Microsoft fails Slammer's security test
News.com ^ | January 27, 2003, 4:27 PM PT | By Robert Lemos

Posted on 01/28/2003 11:39:17 AM PST by shadowman99

By Robert Lemos, Staff Writer, CNET News.com
http://news.com.com/2100-1001-982305.html



Microsoft's policy of relying on software patches to fix major security flaws was questioned Monday after a series of internal e-mails revealed that the software giant's own network wasn't immune from a worm that struck the Internet last weekend.


The messages seen by CNET News.com portray a company struggling with a massive infection by the SQL Slammer worm, which inundated many corporate networks Saturday with steady streams of data that downed Internet connections and clogged bandwidth.

"All apps and services are potentially affected and performance is sporadic at best," Mike Carlson, director of data center operations for Microsoft's Information Technology Group, stated in an e-mail sent at 8:04 a.m. PST Saturday to other members of Microsoft's operations groups. "The network is essentially flooded with traffic, making it difficult to gather details concerning the impact."

The messages put Microsoft in an awkward position: The company relies on customers to patch security flaws but the events of last weekend show that even it is vulnerable. In this case, Microsoft urged customers to fix a vulnerability in the SQL Server 2000 software, but it apparently hadn't taken its own advice. Moreover, despite its 1-year-old security push, the software giant still had critical servers vulnerable to Internet attacks.

"This shows that the notion of patching doesn't work," said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security. "Publicly, they are saying it's not our fault, because you should have patched. But Microsoft's own actions show that you can't reasonably expect people to be able to keep up with patches."

For years, system administrators have complained about their inability to keep up with the steady stream of patches that have poured out of Microsoft and other software companies. In October, the software giant even raised the bar for what's considered a "critical" vulnerability, so that administrators wouldn't have to deal with so many patches that seemingly required immediate attention.

“Seems like every time I install a system patch, something else goes wrong with my system,” said Frank Beier, president of Web design firm Dynamic Webs. The designer said many system administrators won’t patch for many months, because they don’t trust Microsoft to fix the problem without breaking some other function of the software.

“In most cases, I'm better off just playing Russian roulette with the hackers until our servers are broken into,” he said.

In the case of SQL Slammer, it seemed that Microsoft had done it right. The company had informed customers six months earlier about a flaw and included patches in both a roll-up patch--a software update that includes all the latest patches--and in the company's latest service pack for Microsoft SQL Server 2000.

But even within Microsoft, something went wrong.

"At approximately 10:00 p.m. (PST, Friday), traffic on the corporate network jumped dramatically, eventually bringing all services to a crawl," stated Carlson's memo. "The root cause appears at this time to be a virus attacking SQL."


On Saturday, Microsoft's Windows XP Activation service was down, not because the servers were vulnerable, but because the company's internal network was inundated with junk data, Rick Devenuti, the chief information officer for the software giant, said in an interview Monday.

"We are not sure how the virus got into our network," he said.

That the company has SQL servers on the desktop is not surprising, he added. Many of its developers run the database on their PCs, and other test machines have vulnerable databases installed to replicate customer networks. Devenuti didn't know how the worm got into the system to affect those servers, however.

"It just takes one machine to get going," he said. "At any given point in time, it is hard to be 100 percent patched with any machine. We are working hard to make patch management easier. But 100 percent is a high bar and in this case we are not there."

News.com's Stephen Shankland contributed to this report.


TOPICS: Business/Economy; News/Current Events
KEYWORDS: gates; gpl; linux; microsoft; monopoly; opensource; security; virus
Paging BUSH2000!!!! HAHAHAHA!!!!!
1 posted on 01/28/2003 11:39:17 AM PST by shadowman99

To: shadowman99
LOL.
2 posted on 01/28/2003 11:41:53 AM PST by Stentor

To: shadowman99
Already posted here.
3 posted on 01/28/2003 11:44:30 AM PST by TomServo

To: TomServo
Different news source.
4 posted on 01/28/2003 11:45:21 AM PST by shadowman99

To: shadowman99
Never mind. Admin, please remove.
5 posted on 01/28/2003 11:46:38 AM PST by shadowman99

To: shadowman99
Er, excuse me, but how do MOST OSes deal with security problems? Through software patches. That's true whether the OS is Microsoft's, or a Linux distribution put out by Red Hat.

Is the author suggesting that MS Windows needs to be rewritten from the ground up to "anticipate" security flaws? If so, wouldn't THAT in itself be a "software patch," albeit on a grand scale?

I find this criticism curious (and keep in mind I'm someone who just blew Windows XP Pro off his desktop system and installed Red Hat).

6 posted on 01/28/2003 12:03:06 PM PST by Illbay

To: Illbay
"steady stream of patches"

Microsoft has a "steady stream of patches" for most any software they release. THAT IS THE REAL PROBLEM.

I don't have access to the various and sundry MS product defect tracking systems, nor do I have any idea about how Microsoft is attempting to analyze their non-stop stream of bugs that SLAM their customer base.

What I do have is MANY friends in Seattle Area software quality assurance circles who work at MS or contract there. They tell me that MS has severe problems with "We are the best and the brightest, therefore WE don't make serious software mistakes" and...Not-Invented-Here means only WE know how to do REAL software engineering.

This attitude of elitist arrogance is a sure fire formula for disaster.

I have been watching all the MS spokespeople WHINING about how "if only the system administrators" had installed the last 200 patches this SLAMMER thang could have been avoided.

This Microsoft arrogance AND incompetence will taper off WHEN lawyers successfully siphon off their money in court!
7 posted on 01/28/2003 12:14:30 PM PST by HadEnough

To: Illbay
The problem is that MSFT cannot provide patches that fix problems w/o creating other problems on a reliable basis. That leads to reluctance to install them by everyone including apparently their own employees.

If patches fixed problems, were easy to install and did not create other problems, people would install them and not have this problem. Their s/w architecture is apparently so mucked up internally that even they can't keep a handle on it.
8 posted on 01/28/2003 12:20:12 PM PST by oldcomputerguy

To: Illbay
Er, excuse me, but how do MOST OSes deal with security problems? Through software patches. That's true whether the OS is Microsoft's, or a Linux distribution put out by Red Hat.

Here is the point of the article:

The messages put Microsoft in an awkward position: The company relies on customers to patch security flaws but the events of last weekend show that even it is vulnerable. In this case, Microsoft urged customers to fix a vulnerability in the SQL Server 2000 software, but it apparently hadn't taken its own advice. Moreover, despite its 1-year-old security push, the software giant still had critical servers vulnerable to Internet attacks.

9 posted on 01/28/2003 12:24:41 PM PST by Clive

To: oldcomputerguy

Good thing that Free Republic is using a Linux Apache server.
10 posted on 01/28/2003 12:26:05 PM PST by Clive

To: Clive
Good thing that Free Republic is using a Linux Apache server.

Yep. FR was up and running 24/7 while Microsoft-based sites like Lucianne.com were knocked off the Internet for several hours.

Here is what Lucianne.com visitors saw -

Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [Microsoft][ODBC SQL Server Driver][Shared Memory]General network error. Check your network documentation.

Only a few weeks ago, their Microsoft database containing their user registrations got nuked and now they're struggling to re-register tens of thousands of records.

Lucianne has gotten hoodwinked several times by shady computer consultants who promised her Microsoft was the best way to go.

11 posted on 01/28/2003 12:57:50 PM PST by HAL9000

To: Illbay
Microsoft could rewrite from scratch, but the time to market would be huge and we might be back where we started. Microsoft could take Linux and "prettify" it, but it would be difficult to have the proprietary domination they have now. Or, a third alternative is that Microsoft could purchase OS/2 from IBM and work with that as a kernel.

All that is, of course, tongue in cheek.

12 posted on 01/28/2003 3:11:23 PM PST by jammer (We are doing to ourselves what Bin Laden could only dream of doing.)

To: Clive
Thanks, I did get that part. But although you have to wonder at the irony of it, I still don't see how MS is much different from even the open software crowd in this department.
13 posted on 01/28/2003 4:24:06 PM PST by Illbay