Slashdot Mirror

← Back to Stories (view on slashdot.org)

Slammer Worm Slams Microsofts Own

Posted by ryuzaki0 on from the oops-they-did-it-again dept.

MondoMor writes "Microsoft's forgot to patch some of its own servers to protect it from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."

9 of 514 comments (clear)

  1. SQL Server by pdbogen · · Score: 5, Interesting

    At my office, we weren't vunerable because we /didn't/ upgrade. We were still running SQL 7.. Just goes to show you...

    1. Re:SQL Server by B1 · · Score: 5, Interesting

      It's funny. I think a while back, there was an article posted about security through obsolescence.

      Basically, the idea is that by running "ancient" versions of software products, the script kiddies are completely thrown for a loop--their collections of 'sploits only work on more recent versions of code.

      Not that I advocate it, of course, but you made me think about it.

  2. The Irony by Merlin_1102 · · Score: 5, Interesting

    Oh the irony in this. Microsoft always insists you update your patches, but for some reason they don't. O well this could be a good thing for network administrators as at the end it stated they were going to work on a new way to install patches.. Or thats what it looked like they said to me.

    1. Re:The Irony by bob670 · · Score: 5, Interesting

      You are correct, we use a third party payroll system on a SQL 2000 server. Every patch so far has broken some part of the payroll system, and those same execs screaming for security scream even louder when paychecks don't get cut.

      I have come to dread every MS patch with a certain sense of dread. At least on the desktop you can build an image and test it with no real risk, but on production servers it's a total gamble, and I'm tired of bettig my ass (and personal life, and sleep, and job title) on Microsoft. Our SQL box is behind a firewall and no other SQL (developer or otherwise) runs in house, so I took a pass on this patch until the guys that code the payroll system have approved it. That might sound great until you know they are 3 guys who support 5 products (with multiple versions) and it takes them months to test anything.

      I'm quite glad MS gets bit by their own bugs, now that's good karma.

  3. Nailed us. by nortcele · · Score: 5, Interesting

    God knows why, but our company had an NT box running MS-SQL outside the Unix firewall.
    It got nailed and then apparently had privileges to come in and nail the rest...

    Took us out for 12 hours. We are talking significant production loss here. I'm just thanking
    my luck stars that I have nothing to do with our NT setup.

    I snicker and do my little dance quietly in my cube.

  4. Re:Microsoft didn't patch all their INTERNAL serve by jrumney · · Score: 5, Interesting
    OK, so how did these servers get infected in the first place, if they weren't on the internet?

    Was the Slapper worm developed by a disgruntled Microsoft employee, and unleashed from within Microsoft?

  5. Re:Speaks volumes for their policies... by municio · · Score: 5, Interesting

    if this info gets around enough

    I don't think so. I watched a 4 min report on the Slammer Worm in CNN on saturday and they fail to mention either MS or SQL Server. It was an "internet worm", originated by some haker in the internet for the internet. For 4 min they danced around the news without any mention of Redmond or any of their products.

  6. The MS security update is confusing by ortholattice · · Score: 5, Interesting
    While I had this update applied, I felt and still feel uncomfortable that it is installed correctly. The update is confusing. I wouldn't be surprised if a lot of people installed it wrong. (I believe MS now has an updated version they released _after_ the worm that is easier but haven't checked it out.)

    As an aside, the instructions are in a readme.rtf file, even though they are actually just plain unformatted ASCII text pasted into Word. Who in their right minds would have Office 2000 installed on their SQL server? Or is this supposed to be standard practice? Gee, I guess should also look into putting OpenOffice on my Linux firewall.

    Here are some quotes from Microsoft's instructions.

    In the instructions that follow, the designation refers to the path on your disk in which the SQL Server files are installed. This path is typically :\Program Files\Microsoft SQL Server\Mssql. Note that the Mssql directory may be MSSQL$ for a named instance installation.

    OK, but there is also a Microsoft SQL Server\80\Tools\Binn\ directory. What about this one?

    3. Make a back up copy of the ssnetlib.dll files from the \Binn folder and the ssnetlib.pdb files from the \Binn\dll folder.

    ssnetlib.dll "files"? Why plural? I only found one in the path they seem to reference, but actually there was another one in Microsoft SQL Server\80\Tools\Binn\. However there was no ssnetlib.pdb in the main path nor was there even a directory Microsoft SQL Server\80\Tools\Binn\dll.

    4. Copy the ssnetlib.dll files from the hotfix self-extracting archive into the \Binn folder and the ssnetlib.pdb files into \Binn\Exe folder.

    Again, how can there be ssnetlib.dll "files"? What are they talking about? Also, earlier the (non-existent) ssnetlib.pdb file was supposed to be backed up from the Dll folder, now we put the new one into the Exe folder?

    6. Test the scenario for the bug that this build fixes to verify that your problem is resolved.

    OK, so I unleash Slammer on my network to make sure the problem is fixed? (And how would you test it before Slammer was officially released?)

    (NB: some of the above may not be completely accurate, being based on old scribbly notes jotted down in the midst of confusion. However the quotes are direct from readme.rtf.)

  7. Problem is IPv4 by Jimmy_B · · Score: 5, Interesting

    No one's laid blame on it, but I think that the real way to get rid of these worms is to transition the net to IPv6. Slammer, Code Red, Code Red 2... all of them work by brute-force IP scanning. That only works because the IPv4 addres space is so densely populated; with IPv6, a worm would never be able to spread itself that way because the odds against a random hit are astronomical. I'm not saying that this should be a substitute for keeping servers up to date, but all the patching in the world doesn't help when the problem is that some faraway node is crushed under the traffic created by a worm, and IPv6 is good for many other reasons as well.