Slashdot Mirror
Slammer Worm Slams Microsofts Own
MondoMor writes "Microsoft's forgot to patch some of its own servers to protect it from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."
damn
i would've beat you if MS SQL wasn't slowing me down
And I just thought the whole internet had been slashdotted! Who would have even imagined another design flaw in an MS product.
At my office, we weren't vunerable because we /didn't/ upgrade. We were still running SQL 7.. Just goes to show you...
I am so happy Microsoft got a taste of the problems that their own buggy software has...I wonder how many times this will have to happen to them until they get the picture.
"That vulnerability is completely theor...oh shit!"
Relying on a vendors automatic update feature is no substitute for solid system administration.
Oh the irony in this. Microsoft always insists you update your patches, but for some reason they don't. O well this could be a good thing for network administrators as at the end it stated they were going to work on a new way to install patches.. Or thats what it looked like they said to me.
I'm glad to say that my servers were unaffected. Slapper does not affect AS/400 nor Linux.
"History doesn't repeat itself, but it does rhyme." Mark Twain
...says that patch management in Microsoft operating systems gets 100% better in 1 year :P
Don't believe anything I say. I crash test crack pipes for a living.
Just goes to show that no matter who you are, you shouldn't use MS SQL.
but hey, to each their own...
As one of the articles I read on the issue stated, it really does show that their policy of blaming the users for not patching their systems perhaps isn't the best approach to take. It is in fact blaming the victim for the software's flaws. Maybe this will turn microsoft more towards making sure their products are more secure from the start if this info gets around enough. Yes, I know Billg's "Trusted Computing" plan is rather new, but they sure seem to get caught with their pants down often.
today is spelling optional day.
Larry Ellison is cackling like a little girl........
(found on another forum) 01/25/2003 1:04:37 PM
"MSN was total messed up, I couldn't even log on to the net last night it said that my user name and passworded was invalid so I call them up and the tech guy says wow that's weird I can't ether."
-- Boycott Shell
The article I read (on yahoo) states the unpatched servers were all on the internal network, not the internet, and that they were in use by researchers within microsoft.
Let's not jump too quickly on the bash microsoft bandwagon for that. (Of course, if they just did enough testing and didn't release buggy, vulnerable software in the first place...)
Who the hell has their SQL server in the public side of their firewall? These things shouldn't be directly accessable to any worm.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This story supposes that Microsoft should somehow be a paragon of network infrastructure. It's clear from past events that MS is among the lamer of companies when it comes to infrastructure/security. Take, for example, the time DNS for just about the entire collection of MS domains, such as msdn.com and microsoft.com, were completely disabled by an attacker. They had all four of their nameservers on the same subnet, and all running Microsoft DNS software. An easy target to say the least. Calling this sophomoric is being kind. It didn't take them long to fix it, and I believe that now they contract out their DNS to get maximum diversity (and they even utilize Unix nameservers!).
I fully expect to see more entertaining stories like this for a long time to come.
In reality, admins running enterprise systems must remember to check what the patch fixes and weigh it against known issues it may cause. In Microsoft's case, their admins would be sure to know the service release is out. My guess is compatability testing indicated they should wait for a future patch, or until they changed something in their setup that would make any problems from the patch a non-issue.
www.atacomm.com - The Leader in VoIP Product Distributi
How many times have you, on a Win2k server clicked the check box labeled "Remind me in four hours" and waited for the next shift to patch the box?
Oh joy, the pleasures of having an automated "Patch-me-now" daemon.
Lazy admin, none the less.
I wonder how long it will be before companies that are hit hard by this will start terminating those responsible. Now, obviously part of the blame goes to the one responsible for the infected machine, and part of the blame goes to the software maker (Microsoft in this instance).
This, like most other large-scale worm or virus infections, was completely preventable. So many machines are infected due to 1) lazy admins, 2) admins who are asked to do too much and didn't have time to patch all systems regularly (possibly because of staff cuts), and 3) Complete idiots who don't know any better and shouldn't have their job in the first place.
This particular worm largely ignored home and personal computers, due to the product it infects. However, I think a lot of companies sit back and say, "Well, I sure am glad that we have Tom to get this all fixed for us... without him, what would we do?"
That is the problem. Those in charge need to understand that it is both Microsoft's and the admins fault for things like this to occur. It rarely "just happens" and most large-scale attacks were preventable by a month, or even a year before the vulnerarability was exploited.
Eventually, I hope this leads to a shakeout of all the poor admins, or the managers who place too much workload on their admins so that they do not have time to do it right.
If you had nuts on your chin, would they be chin nuts?
God knows why, but our company had an NT box running MS-SQL outside the Unix firewall.
It got nailed and then apparently had privileges to come in and nail the rest...
Took us out for 12 hours. We are talking significant production loss here. I'm just thanking
my luck stars that I have nothing to do with our NT setup.
I snicker and do my little dance quietly in my cube.
With the exploits going around recently I've realized a couple of things when it comes to security.
First and foremost is secure code. Right now, almost everyone and their grandmother has a firewall. They do a good job of protecting ports a user can't shutdown totally (some NetBIOS ports) and protecting insecure applications a user or organization wants to run internally but doesn't want the world to access (NFS, NIS, etc). The majority of these exploits target applications that firewalls will usually let past such as HTTP, FTP and e-mail.
Frankly I'm not sure how coders should go about writing secure applications, but it needs to be done. Perhaps at large organizations there should be a dedicated person or term in charge of verifying code is clear of buffer overflows and other nasties. Either way, the code itself needs to be secure or because a firewall won't do a thing. Without it even the most secure configurations will continue to be cracked.
Second is firewall configuration. Many firewall administrators tend to forget about outbund packets. Obviously there are some they need to let out (HTTP, FTP) but when it comes to things like SQL and outbound portmap, there's really no reason. Depending on the organizations needs they can more than likely block all outgoing UDP. By doing this they can help slow the spread of worms (such as this one) and reduce liability when it comes to crackers using their systems as a point to attack other systems.
Firewalls that block incoming packets just don't cut it, and never have. We need to have secure code and need to block unnecessary outbound packets as well.
Was the Slapper worm developed by a disgruntled Microsoft employee, and unleashed from within Microsoft?
From the article:
"Publicly, they are saying it's not our fault, because you should have patched. But Microsoft's own actions show that you can't reasonably expect people to be able to keep up with patches."
What he really means is that you need a better patch system. SQL server patches, and many others, are not covered by Windows Update.
Why not?
I just love these lines:
"Seems like every time I install a system patch, something else goes wrong with my system," said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won't patch for many months, because they don't trust Microsoft to fix the problem without breaking some other function of the software.
"In most cases, I'm better off just playing Russian roulette with the hackers until our servers are broken into," he said.
another place where Unices have MS beat?
Yep.
I love the way the article makes security + patching seem such a burden on system administrators. It's one of the main functions of a sysadmin's job. Any sysadmin who thinks security patches are optional, regardless of how shitty your OS's package management + patch integration is, deserves to have their network taken down and their ass fired.
Though I do get a kick out of thinking of the nightmare the Windows admins have keeping up to date with patches, whereas a few hundred lines of perl, and I have my own automated patching system, and RPM keeps track of it ( no rpm vs. deb flames, thank you ).
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
....of an horrific accident in Redmond, WA, in which the ever popular and much loved Slammer worm has become infected by a particularly pernicious dose of Windosis. A round-the-clock vigil has been in progress since Saturday, and the nations top experts have been called in to try to save Slammer. "17'5 700 34rLy 700 54y 1f w3 c4n 54v3 h1m" said pUrPle_rONniE, a pasty looking spokeman for the uninstall SWAT team. "w3 0wnz y00". This is only the 200,502,738th reported case of Windosis since 1982. The Department of Justice have yet to seal off the area to prevent further contamination.
Modest doubt is called the beacon of the wise. - William Shakespeare
Clearly Microsoft has a serious problem communicating the need to apply certain patches.
... a company serious about security would have a consistent and documented way for finding the version information of their software.
Of course, it's the customers fault.
When the original story came out I couldn't count the number of posts pointing out that the patch was released a while ago for this problem while totally discounting the fact that most of the world fell prey to it.
Redhat, for instance, boldly displays all the security problems AND patches on a single page for its products.
Want to find a list of needed patches for a Microsoft product? Hope you have a few days for searching the endless volumes of technet or msdn-- hope you find everything.
Want to know the patch level for your Microsoft software? Have fun, it's randomly displayed somewhere in the product... maybe in the about box... maybe just a file version
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
My rejected submission -- more details, but a bit long. The big news in my mind was not the microsoft bit--it was that ATM machines were unavilable because of the worm.
;-) )
~~~
The worm that slowed the internet to a crawl over the weekend apparently did more damage than most originally believed. On Monday, many companies were still struggling to clean up. Financial companies and airlines seemed to be hit most acutely. Many web sites that manage payments and check loans were inaccessible. Inexplicably--and really inexcusably--some ATMS were also unavailable. Investigators are also struggling to pinpoint the worms starting point, but are having little success because it took off so fast.
Apparently similar code was released by David Litchfield of NGS Software Inc a few months ago. Virus "author," "Lion" credited Litchfield's code.
The Washington Post has an AP story up as well as this, which is older but has some additional details. The kicker to all this--the worm hit one year after Microsoft launched its "Trustworthy Computing." That and even some of Microsoft's own computers were hit (NYT Reg. Req.).
(Yep, still bitter
So close and yet so far from the world's perfect ID number
I agree, I am sure MS had policies in place to keep all public-facing servers fairly up2date. One thing that I found to be true is when the article mentioned that alot of the developers internally had installed SQL or MSDE on their workstations. I know that when our comapny got Code Red / Nimda, it was the developers workstations with IIS that were propagating it to the rest of the network.
Just goes to show that people who are paid to be technically apt can be just as much of a crutch and regular users.
"Provided by the management for your protection."
Just goes to show that no matter who you are, you'd better keep your apps patched.
No, it shows rather that no matter who you are, you should not use Microsoft's server and database solutions.
Sigged!
Ive been hearing a lot of this and thats and I was hoping to get the straight dope.
Ive read that the patch before this thing went big was a bitch. Basically it was a lot of manual this and that updating and rebooting. Basically this meant a lot of people couldnt get aproval from management to patch the server.
Some have said they applied the patch and still were vunerable.
Some have said the patch fucked their server.
Also, I think I read that the cumulitive SQL server patch that was supposed to be out a long time ago finally came out as soon as this worm hit.
Since I do NOTHING with Sql servers, I dont keep up on this. But I do have to answer to security questions and general FUD so, for those in the know -- whats true and whats not?
The ultimate network admin tool needs HELP!
Well..sort of. SQL Server 2000 SP3, which fixes this problem, comes in a self-extracting exe which asks you for the target directory. You then go to that target directory and run setup.bat: The installer automatically shuts down SQL Server for the initial part, installs the patches (you copy over absolutely no dlls or binaries), restarts SQL Server for the final part where it then runs the update SQL scripts. It really is a trivial process. As far as backing up your data you should be doing that regularly anyways. This process is the same for MSDE installations.
I don't know where this myth of hyper-complex SQL Server updates came from. Admittingly it is a bit more complex if you have multiple instances, but generally that goes along with more advanced administrators anyways.
As an aside, the instructions are in a readme.rtf file, even though they are actually just plain unformatted ASCII text pasted into Word. Who in their right minds would have Office 2000 installed on their SQL server? Or is this supposed to be standard practice? Gee, I guess should also look into putting OpenOffice on my Linux firewall.
Here are some quotes from Microsoft's instructions.
OK, but there is also a Microsoft SQL Server\80\Tools\Binn\ directory. What about this one?
ssnetlib.dll "files"? Why plural? I only found one in the path they seem to reference, but actually there was another one in Microsoft SQL Server\80\Tools\Binn\. However there was no ssnetlib.pdb in the main path nor was there even a directory Microsoft SQL Server\80\Tools\Binn\dll.
Again, how can there be ssnetlib.dll "files"? What are they talking about? Also, earlier the (non-existent) ssnetlib.pdb file was supposed to be backed up from the Dll folder, now we put the new one into the Exe folder?
OK, so I unleash Slammer on my network to make sure the problem is fixed? (And how would you test it before Slammer was officially released?)
(NB: some of the above may not be completely accurate, being based on old scribbly notes jotted down in the midst of confusion. However the quotes are direct from readme.rtf.)
I know, I know... there are going to be tons of posts lambasting admins for not updating their boxes. Sometimes the cure is worse than the disease. Hell, last week a live update caused a catastrophic failure to the email systems. The IS boys were not lazy, did what they should, and lost 36 hours of their lives rebuilding the boxes from tape because of a bad patch.
Patches that fix something specific are fine. Patches that add new features or change API behavior can really make a mess. I've seen plenty of kit that requires xx service pack and the latest yy version breaks it.
As a side note, make sure you get the patch if you are running the MSDE on any of your boxes.... Same problem as SQL server - way to many vendors will fold that one into a dev version of a product. I know I almost found out the hard way...
+++ UGUCAUCGUAUUUCU
There are quite a few "porous" holes that get into Microsofts internal networks. None of them are direct and without something like this worm that uses their own software, none are likely to allow much in.
I've worked in some of the Microsoft data centers and done design work... I know how hard they (just like many of my other non-microsoft customer) try to keep people "out" of these networks. But I've seen development projects go on the "soft" network and then get forgotten about. Its machines like these that probably provided the bridge back into MS.
It happens. Regardless of the company. Just some get more publicity than others. You think BofA didn't have firewalls? And yet they went offline for what... half a day or more?
I'm not talking about Service Packs... but hotfixes, like the one for MS02-056. Of course, they provide an additional tool to help automate the install process of hotfixes (here) that make it a bit easier. But before that was available, take a look at the previous cumulative patches for SQL Server 2000 and read the readme file for the install process. Not as easy as installing a Service Pack, no?
Well this episode shows that you can drag the camel to the well but you can't make them drink the water.
Now Microsoft is in an awkward position. They claim its not their fault: admins should have noticed the original security advisory and patched their machines. But how do they expect 3rd parties to keep up and pay attention when their own internal resources don't?
For a full time system admin that is paid to do nothing but maintain the servers following the advisory and patching escapades is their job. However a developer working on a piece of software that requires MS-SQL Server doesn't have the time nor the energy to. Reading the patch it sounds like it isn't exactly a "click-and-go" process and is a little scary. To a developer I'm not so sure its short sightedness. I spend a lot of time working on product, not following security advisories nor do I spend a lot of time applying complex or risky patches. To a developer the risk of having an unpatched, internal usage machine is much much much less than breaking the environment and screwing up your work schedule.
Harping on admins that got caught is one thing. Harping on developers to follow and apply every patch is futile. So futile that not even Microsoft themselves internally would try.
They release fixes that people have been so conditioned to avoid that they even do so themselves. It hardly seems to be a fix if nobody will touch it with a ten foot pole.
No one's laid blame on it, but I think that the real way to get rid of these worms is to transition the net to IPv6. Slammer, Code Red, Code Red 2... all of them work by brute-force IP scanning. That only works because the IPv4 addres space is so densely populated; with IPv6, a worm would never be able to spread itself that way because the odds against a random hit are astronomical. I'm not saying that this should be a substitute for keeping servers up to date, but all the patching in the world doesn't help when the problem is that some faraway node is crushed under the traffic created by a worm, and IPv6 is good for many other reasons as well.
It should read "Slammer Worm Owns Microsoft" not "Slammer Worm Slams Microsofts Own".
;) Still, there is some reporting I usually provide our team but my data source is still pooched.
I'm saying that from behind Microsoft's firewall - I should know.
It sure was a giggle on Monday seeing all the warning letters taped on every door and elevator in the building.
Most ops stuff seems up now - as up as they ever are
Oh well... I can still browse slashdot.
I figure this post is blatant karma whoring, but if it helps some geek out there smile...
**Microsoft Confidential - Do not forward**
All Computers Running SQL Server 2000 and
MSDE Required to Load SQL Server 2000 Service Pack 3
say no more!
. This sig unintentionally left blank. I meant to put something here, but I'm busy.
Zero defects is not an attainable goal; it's too expensive and no one wants to pay for it.
This article shows just what happens when you expect zero defects in the infrastructure of a large organization like Microsoft Corporation. It's not going to happen. And before someone says I'm Microsoft-bashing, I will say that this is true for the vast majority of corporations, universities, foundations, and governments. That would include Sun, IBM, Red Hat, even the *BSD folks and LKML participants.
There is a damn good reason we won't see zero defects: employees are not measured by it. Their survival, pay raises, and promotions are based not on the number of defects they don't have, but on their contribution to the "bottom line." If you preach zero defects as Job One, then prove it by firing the people who generate defects, without exception -- including the CEO, COO, CFO, CIO, and other top brass, when they screw up.
So now that the myth of zero defects has been exposed for what it is, what do we do about it?
System administrators are going to have to re-think their perimeter access controls. This may require router upgrades to add processing power to support additional filtering.
Sysadmins who have been running "mostly-open" filter configurations may want to consider moving to a "mostly-closed" configuration: deny everything except services that have been cleared for use. Don't allow arbitrary connections. Many unknowing MS SQL servers were protected from participating in this little exercise because the firewall upstream of the desktop system wasn't allowing connections to get through, even if the desktop system had a globally-routed Internet address.
Computer mail order houses and computer stores should consider carefully whether they should bundle appropriate software firewall products with the computers they sell. Software configured to require the user to say "Yes, I want to make SQL server available for public access!" before 1433 and 1434 would be open.
We need to ask the reporters and editors of mainstream publications to be more responsible when reporting problems like Sapphire/SQL. The facts were pretty well known, and available to those who tried hard enough to get them even at the height of the packet storm, so that reporters could make their deadlines and get the facts straight. [Names of the guilty withheld, at least for now -- they know who they are.]
Tier 1 and Tier 2 bandwidth providers need to consider modifications to their Acceptable Use Policies to require some basic filtering of packets in both directions. These AUP changes have been discussed before; perhaps now is the time for them to go into effect:
Update the Best Practices RFCs to incorporate some or all of these suggestions, so that Internet operators around the world can participate in solving the problem.
(N.B.: I want to point out that many USA-based cable operators are contributing to the problem by disallowing the use of NAT and VPN technologies in their apparent [alledged] quest to limit the broadband "Internet service product" to browsing and downloading files. I believe that such an attitude contributed to the problem, not the solution. I understand well the technical and business motivations for this, but I also believe that there are (U.S.) national security implications against such a policy. THINK!)
Are any of these ideas new? NO. The only new idea is to have the Lords Of The Internet use their influence over their customers to implement them more widely.
Good fences make good neighbors. The Internet is a neighborhood.
Does the cost of lost GLOBAL productivity (lost internet access in the workplace) and lost commerce (the ATMs going down) of this shizzah get get added to the total cost of ownership of MS products?
http://pcblues.com - Digits and Wood
...a lot of unemployed second-rate MS SQL admins should be hitting monster.com soon, if management have any sense whatsoever.
That these morons basically brought the internet to its knees Friday night through gross incompetence should be reason enough to fire every last one of 'em.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
cd /raid/8.0/updates
r edhat/linux/updates/8.0/en/os/i386/ -o logr edhat/linux/updates/8.0/en/os/i686/ -a log
/raid/8.0/updates/*.rpm | grep -v "md5 gpg OK"`
/raid/8.0/updates
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
saved=`grep saved log | grep -v ".listing"`
check=`rpm -K
if [ "$saved" ]
then
mail user1@domain.com user2@domain.com <<EOMAIL
New RedHat 8.0 RPMs downloaded onto `hostname`
Please update them:
$saved
$check
If there are any kernel updates, please run lilo before rebooting
EOMAIL
fi
Run this in the night some time.
When you come in, if you've got an email, run:
cd
rpm --freshen -vah *.i686.rpm
rpm --freshen -vah *.i386.rpm
Hey presto. Job done. And if you use Grub, you don't have to bother about running lilo.
Get your own free personal location tracker
Dissmising something because you know its flaws is not bigoted, it's reason. I can reasonably dismiss Microsoft Software from consideration based on their faulty development, distribution and security models. The process is so cumbersome and inferior that they themselves suffer. Why should I expect anyone else to do any better? Due to other problems, ultimately rooted in philisophical issues, I do not expect M$ to get any better any time soon. In fact, I expect things to get worse. Why would I ever trust their software with my data, time and effort? There's nothing M$ does that I can't do with free software, and there's much I can't do with M$ junk that free software does with ease. This is not a biggoted view, it's an application of experience and reason.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
If it is not cost effective for MS, which faces the highest damages from such incidents (think PR), to patch its own software, how can they argue it is cost effective for ANYONE to insure that everything gets patched?
It seems to me if one were to include the costs of patching, insuring everything gets patched, and the expected losses (I assume probality is inherently high in then non-Unix world) from the inevitable missed patch (or, nonexistent patch/late patch), MS TCO would go through the roof. Then again, maybe the entire concept of TCO doesn't matter when the most significant costs can be hidden from ignorant managers who act as the software purchasing agents of the company.
Sdelat' Ameriku velikoy Snova!
No linux vendor does anything like this; it's absolute insanity, and it's half the problem with MS admins (not) patching their software - they know better.
For years I was forced to run an IIS server which was outdated, unpatched, and very vulnerable. I couldn't update it because the service packs would break the software running on it - and the reason was that the service packs, while they fixed the vulnerabilities, also introduced all sorts of new features I did not need or want. So I was reduced to keeping a very watchful eye on it.
The entire infrastructure of Microsoft software distribution method is simply broken, and stupid.
Push the button Max!!!!
We actually had Slammer hit us through our client's network, which was not supposed to have any "extra" computers on it. We cannot install SP3 on that internal "isolated" network because the software that runs on top of it will break. It puts us between a rock and hard place. We have to wait for Honeywell to give us a patch to fix a Microsoft bug. Its like some bizarre bad dream.
10: PRINT "Everything old is new again."
20: GOTO 10
I would verify but the hotfix in question has an auto-extraing exe that as a part of the extraction process first checks if there is a compatible instance of SQL Server. There isn't even a readme with this file I noticed, and my presumption is that the exe automatically installs the hotfix (given that it has the brains to check that there is a compatible version as a first step), though I can't verify that as my instance is already SP3. I'm not saying you're wrong, but I am curious how the hotfix experience is for anyone else who grabbed that file.
Rick Devenuti, the chief information officer for the software giant... "We are not sure how the virus got into our network," Must have been terrorists! ... "It just takes one machine to get going," he said. "At any given point in time, it is hard to be 100 percent patched with any machine. We are working hard to make patch management easier. But 100 percent is a high bar and in this case we are not there."
Oh, it's too hard, that's it. Too bad they don't have a nice system like Debian's stable distro and apt-get upgrade to keep things all patched up. But wait, M$ patches break other software! It must just be impossible to keep them up.
I'm so sorry that I called those poor M$ admins losers. Blaming the user for your shitty software's failures is a Microsoft thing to do.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Although I respect Bruce Schneier (like he cares), I think it's pretty stupid to be quoted saying "This shows that the notion of patching doesn't work," without providing an alternative solution. I would love not to patch my servers, but perfect software just doesn't exist. What options do I have?
Microsoft incorrectly states in bulletin MS02-061 that SQL Server 7.0 and MSDE 1.0 are also affected by the worm.
While troubleshooting an issue related to the patch w/ MS phone support, the technician told me that 7.0 is not affected and the bulletin was incorrect.
It is entirely possible he was misinformed though.
. . . but maybe Microsoft thought those particular servers were still running BSD . . .
I'm not tense. I'm just terribly, terribly, alert.
SQL 7 is *not* succeptable to this vulnerability. SQL 7 doesn't use port 1434 for anything. That's new in SQL 2000. However, 7.0 is vulnerable to plenty of other things.
Oops. Slapper -> Slammer. My bad.
Alot of sysadmins were waiting for the SP to be released before even approaching this one, just because the patching process is so complex. They just waited a week too long
Although you fufilled Slashdot's "$" and "Winblows" quotas for the day in your post, why is this modded as Funny? Should be modded as "Totally Stupid and Untrue".
Pfft.
Not All Who Wander Are Lost
Would you rather have a system where you have to manually implement every patch, or would you rather have a system where you didn't have any choices which patches were implemented?
.NET and WMP 9 on your computer. The second choice would also automatically sign you on to whatever contrac--er...license agreements that came with the patches.
The first choice would lead to a lot more work. The second choice would have automatically installed
Power is like entropy. It always seeks to increase.
What's this Submit thingy do?
It's easy to blame someone for not having his/her systems patched. But i believe, that the average patch level on Windows Systems is higher than on Unix systems.
Most of the Unix (espescially servers) system just run and don't cause trouble. So nobody thinks of and patches them. A 1000+ days uptime is something to make a sysadmin proud and a security adviser weep.
As many Windopws sysadmins have trouble to debug their system in depth, in the case of problems they try to apply available patches first (second action taken after reboot). So, as Windows systems cause more trouble than Unix servers, they are better patched. Q.E.D.
Just kidding, Martin
Jan. 23, 2003
i beMe.asp?lcid=1033&id=155 to subscribe. If you don't wish to hear from us again, you need not do anything. We will not send you another executive email unless you choose to subscribe at the link above.
.NET through an incredibly vigorous design review, threat modeling and security push, and in the coming months we will be releasing other major products that have gone through our Trustworthy Computing security review cycle: Windows Server 2003, the next versions of SQL and Exchange Servers, and Office 11.
2 3security2.asp to help you make your computer systems more secure.
I'm writing to you about an issue of particular importance to those of us who routinely use computers in our work and personal lives - making computing more secure. Before I share my thoughts about this in more detail, I want to give you some context on why I am sending this email.
This is one in an occasional series of emails from Microsoft executives about technology and public-policy issues important to computer users, our industry, and anyone who cares about the future of high technology. If you would like to receive these emails in the future, please go to http://register.microsoft.com/subscription/subscr
******
As we increasingly rely on the Internet to communicate and conduct business, a secure computing platform has never been more important. Along with the vast benefits of increased connectivity, new security risks have emerged on a scale that few in our industry fully anticipated.
As everyone who uses a computer knows, the confidentiality, integrity and availability of data and systems can be compromised in many ways, from hacker attacks to Internet-based worms. These security breaches carry significant costs. Although many companies do not detect or report attacks, the most recent computer crime and security survey performed by the Computer Security Institute and the Federal Bureau of Investigation totaled more than $455 million in quantified financial losses in the United States alone in 2001. Of those surveyed, 74 percent cited their Internet connection as a key point of attack.
As a leader in the computing industry, Microsoft has a responsibility to help its customers address these concerns, so they no longer have to choose between security and usability. This is a long-term effort. As attacks on computer networks become more sophisticated, we must innovate in many areas - such as digital rights management, public key cryptology, multi-site authentication, and enhanced network and PC protection - to enable people to manage their information securely.
A year ago, I challenged Microsoft's 50,000 employees to build a Trustworthy Computing environment for customers so that computing is as reliable as the electricity that powers our homes and businesses today. To meet Microsoft's goal of creating products that combine the best of innovation and predictability, we are focusing on four specific areas: security, privacy, reliability and business integrity. Over the past year, we have made significant progress on all these fronts. In particular, I'd like to report on the advances we've made and the challenges we still face in the security area.
In order to realize the full potential of computers to advance e-commerce, enable new kinds of communication and enhance productivity, security will need to improve dramatically. Based on discussions with customers and our own internal reviews, it was clear that we needed to create a framework that would support the kind of innovation, state-of-the-art processes and cultural shifts necessary to make a fundamental advance in the security of our software products. In the past year we have created new product-design methodologies, coding practices, test procedures, security-incident handling and product-support processes that meet the objectives of this security framework:
SECURE BY DESIGN: In early 2002 we took the unprecedented step of stopping the development work of 8,500 Windows engineers while the company conducted 10 weeks of intensive security training and analyzed the Windows code base. Although engineers receive formal academic training on developing security features, there is very little training available on how to write secure code. Every Windows engineer, plus several thousand engineers in other parts of the company, was given special training covering secure programming, testing techniques and threat modeling. The threat modeling process, rare in the software world, taught program managers, architects and testers to think like attackers. And indeed, fully one-half of all bugs identified during the Windows security push were found during threat analysis.
We have also made important breakthroughs in minimizing the amount of security-related code in products that is vulnerable to attack, and in our ability to test large pieces of code more efficiently. Because testing is both time-consuming and costly, it's important that defects are detected as early as possible in the development cycle. To optimize which tests are run at what points in the design cycle, Microsoft has developed a system that prioritizes the application's given set of tests, based on what changes have been made to the program. The system is able to operate on large programs built from millions of lines of source code, and produce results within a few minutes, when previously it took hours or days.
The scope of our security reviews represents an unprecedented level of effort for software manufacturers, and it's begun to pay off as vulnerabilities are eliminated through offerings like Windows XP Service Pack 1. We also put Visual Studio
Looking ahead, we are working on a new hardware/software architecture for the Windows PC platform (initially codenamed "Palladium"), which will significantly enhance the integrity, privacy and data security of computer systems by eliminating many "weak links." For example, today anyone can look into a graphics card's memory, which is obviously not good if the memory contains a user's banking transactions or other sensitive information. Part of the focus of this initiative is to provide "curtained" memory - pages of memory that are walled off from other applications and even the operating system to prevent surreptitious observation - as well as the ability to provide security along the path from keyboard to monitor. This technology will also attest to the reliability of data, and provide sealed storage, so valuable information can only be accessed by trusted software components.
SECURE BY DEFAULT: In the past, a product feature was typically enabled by default if there was any possibility that a customer might want to use it. Today, we are closely examining when to pre-configure products as "locked down," meaning that the most secure options are the default settings. For example, in the forthcoming Windows Server 2003, services such as Content Indexing Service, Messenger and NetDDE will be turned off by default. In Office XP, macros are turned off by default. VBScript is turned off by default in Office XP SP1. And Internet Explorer frame display is disabled in the "restricted sites" zone, which reduces the opportunity for the frames mechanism in HTML email to be used as an attack vector.
SECURE IN DEPLOYMENT: To help customers deploy and maintain our products securely, we have updated and significantly expanded our security tools in the past year. Consumers and small businesses can stay up to date on security patches by using the automatic update feature of Windows Update. Last year, we introduced Software Update Services (SUS) and the Systems Management Server 2.0 SUS Feature Pack to improve patch management for larger enterprises. We released Microsoft Baseline Security Analyzer, which scans for missing security updates, analyzes configurations for poor or weak security settings, and advises users how to fix the issues found. We have also introduced prescriptive documents for Windows 2000 and Exchange to help ensure that customers can configure and deploy these products more securely. In addition, we are working with a number of major customers to implement smart cards as a way of minimizing the weak link associated with passwords. Microsoft itself now requires smart cards for remote access by employees, and over time we expect that most businesses will go to smart card ID systems.
COMMUNICATIONS: To keep customers better informed about security issues, we made several important changes over the past year. Feedback from customers indicated that our security bulletins, though useful to IT professionals, were too detailed for the typical consumer. Customers also told us they wanted more differentiation on security fixes, so they could quickly decide which ones to prioritize. In response, Microsoft worked with industry professionals to develop a new security bulletin severity rating system, and introduced consumer bulletins. We are also developing an email notification system that will enable customers to subscribe to the particular security bulletins they want.
WHAT'S NEXT
In the past decade, computers and networks have become an integral part of business processes and everyday life. In the Digital Decade we're now embarking on, billions of intelligent devices will be connected to the Internet. This fundamental change will bring great opportunities as well as new, constantly evolving security challenges.
While we've accomplished a lot in the past year, there is still more to do - at Microsoft and across our industry. We invested more than $200 million in 2002 improving Windows security, and significantly more on our security work with other products. In the coming year, we will continue to work with customers, government officials and industry partners to deliver more secure products, and to share our findings and knowledge about security. In the meantime, there are three things customers can do to help: 1) stay up to date on patches, 2) use anti-virus software and keep it up to date with the latest signatures, and 3) use firewalls.
There's much more I'd like to share with you about our security initiatives. If you would like to dig deeper, information and links are available at http://www.microsoft.com/mscorp/execmail/2003/01-
Bill Gates
For information about Microsoft's privacy policies, please go to: http://www.microsoft.com/info/privacy.htm
So... by announcing which ones have been running that long, they are announcing which ones are vulnerable to known attacks.
I guess they won't be on the list for long.... :)
frob
//TODO: Think of witty sig statement
Why was this port open to the internet in the first place? Shouldn't the database servers be behind the firewalls, and only accept connections from trusted hosts on the outside? the rapid spread of this worm seems to point so serious design problems with the networks at many companys. The Bank of America infection is particularly troubling.
I disagree about the difficulty in propagating the worm under IPv6. It might slow it down, but I was online when the worm hit and it was almost instant the way it consumed the backbones. I'd estimate that within 5-10 minutes the worm went from one end of the world to the other.
The scary thought for IPv6 to me is that it might slow down random IP propagation, but that would probably be inconsequential when compared with the increased number of spammers that would find new life and longevity in hiding amongst the exponentionally larger IP space.
Let's take it to a new level...
If a major motor manufacturer created a product line that lost the brakes when the temperature outside was -10 degrees and on an interstate, they would be liable.
If 90% of the population used that product line and people were getting hijacked by their own transportion, there would be hell to pay.
Now suppose that they say, "Hey! We released a recall two months ago? Didn't you take your car in to fix it? We made a post to our service centers, but you never saw it at the place you take your car? If you were running our brake-warming device (aka anti-virus software), you wouldn't have had this problem... if you were on a local road instead of an interstate, you never would have had this happen to you. Please buy more of our products. "
I know its outlandish, but there should be some responsibility here on the part of the vendor. There is economic damage from not patching stuff, but if the patch usually breaks your car, who's left to hold the bag?
Unless you are a mechanic and own a kit-car (aka Linux), you're tied in. That's not good.
T.
This space for rent.
It's not that bad really, I think later versions of the patch even included a batch file to copy stuff around for you. Even without it, it only took 10 minutes... I mean really, if somebody can't handle this kind of stuff should they really be an admin?
Some have said they applied the patch and still were vunerable.
Yeah you have to be careful with this stuff, if you apply patches in the wrong order you can sometimesend up with the vulnerable code still there. I know a _really_ good admin that got hit with Code Red because of that. The correct order can sometimes be a bit of a mystery.
Some have said the patch fucked their server.
That's the big problem with this situation. I can understand why people don't have this patch or SP3 installed. You really never know what one of these things is going to do. It is common for amins to schedule a 3 hour downtime to roll something like this in, even if they have tested the hell out of it. You need time to get the damn thing back out if it screws stuff up. I deployed W2K SP3 onto my terminal servers a few months ago and it broke Office on every one of them. It didn't do that when I tested it, took me hours to clean it up.
There's no excuse. Just because it is harder to install than a simple windows update package isn't any kind of reason not to update.
I agree, however...
Microsoft has argued for a long time that Windows is easier to administer (than UNIX/Linux), and that you don't need to hire an expensive, trained admin (which I assume they are referring to UNIX admins, but aren't MCSE expensive, trained admins, all jokes about the quality of MCSEs aside?).
So here we are with MS SQL Server, which is supposed to be an enterprise quality database system... but it has no intuitive interface for installing patches. So either we have a real DBA, who should know how to do these patches, or we have a power user to manage the database through a better interface to keep up to date on patches.
Either it's easy and you don't need an admin, or it's difficult and you do need a trained admin. SQL Server updates can't be as "complex" as they currently are if Microsoft is going to claim that anyone can admin a Microsoft server product.
Granted, they may not be making the claim that SQL Server is easy to administer, but what are the customers going to think? If Windows is "easy" (or so says the advertising), then SQL Server must be easy too! They both have little wizards to automate tasks, they both have a graphic interface for management...
... is that oopses like this one have exactly zero impact on their market share, companies' acceptance of MS "solutions" etc... This is not a free market as known for ages, definitely.
Most modern servers are GHz+ boxes, and this worm saturated some 100 MBit links.
My friend, like so many people you simply do not understand large numbers.
Even for billions of computers, the IPv6 address space is so large that it would be extremely sparse. How sparse? Well, let's suppose that you have a 100Mbit link completely filled with 384-byte UDP packets, each with a different, random, address. Let's further suppose that there are 2^32 addresses in use (which is many times what are in use now). From that, we can calculate the average time it would take for slapper on a 100Mbit link to find a single valid address.
100Mbps = 12.5MBps = 32,500 packets per second.
The odds of a random address being valid are 2^128/2^32 = 2^96, so on average, one address will "hit" every 2^96/32500 seconds. A little arithmetic shows that this equates to one hit every 8x10^16 *years*. A slow-moving worm, indeed.
Someone will point out that this calculation is not really fair, because those 2^128 addresses aren't going to be uniformly distributed, and worm writers would know that some of them are impossible. However, the way in which they're going to be distributed won't necessarily make them easy to guess. For example, the bottom 48 bits of your IPv6 address may end up being your hardware MAC address, or a self-chosen random value. Let's be nice and suppose that the worm writer can accurately guess 48 bits. This means that on average an address will hit once every 274 years. Still not likely to be a threat. To make the worm effective, we *also* need to give it a 1Tbit link, which would allow it to find a new host every 13 seconds, on average.
By way of comparison, a slapper saturating a 1Tbit link could blanket the *entire* IPv4 address space in 13 seconds. IOW, a single machine with that kind of a network connection (and the ability to fill it) could find and infect every Internet-accessible IPv4 host more or less instantly.
Nope, I think it's safe to say that with IPv6 worms will no longer be able to make random guesses. That's not to say that there won't be other ways for them to get "good" addresses to probe, but it'll have to be a lot better than random guessing.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
1) Went to a news site (MSNBC? I forget...) - decided to try running a video - told me it needed the Microsoft plugin, sent me to Microsoft site to download Media Player 9.
2) Said okay, what the hell, I'll get it, EULA or no, downloaded, installed.
3) Broke my wallpaper changer - began giving me divide by zero errors when I changed wallpaper. Why? Who knows?
4) PowerPro began to crash on reboot for the wallpaper thingy... Why? Who knows?
5) Uninstalled Media Player 9.
10)Uninstalled WallMaster, reinstalled WallMaster.
11)WallMaster and PowerPro problem go away.
12)Irony - Even after I installed Media Player 9, the fuckin' news site STILL SAID I NEEDED THE PLUGIN!
Fucking morons...
Within the next six months, I intend to go Linux only and wipe fraggin' Microcrap off the disk...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
You know, I'm having a good laugh here..
... hey, if you can't drive the bus, get off the road.
/apt-get etc....
"They make too much stuff to bother standardizing versionning info"
Linux: rpm -qa
Microsoft: "sorry we can't do that it's too hard"
rofl
And you didn't even address my original post.
The entire internet went down on Saturday but it seems Microsoft bears no blame in your eyes. If that isn't a pure unadulterated example of the arrogance displayed by Microsoft I don't know what is.
If I wrote shit that barfed all over the internet like that, I'd be begging on my knees for forgiveness from my customers-- not giving them the "you're all morons speech". Actually I'd be outta a job.
I think you're the troll here. You should be proud. It's not too often a troll gets +5.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
You have to assume there *are* holes in application software such as SQL server due to its complexity.
Taking a reactive approach, and simply installing hotfixes are they're available will simply not work - patches are often not available until a number of days/weeks/months until after the vulnerability is known. Even if it hasn't been fully disclosed, the blackhats may well know about it, or be prompted to scrutinize that particular product more and find it before the full announcement.
The correct way to deploy such products is to design your network with this in mind, and firewall them off from the rest of the world.
That does NOT give you the security to not worry about patching (single layer security is bad) - keep your servers patched - but it does buy you a little time, and is an extra layer of defense in case there is a server that doesn't patch properly for some reason (file couldn't be overwritten for example), or is accidentally forgotten about.
I can think of *no reason* why an SQL server must be accessible to the world. You have a webserver that uses it as a back-end? Give the public access to port 80/443 of that ONLY, and disallow connections from anywhere but localhost to the SQL software. Even better (and the approach I always take - I don't trust Win-X to be visible to the internet, period), install it on a seperate physical machine, firewall that machine more tightly (ie, allow SQL connections ONLY from machines that require them, such as your webserver).
If you have client machines that need to access the database from the internet, thats what VPNs are for.
Since I've had enough sense to firewall my servers correctly (yes, I was a clueless idiot before as well ;), I have not had a single security breach.
I'm not saying that I'm definately immune to a concentrated attack, but you can definately stack the odds in your favour.
Yes, it is an investment in time, and probably money - but if you want a secure network, its simply the price you have to pay these days... how much is your data/uptime worth?
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Patches? Patches? We don't need not stinking patches!