Slashdot Mirror
Slammer Worm Slams Microsofts Own
MondoMor writes "Microsoft's forgot to patch some of its own servers to protect it from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."
The article I read (on yahoo) states the unpatched servers were all on the internal network, not the internet, and that they were in use by researchers within microsoft.
Let's not jump too quickly on the bash microsoft bandwagon for that. (Of course, if they just did enough testing and didn't release buggy, vulnerable software in the first place...)
automatic update doesn't work with SQL server. you have to do patches the "old" way (unzipping files, renaming files, prayer), which is probably why so many novice admins never applied the patches.
Actually, the vulnerability exists for sql 7 as well. If you haven't patched it's only a matter of time.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
The thing to remember is this worm infected any machine running the MSDE (A scaled down MS-SQL server) So if you were running Access or Office 2000 or MS Visual Studio 6, or even Visio 2000 you could be affected by this. Most end users don't even know that they would be vulnerable and the statement "This particular worm largely ignored home and personal computers, due to the product it infects" is false. It also seems to have had an effect on certain Cisco routers. Not fun but you can't just blame "Poor Admins" as the culprits for the virualance of the worm.
*narf!*
There isn't only no way to get SQL Server patches from Windows Update, but (as the parent mentioned), the steps required to update SQL Server and the Desktop Engine (MSDE) is a royal bitch and some.
For example, to apply any hotfixes or cumulative patches for SQL Server 2000, you must download the package, extract it, backup the SQL Server install directory and databases, manually copy over DLL files and other updated binaries, execute the SQL query files included in the patch (one at a time, in a certain order... MSDE users need to use the command line interface for it since there is no GUI provided), then pray that everything is okay and start SQL back up.
My rejected submission -- more details, but a bit long. The big news in my mind was not the microsoft bit--it was that ATM machines were unavilable because of the worm.
;-) )
~~~
The worm that slowed the internet to a crawl over the weekend apparently did more damage than most originally believed. On Monday, many companies were still struggling to clean up. Financial companies and airlines seemed to be hit most acutely. Many web sites that manage payments and check loans were inaccessible. Inexplicably--and really inexcusably--some ATMS were also unavailable. Investigators are also struggling to pinpoint the worms starting point, but are having little success because it took off so fast.
Apparently similar code was released by David Litchfield of NGS Software Inc a few months ago. Virus "author," "Lion" credited Litchfield's code.
The Washington Post has an AP story up as well as this, which is older but has some additional details. The kicker to all this--the worm hit one year after Microsoft launched its "Trustworthy Computing." That and even some of Microsoft's own computers were hit (NYT Reg. Req.).
(Yep, still bitter
So close and yet so far from the world's perfect ID number
> Want to find a list of needed patches for a Microsoft product? Hope you have a few days for searching the endless volumes of technet or msdn-- hope you find everything.
. asp?url=/technet/security/current.asp
I usually just go here rather than searching endless volumes....
http://www.microsoft.com/technet/treeview/default
It is in fact blaming the victim for the software's flaws.
Yep. The same can be said for clicking on virus laden emails. Back when the "I love you" email virus was making the rounds, some MSCE type sent out an email scolding people for clicking on bad emails at the comapny where my wife worked. The next day, her inbox had 50 some emails from him where he'd clicked on a bad email.
Later the same week, our IT dept deployed the last anti-virus patch. I set it off looking at comments on Slashdot where somebody had posted the Word Basic macro that was doing all the dirty work. The dern virus scanner was keying off the macro source. That caused a bru-ha-ha.
Wansu, th' chinese sailor
I'm not talking about Service Packs... but hotfixes, like the one for MS02-056. Of course, they provide an additional tool to help automate the install process of hotfixes (here) that make it a bit easier. But before that was available, take a look at the previous cumulative patches for SQL Server 2000 and read the readme file for the install process. Not as easy as installing a Service Pack, no?
From about Internet Explorer: "Based on NCSA Mosaic. NCSA Mosaic(TM); was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign." Microsofts "smart work" was assimilating open-sourced non-GPL code to become internet literate. Explains why they dislike the GPL. It puts a damper on their research and innovation.
Logic is not Divine.
Well, SQL Slammer is only a TSR-worm and isn't stored anywhere but memory, so those who actually turn off their laptops as opposed to suspend or hibernate wouldn't be carriers.
...
Of course - it only takes one infected client
We do not live in the 21st century. We live in the 20 second century.
Zero defects is not an attainable goal; it's too expensive and no one wants to pay for it.
This article shows just what happens when you expect zero defects in the infrastructure of a large organization like Microsoft Corporation. It's not going to happen. And before someone says I'm Microsoft-bashing, I will say that this is true for the vast majority of corporations, universities, foundations, and governments. That would include Sun, IBM, Red Hat, even the *BSD folks and LKML participants.
There is a damn good reason we won't see zero defects: employees are not measured by it. Their survival, pay raises, and promotions are based not on the number of defects they don't have, but on their contribution to the "bottom line." If you preach zero defects as Job One, then prove it by firing the people who generate defects, without exception -- including the CEO, COO, CFO, CIO, and other top brass, when they screw up.
So now that the myth of zero defects has been exposed for what it is, what do we do about it?
System administrators are going to have to re-think their perimeter access controls. This may require router upgrades to add processing power to support additional filtering.
Sysadmins who have been running "mostly-open" filter configurations may want to consider moving to a "mostly-closed" configuration: deny everything except services that have been cleared for use. Don't allow arbitrary connections. Many unknowing MS SQL servers were protected from participating in this little exercise because the firewall upstream of the desktop system wasn't allowing connections to get through, even if the desktop system had a globally-routed Internet address.
Computer mail order houses and computer stores should consider carefully whether they should bundle appropriate software firewall products with the computers they sell. Software configured to require the user to say "Yes, I want to make SQL server available for public access!" before 1433 and 1434 would be open.
We need to ask the reporters and editors of mainstream publications to be more responsible when reporting problems like Sapphire/SQL. The facts were pretty well known, and available to those who tried hard enough to get them even at the height of the packet storm, so that reporters could make their deadlines and get the facts straight. [Names of the guilty withheld, at least for now -- they know who they are.]
Tier 1 and Tier 2 bandwidth providers need to consider modifications to their Acceptable Use Policies to require some basic filtering of packets in both directions. These AUP changes have been discussed before; perhaps now is the time for them to go into effect:
Update the Best Practices RFCs to incorporate some or all of these suggestions, so that Internet operators around the world can participate in solving the problem.
(N.B.: I want to point out that many USA-based cable operators are contributing to the problem by disallowing the use of NAT and VPN technologies in their apparent [alledged] quest to limit the broadband "Internet service product" to browsing and downloading files. I believe that such an attitude contributed to the problem, not the solution. I understand well the technical and business motivations for this, but I also believe that there are (U.S.) national security implications against such a policy. THINK!)
Are any of these ideas new? NO. The only new idea is to have the Lords Of The Internet use their influence over their customers to implement them more widely.
Good fences make good neighbors. The Internet is a neighborhood.
Rebooting clears the worm from memory and don't most people shut their laptop off when they carry it in to work? Actually we quite a few laptops and desktops that needed patching and the users had no idea that they had MSDE or SQL server running. Windows Update doesn't notify these users that they need patches, and these users definitely include the types that would have no idea that they need to track down obscure patches that didn't even, until this weekend, have an install routine. MSDE installs by default with Visual Studio .NET, ASP.NET web matrix tool, Office XP Developer, MSDN subscription, Accesss 2002, Visual FoxPro 7/8 and can be redistributed by vendors. Even worse, MSDE and SQL server install with a blank password, although I think it warns on install now.
SP3 just came out Jan 17th, 2003. Hotfixes are, as the other guy noted, a major pain. Manually installing the dlls and keeping your fingers crossed. I know this because I recently had to use a hotfix on our production software because SP2 introduced a bug that caused SQLServer to Crash during certain replication scenarios. I was anxiously awaiting SP3 so that I could get the hotfix off our customer's machine and I didn't even know it was out until the notice that it was the fix. I also spent half of December on the phone with SQL Server support and I asked at the time what I needed to make it secure, etc. I was told that SP2 had no security holes. MS botched this one big time. People are right about service packs breaking other code. Replication is a prime example, it doesn't work the same way in the original release as it does in SP1, nor does it work the same way in SP2...hopefully I don't find out that SP3 changed things too much.
cd /raid/8.0/updates
r edhat/linux/updates/8.0/en/os/i386/ -o logr edhat/linux/updates/8.0/en/os/i686/ -a log
/raid/8.0/updates/*.rpm | grep -v "md5 gpg OK"`
/raid/8.0/updates
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
saved=`grep saved log | grep -v ".listing"`
check=`rpm -K
if [ "$saved" ]
then
mail user1@domain.com user2@domain.com <<EOMAIL
New RedHat 8.0 RPMs downloaded onto `hostname`
Please update them:
$saved
$check
If there are any kernel updates, please run lilo before rebooting
EOMAIL
fi
Run this in the night some time.
When you come in, if you've got an email, run:
cd
rpm --freshen -vah *.i686.rpm
rpm --freshen -vah *.i386.rpm
Hey presto. Job done. And if you use Grub, you don't have to bother about running lilo.
Get your own free personal location tracker
RTF files can be read with WordPad, which is included with Windows.
Vote for global prefs bug
We actually had Slammer hit us through our client's network, which was not supposed to have any "extra" computers on it. We cannot install SP3 on that internal "isolated" network because the software that runs on top of it will break. It puts us between a rock and hard place. We have to wait for Honeywell to give us a patch to fix a Microsoft bug. Its like some bizarre bad dream.
10: PRINT "Everything old is new again."
20: GOTO 10
Microsoft incorrectly states in bulletin MS02-061 that SQL Server 7.0 and MSDE 1.0 are also affected by the worm.
While troubleshooting an issue related to the patch w/ MS phone support, the technician told me that 7.0 is not affected and the bulletin was incorrect.
It is entirely possible he was misinformed though.
SQL 7 is *not* succeptable to this vulnerability. SQL 7 doesn't use port 1434 for anything. That's new in SQL 2000. However, 7.0 is vulnerable to plenty of other things.
most of the few hundred lines of code is for a system that fetches the patches from a site that maintains a redhat mirror ( site selection by ping time ) to a local patch server, and does the comparison and selection ( w/ a somewhat optimized algorithm ), then moves old patches out of patch tree. It only took about 60 for the updating stuff. It's what I use on workstations. For servers and clusters, yes, I administer those more directly ( select an appropriate patch, drop it in a patch directory, and it is installed by autorpm ). Perhaps I should have clarified that. But I'm generally not too worried about most linux patches, as I can be sure that the patch I install for a utility or a desktop app isn't going to include something that break mysql, apache, etc. And you can use some of these package management packages ( no pun intended ) on most Unices, for example, RPM on AIX. Most of my admin experience is with Linux, but I've done some AIX + Solaris, and I'll agree that the default methods are a bitch, but they can be made more efficient and simple. And Linux is drop-dead easy to administer on workstations, pretty easy on servers, and very easy on clusters.
As to why I don't use up2date, it's because it chews up to much bandwidth ( ea. workstation hits redhat patch server ). I looked at using Ximian's stuff, but management shot it down.
And if administering w2k boxes is so damn easy, how come very few admins do it right? Proportionally quite a good deal less than their Unix counterparts? I can't verify the comments you made about w2k package management, as I quit doing windows around NT4.0/98 days, but I'll take your word on it. BTW, can this be remotely automated? But, still, how come everyone whines about how hard it is? And how come a frequent complaint ( and one I've seen w/ my site's sExchange mail servers ) is that one patch/update breaks other services/functionality?
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
Go home, plug into cable/DSL. Get infected. VPN in to Microsoft. Ooops.
Vintage computer games and RPG books available. Email me if you're interested.
Alot of sysadmins were waiting for the SP to be released before even approaching this one, just because the patching process is so complex. They just waited a week too long
Ive read that the patch before this thing went big was a bitch. Basically it was a lot of manual this and that updating and rebooting. Basically this meant a lot of people couldnt get aproval from management to patch the server.
I don't understand where the difficulty comes in. You run the service pack, it extracts to your root drive (or whereever you want it to, actually.) You then run setup.bat -- That's it! You're patched!
Some have said they applied the patch and still were vunerable./Some have said the patch fucked their server.
It worked for me, and I can't speak of the ones it didn't work on. SP3 came out a few weeks ago, and admins should have at least had that installed.
Also, I think I read that the cumulitive SQL server patch that was supposed to be out a long time ago finally came out as soon as this worm hit.
Bullshit. The patch to fix the overflow problem came out half a year ago. And the service pack (which includes the patch) came out a few weeks ago.
Don't believe everything you hear..
Not All Who Wander Are Lost
You make a very good point that I didn't see in the last round of comments when /. broke the story. There were, however, excessive numbers of comments along the lines of "those people are so stupid why didn't they just patch their systems".
Personally, I don't run M$ servers. When I did, it was a bitch. Patches that "fixed" one thing broke two other things, and that which was working properly stopped.
One specific example is in the NT service pack series: between SP3 and SP4 (I believe) the format/structure of the NT filesystem changed. If you formatted a partition in post SP3 (SP4 or greater), you could NOT access the partition when you had to rebuild the system (6-12 mo later) UNTIL you made it back up to SP4+.
Why do I want to apply a patch which will probably break my system? To close a security hole, yes. While I'm a bit of a security 'nazi', I wonder sometimes if the patch is worse than the risk of a security breach.
There is very little future in being right when your boss is wrong.
However, we should be very careful about bragging about it, because as it turns out UNIX admins are not that fast either. A study of an OpenSSL vulnerability and the subsequent release of the Slapper worm shows that many admins need some fire before they get moving.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
It's not that bad really, I think later versions of the patch even included a batch file to copy stuff around for you. Even without it, it only took 10 minutes... I mean really, if somebody can't handle this kind of stuff should they really be an admin?
Some have said they applied the patch and still were vunerable.
Yeah you have to be careful with this stuff, if you apply patches in the wrong order you can sometimesend up with the vulnerable code still there. I know a _really_ good admin that got hit with Code Red because of that. The correct order can sometimes be a bit of a mystery.
Some have said the patch fucked their server.
That's the big problem with this situation. I can understand why people don't have this patch or SP3 installed. You really never know what one of these things is going to do. It is common for amins to schedule a 3 hour downtime to roll something like this in, even if they have tested the hell out of it. You need time to get the damn thing back out if it screws stuff up. I deployed W2K SP3 onto my terminal servers a few months ago and it broke Office on every one of them. It didn't do that when I tested it, took me hours to clean it up.
> > Would you rather have a system where you have to manually implement every patch, or would you rather have a system where you didn't have any choices which patches were implemented?
> The first choice would lead to a lot more work.
I find the application-specific security patches we do under Linux to be trivially easy:
- Read the announcement to see whether it applies.
- Click link to download the update (else use ncftptget).
- Verify checksum.
- Apply patch by typing one line in su window.
- [Restart daemon, if needed.]
The only time it's tedious is when it's a kernel upgrade (rare) or when it requires downloading something big from a patch-dotted server.Sheesh, evil *and* a jerk. -- Jade
actually what made this especially bad was UDP. Not many programs run on UDP ports almost always they are TCP. TCP has a VERY important feature and that is upon a non-ack'd window it throttles back the send rate. This is a way to get congestion feedback to a host and tell it to "settle down". The problem with UDP is there is no way to tell it to slow down. Also, the fact that the Internet is a "best effort" network means that no matter what the UDP incoming rate the routers will do their best to deliver the packets. This comes at the expense of all other traffic flows in the router, no way to get congestion feedback to the host means no way to limit the incoming rate. Even if the routers just dropped the packets that still increases CPU and RAM utilization and with the volume that was happening would still probably bring traffic throughput to a trickle.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
I don't think there is much danger to home users. While MSDE is included with those products it is not part of the normal installation. You usually have to run a second setup to install it. Even in VS.Net, if you choose to install MSDE, it simply copies MSI package to your hard drive and informs you that you will have run the install.
Even earlier?
Uh, I'm sure you meant to clarify that while mainstream NT4 Workstation support certainly is up on 30-Jun-2002, Win2k Pro is up on 31-Mar-2005. That's 3 years, 3 months later than NT4. And the extended goes until the same date in 2007. That's over 4 years away. Win2k isn't going anywhere.
Do you think you'll still be using (insert current Linux distro) in seven years? What were you using seven years ago, and is it what you use now?
Companies cannot support a particular product forever, simply because they created it. I, for one, am glad that Microsoft does this. It enables me to phase out old systems, that, while useful in their purpose, are simply not cost effective to keep running anymore. It is a convenient excuse to say, "Sorry, but Microsoft doesn't support it anymore, so we can't. We'll either need to get a new system or you can go without support." Seven years is quite a bit of time, in the relatively fast moving tech sector. I realize that there are a bunch of examples where people need support for a large, unwieldy system that cannot be easily upgraded. But that is simply the nature of the beast. No one ever said doing this was easy.
Of course there are some people that say, "I'm still using Red Hat 2.1, and you'll never make me change!"
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium