Experts: Microsoft security gets an 'F'

Reuters (via CNN) ^ | 2/1/2003 | Staff

[B Knotts]

SAN FRANCISCO, California (Reuters) -- Computer security experts say the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.

"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F."'

[B Knotts]

*ping*

[zx2dragon]

"Is that because Macs are safer? I think the answer is yeah."

Umm...no. The reason is because a malicious Mac virus wouldn't make the news. Who cares if something only impacts a really small amount of computers? MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch. Admins were lazy and are blaming MS instead of themselves.

[TechJunkYard]

Looks like a duplicate of this post... only the title is changed.

[js1138]

Odd, that when the advantages of Open systems are being touted, one of them is that fixes are readily available. The slammer fix was available six months before the attack. In fact the vulnerability was discussed here on FR. So every shop sophisticated enough to have SQL Server should have known about the problem and been looking for the fix.

I might add that having SQL server without the fix is not sufficient to get slammed. The small company I work for has not yet installed the patch, but it has a firewall. If the SQL ports are blocked, slammer can't get in.

So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.

[B Knotts]

Indeed it is a dupe. I hadn't noticed that. Moderator, can you nuke this thread?

[gore3000]

MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch.

Seems to me that those who write the patches should be testing them an advising users of any problems they may cause. For the 'greatest software company in the universe' to release untested patches seems to me to be very irresponsible. It is this irresponsibility that is part of the reason why people fear applying patches to their systems.

[zx2dragon]

Actually, I haven't had a big problem of a patch breaking MS software (yes, it has happened), but third party software that a company may use. One paticular POS program I had to deal with plugged into Exchange, SQL and the DC. Needless to say, patches were done only every few months and the program was eventually scrapped.

[Bush2000]

So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.

Stop! Combined with all the trolls screaming, your reasonable logic is deafening! ;-)

[Bush2000]

Seems to me that those who write the patches should be testing them an advising users of any problems they may cause.

It would help if you'd actually read the release notes...

http://support.microsoft.com/default.aspx?scid=/support/servicepacks/SQL/2000/SP3ReadMe.asp

[GeekDejure]

Microsoft software products mimic the U.S. borders !!!

[Bush2000]

Microsoft software products mimic the U.S. borders !!!

Open source crapware is pretty porous, too ...

http://www.nwfusion.com/newsletters/bug/2003/0120bug2.html
https://rhn.redhat.com/errata/RHSA-2003-006.html
https://rhn.redhat.com/errata/RHSA-2002-288.html
https://rhn.redhat.com/errata/RHSA-2003-001.html

...

etc, etc. If I had to list them all, it would take all day...

[gore3000]

It would help if you'd actually read the release notes...

Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work? Reading the release notes does not help your case. Why do they want you to backup your work if the stuff has been tested? Why would someone want to back out of an update if it has been properly tested? Just look at all the garbage they write on this stuff. It is just a long disclaimer. If the below notes do not scare you, they sure would scare most people:

3.1 Back Up Your SQL Server Databases

The following information applies to all component installations except database client components.

Before installing either Database Components SP3 or Desktop Engine SP3, back up the master, msdb, and model databases. Installing SP3 modifies the master, msdb, and model databases, making them incompatible with pre-SP3 versions of SQL Server. These backups are required if you decide to reinstall SQL Server 2000 without SP3.

It is also prudent to back up your user databases, although SP3 performs updates only on user databases that are members of replication topologies.

[Bush2000]

Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work?

There's no excuse for not applying security patches, bub. Especially when it's been 6 months. I mean, for chrissakes, use a damned firewall to mitigate the risk at the very least...

[Dog Gone]

I am thinking of finally breaking down and buying XP for this computer, simply because Windows ME is so unstable. But, I hate product activation, and I hate the fact that MS tells me that Norton Antivirus is incompatible.

I'm starting to get torqued, and I've been a loyal customer.

[gore3000]

There's no excuse for not applying security patches, bub.

There is when they come out every day. There is when they have to be tested by the consumer because MS itself admits that it has not. There is when MS itself, 'the greatest software company in the world' does not follow its own advise.

[Bush2000]

There is when they come out every day.

Reference?