -qa
Microsoft: "sorry we can't do that it's too hard"
rofl
And you didn't even address my original post.
The entire internet went down on Saturday but it seems Microsoft bears no blame in your eyes. If that isn't a pure unadulterated example of the arrogance displayed by Microsoft I don't know what is.
If I wrote shit that barfed all over the internet like that, I'd be begging on my knees for forgiveness from my customers-- not giving them the "you're all morons speech". Actually I'd be outta a job.
I think you're the troll here. You should be proud. It's not too often a troll gets +5.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
Take a look at this old story. Remember what MS's response was (and still is)? Don't receive emails that start with 'begin '.
If that does not say heaps I don't know what does.
But picture yourself as a Microsoft sysadmin. As a Microsoft insider, you will have heard by the proverbial grapevine all about the quality of the patches or lack thereof and whether they even work.
You are faced with a dilemma: Do you test the patches adequately, given the complexity and the mission critical nature of your application? In this case, the required amount of testing may very well still not be completed!
Or do you just apply the patches and pray?
Or do you put off installing the patches until somebody else establishes that they are safe and effective?
If I wrote shit that barfed all over the internet like that,
I think that accusing MS of writing the worm is slander. I really doubt that they wrote that worm.
And as far as your silly apt-get comparison... MS's stuff is integrated. That's why everything works so well together. I can very easily get the version from my third party apps because they're separate. MS stuff isn't built like that. If you want the version of a .dll, it's all right there. Go away, troll.
Of writing the worm? Sheesh... well I can't help your reading skills.
"If you want the version of a .dll, it's all right there."
But thanks, you just proved my point.
And btw, a DLL version has nothing to do with a package version. But since you don't seem to understand the difference I'm not surprised my point escaped you. So I'll explain: patches in all modern Linux distributions affect the overall version of the package software. This is why controlling patch levels on Linux is so much easier than on Windows-- controlling the version of a package in Linux means just verifying the rpm database; NOT inspecting each file in the package to see if it is the right version, as your reply suggests.
Still, it's funny you mention DLLs since even Microsoft acknowledges the pain that is DLL Hell. It is also, as a further footnote, something that Microsoft tries to fix in .NET with the GAC .... too bad it's only for managed apps though. Still, judging from that I'd say even Microsoft thinks you're wrong here.
tata.. enjoyed the repartee... have fun checking DLL versions.. lol, and against what... rofl
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
You have to assume there *are* holes in application software such as SQL server due to its complexity.
Taking a reactive approach, and simply installing hotfixes as they're available, will simply not work - patches are often not available until a number of days/weeks/months after the vulnerability is known. Even if it hasn't been fully disclosed, the blackhats may well know about it, or be prompted to scrutinize that particular product more and find it before the full announcement.
The correct way to deploy such products is to design your network with this in mind, and firewall them off from the rest of the world.
That does NOT give you the security to not worry about patching (single layer security is bad) - keep your servers patched - but it does buy you a little time, and is an extra layer of defense in case there is a server that doesn't patch properly for some reason (file couldn't be overwritten for example), or is accidentally forgotten about.
I can think of *no reason* why an SQL server must be accessible to the world. You have a webserver that uses it as a back-end? Give the public access to port 80/443 of that ONLY, and disallow connections from anywhere but localhost to the SQL software. Even better (and the approach I always take - I don't trust Win-X to be visible to the internet, period), install it on a separate physical machine, firewall that machine more tightly (ie, allow SQL connections ONLY from machines that require them, such as your webserver).
If you have client machines that need to access the database from the internet, that's what VPNs are for.
Since I've had enough sense to firewall my servers correctly (yes, I was a clueless idiot before as well ;), I have not had a single security breach.
I'm not saying that I'm definitely immune to a concentrated attack, but you can definitely stack the odds in your favour.
Yes, it is an investment in time, and probably money - but if you want a secure network, it's simply the price you have to pay these days... how much is your data/uptime worth?
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
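The two layouts the post above contrasts, modelled as an added example (not code from the thread): a flat network where the SQL box answers anyone, and the layered one where only the web tier and the VPN gateway may reach tcp/1433 and the resolution service on udp/1434 is not exposed at all. The addresses are constructed documentation ranges and the first-match rule engine is a toy standing in for a real firewall.

```python
# Added example: a first-match model of the two layouts contrasted above.
# Addresses are constructed (RFC 5737 ranges); the engine is a toy, not a firewall.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
WEB = ip_network("203.0.113.10/32")   # public web server
DB = ip_network("203.0.113.20/32")    # SQL Server on its own box behind the filter
VPN = ip_network("203.0.113.1/32")    # VPN gateway: remote clients come in through it


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str | None                # "tcp", "udp" or None for either
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset[int] | None    # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dports is None or dport in self.dports))


def decide(policy: list[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; a flow matching nothing is dropped (default deny)."""
    for rule in policy:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


# Flat layout: the SQL box answers anyone, which is all the worm needed.
FLAT = [Rule("allow", None, ANY, ANY, None)]

# Layered layout from the post: the public gets 80/443 on the web server only;
# tcp/1433 on the SQL box only from the web server and the VPN gateway; the
# resolution service on udp/1434 is never exposed, since a client that
# connects to a fixed instance port has no need of it.
LAYERED = [
    Rule("allow", "tcp", ANY, WEB, frozenset({80, 443})),
    Rule("allow", "tcp", WEB, DB, frozenset({1433})),
    Rule("allow", "tcp", VPN, DB, frozenset({1433})),
    Rule("deny", None, ANY, ANY, None),
]

# Constructed traffic, including the worm's single udp/1434 datagram from outside.
FLOWS = [
    ("tcp", "198.51.100.77", "203.0.113.10", 443),   # customer -> web site
    ("udp", "198.51.100.77", "203.0.113.20", 1434),  # outside -> SQL resolution service
    ("tcp", "198.51.100.77", "203.0.113.20", 1433),  # outside -> SQL directly
    ("tcp", "203.0.113.10", "203.0.113.20", 1433),   # web tier -> SQL
    ("udp", "203.0.113.10", "203.0.113.20", 1434),   # web tier -> resolution service
    ("tcp", "203.0.113.1", "203.0.113.20", 1433),    # VPN user -> SQL
]


def evaluate(policy: list[Rule]) -> dict[str, str]:
    """Map each constructed flow to the verdict the policy gives it."""
    return {f"{p} {s}->{d}:{port}": decide(policy, p, s, d, port)
            for p, s, d, port in FLOWS}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("layered", LAYERED)):
        print(name, evaluate(policy))
```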
... being that this is an old vulnerability and these administrators obviously should have known better.
The time that it takes to safely apply a patch, however, can wear down the resolve of the people responsible for the system. It is not like one can just mindlessly slap a patch into place. It must be tested to ensure that core applications don't break.
I work in an all Microsoft shop so I see the frustration of our system administrators with each new patch that comes out. I really wouldn't want that responsibility. If they take the time that is required to be sure that the patch is safe, it may be too late and the consequences of not taking the time could be grave. Damned if you do and damned if you don't.
The race isn't always to the swift... but that's the way to bet!
Anything is better than a softie. I feel great!
Rick Devenuti didn't say that it was too hard.
Yes he did. He said, "...it is hard to be 100 percent patched with any machine ... we are not there." What else can that mean except that it takes a huge effort to co-ordinate all the silly M$ "patches"? Isn't this the direct result of binary closed source distribution and sloppy source code organization? In other words, isn't this symptomatic of an obsolete distribution method? They just can't get it up.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Patches? Patches? We don't need not stinking patches!
in a quiet corner of the redmond campus, hell is about to break loose from above on two unsuspecting admins..
Bob: You get that latest patch Homer?
Homer: Sure, I got it right here on this floppy.
Bob: Yah amazing how small patches are getting these days....
Homer: Yah, those guys over in the geek department are getting good...
Bob: Say, Homer, did you install that patch by any chance?
Homer: Sure, I put the disk in that one thing and the auto-fixy-thingy does all the work for me... Microsoft sure makes great stuff...
Bob: Yah, some day all we will have to do is patch software all day, won't that be great, no more this security garbage...
Wasn't the author of "Sapphire" also the guy who took advantage of some holes in Linux, with Lion.worm? At least they aren't taking sides, apparently. Seems like a good excuse to close off all data connections with China at least.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
Oh really? Very few?
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=3&tabid=4
"It just takes one machine to get going," he said. "At any given point in time, it is hard to be 100 percent patched with any machine. We are working hard to make patch management easier. But 100 percent is a high bar and in this case we are not there."
He said that it's a tough problem and that they're working on it. Then admitted MS's deficiency.
Oh wait, sorry! I forgot my blatantly-closed-minded-rabid-Linux-zealot glasses. I see your point now. Silly me. This is Slashdot, after all.
and HOW do you think it got into their INTERNAL network??? Maybe an EXTERNAL server was patched???
hmmmmmmmmmm
and if they paid attention to their SMTP and proxy servers, we'd have less spam to worry about.
and if they separated their networks, and kept outside access to a bare minimum (DNS, SMTP, HTTP, FTP, ...) they'd have another layer of protection when some cracker tries to get at their database.
and if a bullfrog had wings, he wouldn't bump his ass. least that's what my mom says...
--mandi
All production SQL Servers were probably patched long ago, in accordance with corporate policy for production servers, but in a company where actively learning about technology is encouraged for ALL employees, where there are several times more PCs than employees, where corporate policy allows employees tons of leeway with what they do with the sometimes multiple PCs in their own cubes, and anyone who wants to can install SQL Server off the network without having to worry about licensing ramifications, there are going to be tons of installations of SQL Server, SQL Developer Edition, and MSDE that the corporate IT group isn't actively managing. People may install SQL Server just to experiment with it, and then not keep up with all the security patches.
Most corporations likely won't have so many "unmanaged" installations of SQL Server.
Silly you, indeed! Five of thirteen root servers taken out of action by this silly worm based on a year old flaw, with not even M$ themselves able to "patch" their servers. Good thing they are going to make the easiest to use point and click admin tools that much easier to use, they just might get it up to 100%. Then someone else will drive another truck through some other hole and cost everyone even more money, thanks for the security hug.
Oh wait, sorry! I forgot my blatantly-closed-minded-rabid-Linux-zealot glasses.
Bah, you don't need eyes to see where that one goes, it happens once or twice a year like high tide. You can feel it. Tell me again about my big dick again, why don't you?
This is Slashdot, after all
You don't think it's an AOL forum do you?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
If you read the technical details of KB 316333, you will find that the link to download the patch is correct -- it is a real patch for Slammer. Can anyone update the story posting to correct the misinformation?
Anecdotal evidence seems to suggest that you are just lucky.
IANAL but write like a drunk one.
... are considered zealotry?
How many more "days of hell" do people need to understand that MS products are not what they are pushed to be.
MS products are mostly mediocre offerings that are popular due to luck (being in the right place at the right time) and predatory conduct in the market place.
Call me a zealot, but why if I would not engage with somebody of dubious moral character should I somehow give a convicted monopolist the benefit of the doubt?
IANAL but write like a drunk one.
...cackling from the guy whose software bugs allowed commands to be executed as root on some systems! After he stopped laughing he ordered the dev guys in for an extended bug tracking Sunday on Oracle 9i!!!
"I kill you! You no good 56'ing!"
From O'Reilly Net:
>The Microsoft SQL worm known as "Slammer" caused pager-beeping
>mayhem for system administrators all over the world on Saturday
>morning.
>
>The worm itself is interesting from a purely technical standpoint.
>Apparently, it is less than 400 bytes in size and fits nicely in
>a single UDP package. That's quite a reduction in overhead from
>previous worms such as Code Red and Nimda. The upshot is that each
>data packet can contain a complete copy of the worm. That's
>efficient.
>
>When the Saturday morning attack began, packet loss across the
>Internet was reported to be close to 20 percent, compared to the
>normal 1 percent figure. Once sysadmins got to work, loss was
>reduced to about 5 percent by later that day.
>
>Many analysts are saying this is a wake-up call for the Internet
>caretakers. Others say it's just another battle in the ongoing
>war between crackers and corporate interests.
Seems a computer engineer, a systems analyst, and a programmer were
driving down a mountain when the brakes gave out. They screamed down the
mountain, gaining speed, but finally managed to grind to a halt, more by
luck than anything else, just inches from a thousand foot drop to jagged
rocks. They all got out of the car:
The computer engineer said, "I think I can fix it."
The systems analyst said, "No, no, I think we should take it
into town and have a specialist look at it."
The programmer said, "OK, but first I think we should get back
in and see if it does it again."
- this post brought to you by the Automated Last Post Generator...