Free Republic

Experts: Microsoft security gets an 'F'
Reuters (via CNN) ^ | 2/1/2003 | Staff

Posted on 02/01/2003 10:04:19 PM PST by B Knotts

Edited on 04/29/2004 2:02:01 AM PDT by Jim Robinson.

SAN FRANCISCO, California (Reuters) -- Computer security experts say the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"


(Excerpt) Read more at edition.cnn.com ...


TOPICS: Business/Economy; Technical
KEYWORDS: bugs; exploits; microsoft; security; vulnerabilities

1 posted on 02/01/2003 10:04:19 PM PST by B Knotts

To: ShadowAce; TechJunkYard; rdb3; stainlessbanner
*ping*
2 posted on 02/01/2003 10:05:45 PM PST by B Knotts

To: B Knotts
"Is that because Macs are safer? I think the answer is yeah."

Umm...no. The reason is because a malicious Mac virus wouldn't make the news. Who cares if something only impacts a really small number of computers? MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch. Admins were lazy and are blaming MS instead of themselves.

3 posted on 02/02/2003 5:10:17 AM PST by zx2dragon (And yes, I have administrated MS servers including SQL)

To: B Knotts
Looks like a duplicate of this post... only the title is changed.
4 posted on 02/02/2003 5:59:46 AM PST by TechJunkYard (via Cherie)

To: B Knotts
Odd, that when the advantages of Open systems are being touted, one of them is that fixes are readily available. The slammer fix was available six months before the attack. In fact the vulnerability was discussed here on FR. So every shop sophisticated enough to have SQL Server should have known about the problem and been looking for the fix.

I might add that having SQL server without the fix is not sufficient to get slammed. The small company I work for has not yet installed the patch, but it has a firewall. If the SQL ports are blocked, slammer can't get in.

So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.

5 posted on 02/02/2003 6:16:05 AM PST by js1138

To: TechJunkYard; Admin Moderator
Indeed it is a dupe. I hadn't noticed that. Moderator, can you nuke this thread?
6 posted on 02/02/2003 6:29:23 AM PST by B Knotts

To: zx2dragon
MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch.

Seems to me that those who write the patches should be testing them and advising users of any problems they may cause. For the 'greatest software company in the universe' to release untested patches seems to me to be very irresponsible. It is this irresponsibility that is part of the reason why people fear applying patches to their systems.

7 posted on 02/02/2003 6:49:04 AM PST by gore3000

To: gore3000
Actually, I haven't had a big problem of a patch breaking MS software (yes, it has happened), but third party software that a company may use. One particular POS program I had to deal with plugged into Exchange, SQL and the DC. Needless to say, patches were done only every few months and the program was eventually scrapped.
8 posted on 02/02/2003 9:15:55 AM PST by zx2dragon

To: js1138
So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.

Stop! Combined with all the trolls screaming, your reasonable logic is deafening! ;-)
9 posted on 02/02/2003 1:32:50 PM PST by Bush2000

To: gore3000
Seems to me that those who write the patches should be testing them an advising users of any problems they may cause.

It would help if you'd actually read the release notes...

http://support.microsoft.com/default.aspx?scid=/support/servicepacks/SQL/2000/SP3ReadMe.asp
10 posted on 02/02/2003 1:35:55 PM PST by Bush2000

To: B Knotts
Microsoft software products mimic the U.S. borders !!!
11 posted on 02/02/2003 1:49:50 PM PST by GeekDejure

To: GeekDejure
Microsoft software products mimic the U.S. borders !!!

Open source crapware is pretty porous, too ...

http://www.nwfusion.com/newsletters/bug/2003/0120bug2.html
https://rhn.redhat.com/errata/RHSA-2003-006.html
https://rhn.redhat.com/errata/RHSA-2002-288.html
https://rhn.redhat.com/errata/RHSA-2003-001.html

...

etc, etc. If I had to list them all, it would take all day...
12 posted on 02/02/2003 2:02:34 PM PST by Bush2000

To: Bush2000
It would help if you'd actually read the release notes...

Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work? Reading the release notes does not help your case. Why do they want you to back up your work if the stuff has been tested? Why would someone want to back out of an update if it has been properly tested? Just look at all the garbage they write on this stuff. It is just a long disclaimer. If the below notes do not scare you, they sure would scare most people:

3.1 Back Up Your SQL Server Databases

The following information applies to all component installations except database client components.

Before installing either Database Components SP3 or Desktop Engine SP3, back up the master, msdb, and model databases. Installing SP3 modifies the master, msdb, and model databases, making them incompatible with pre-SP3 versions of SQL Server. These backups are required if you decide to reinstall SQL Server 2000 without SP3.

It is also prudent to back up your user databases, although SP3 performs updates only on user databases that are members of replication topologies.

13 posted on 02/02/2003 2:30:24 PM PST by gore3000

To: gore3000
Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work?

There's no excuse for not applying security patches, bub. Especially when it's been 6 months. I mean, for chrissakes, use a damned firewall to mitigate the risk at the very least...
14 posted on 02/02/2003 7:13:32 PM PST by Bush2000
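The three preconditions js1138 lists in post 5 (SQL Server installed, exposed to the Internet, unpatched for six months) and the firewall advice in post 14 can be turned into a concrete triage check. The following is an added example, not code from the original thread or from Microsoft. The firewall rule sets, host records and the worm-shaped datagram are constructed here for illustration. It assumes, from public analyses of the worm, that Slammer travels as a single 376-byte UDP datagram to port 1434 (the SQL Server Resolution Service) that begins with the 0x04 instance-lookup request byte, and that the relevant fix is the MS02-039 hotfix rolled into the SQL Server 2000 SP3 that post 10 links to; the rule, host and function names are the example's own.

```python
"""Slammer exposure triage: do all three preconditions from the thread hold?

Added example, not from the original thread. Firewall rules, hosts and the
worm-shaped datagram below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

SSRS_PORT = 1434      # SQL Server Resolution Service listens on UDP/1434
SLAMMER_LEN = 376     # the worm is a single 376-byte UDP datagram (public analyses)
INTERNET_PROBE = "203.0.113.7"   # documentation-range address standing in for "anyone"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # None matches any destination port
    src: str               # source CIDR the rule applies to


def first_match(rules: Tuple[Rule, ...], proto: str, dport: int, src_ip: str) -> str:
    """First-match evaluation with an implicit default deny, as most firewalls do."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if ip not in ipaddress.ip_network(r.src, strict=False):
            continue
        return r.action
    return "deny"


def udp1434_exposed(rules: Tuple[Rule, ...]) -> bool:
    """Would an arbitrary Internet host get a datagram through to UDP/1434?"""
    return first_match(rules, "udp", SSRS_PORT, INTERNET_PROBE) == "allow"


@dataclass(frozen=True)
class Host:
    name: str
    sql_listening: bool        # SQL Server 2000 / MSDE with SSRS running
    ms02_039_patched: bool     # MS02-039 hotfix or SP3 applied (assumed patch name)
    rules: Tuple[Rule, ...]


def slammable(host: Host) -> bool:
    """js1138's three conditions: installed AND exposed AND unpatched."""
    return host.sql_listening and not host.ms02_039_patched and udp1434_exposed(host.rules)


def looks_like_slammer(dport: int, payload: bytes) -> bool:
    """Cheap wire heuristic: a 0x04 (instance lookup) request that is worm-sized.
    A legitimate 0x04 request is the type byte plus a short instance name."""
    return dport == SSRS_PORT and len(payload) == SLAMMER_LEN and payload[:1] == b"\x04"


def triage(hosts: List[Host]) -> List[str]:
    """Return the names of hosts that meet all three preconditions."""
    return [h.name for h in hosts if slammable(h)]


# --- constructed sample data -------------------------------------------------
OPEN_EDGE = (                                    # "allow everything" perimeter
    Rule("allow", "any", None, "0.0.0.0/0"),
)
FILTERED_EDGE = (                                # SQL ports reachable only from the LAN
    Rule("allow", "udp", SSRS_PORT, "10.0.0.0/8"),
    Rule("allow", "tcp", 1433, "10.0.0.0/8"),
    Rule("allow", "tcp", 80, "0.0.0.0/0"),
    Rule("deny", "any", None, "0.0.0.0/0"),
)

EXPOSED_UNPATCHED = Host("sql-dmz-01", True, False, OPEN_EDGE)
FIREWALLED_UNPATCHED = Host("sql-lan-02", True, False, FILTERED_EDGE)   # js1138's shop
EXPOSED_PATCHED = Host("sql-dmz-03", True, True, OPEN_EDGE)

# Stand-in for the worm datagram: same size and leading byte, filler otherwise.
FAKE_WORM = b"\x04" + b"\x01" * (SLAMMER_LEN - 1)
NORMAL_LOOKUP = b"\x04MSSQLSERVER"               # ordinary instance-name query


if __name__ == "__main__":
    for h in (EXPOSED_UNPATCHED, FIREWALLED_UNPATCHED, EXPOSED_PATCHED):
        print(f"{h.name}: exposed={udp1434_exposed(h.rules)} "
              f"patched={h.ms02_039_patched} slammable={slammable(h)}")
    print("fake worm flagged:", looks_like_slammer(SSRS_PORT, FAKE_WORM))
    print("normal lookup flagged:", looks_like_slammer(SSRS_PORT, NORMAL_LOOKUP))
```

Only the host that is listening, unpatched and behind an allow-all edge comes out as slammable; the unpatched box behind the filtered edge, which is js1138's situation, does not, because the default-deny rule drops the Internet probe. In practice the "exposed" bit is best confirmed with an actual UDP probe from outside the perimeter rather than by reading rules, the patch level with `SELECT SERVERPROPERTY('ProductLevel')` on the instance, and the length-plus-leading-byte check is a heuristic for a first look at captures, not a substitute for a proper signature.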

To: B Knotts
I am thinking of finally breaking down and buying XP for this computer, simply because Windows ME is so unstable. But, I hate product activation, and I hate the fact that MS tells me that Norton Antivirus is incompatible.

I'm starting to get torqued, and I've been a loyal customer.

15 posted on 02/02/2003 7:16:31 PM PST by Dog Gone

To: Bush2000
There's no excuse for not applying security patches, bub.

There is when they come out every day. There is when they have to be tested by the consumer because MS itself admits that it has not. There is when MS itself, 'the greatest software company in the world', does not follow its own advice.

16 posted on 02/02/2003 7:20:59 PM PST by gore3000

To: gore3000
There is when they come out every day.

Reference?
17 posted on 02/03/2003 1:10:20 AM PST by Bush2000


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson