Experts: Microsoft security gets an 'F'
Reuters (via CNN) | 2/1/2003 | Staff
Posted on 02/01/2003 10:04:19 PM PST by B Knotts
Edited on 04/29/2004 2:02:01 AM PDT by Jim Robinson.
SAN FRANCISCO, California (Reuters) -- Computer security experts say the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft's year-old security push is not working.
"Trustworthy Computing is failing," Russ Cooper of TruSecure Corp. said of the Microsoft initiative. "I gave it a 'D-minus' at the beginning of the year, and now I'd give it an 'F.'"
(Excerpt) Read more at edition.cnn.com ...
TOPICS: Business/Economy; Technical
KEYWORDS: bugs; exploits; microsoft; security; vunerabilities
1 posted on 02/01/2003 10:04:19 PM PST by B Knotts
To: ShadowAce; TechJunkYard; rdb3; stainlessbanner
*ping*
2 posted on 02/01/2003 10:05:45 PM PST by B Knotts
To: B Knotts
"Is that because Macs are safer? I think the answer is yeah." Umm...no. The reason is because a malicious Mac virus wouldn't make the news. Who cares if something only impacts a really small amount of computers? MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch. Admins were lazy and are blaming MS instead of themselves.
3 posted on 02/02/2003 5:10:17 AM PST by zx2dragon (And yes, I have administrated MS servers including SQL)
To: B Knotts
Looks like a duplicate of this post... only the title is changed.
4 posted on 02/02/2003 5:59:46 AM PST by TechJunkYard (via Cherie)
To: B Knotts
Odd, that when the advantages of Open systems are being touted, one of them is that fixes are readily available. The slammer fix was available six months before the attack. In fact the vulnerability was discussed here on FR. So every shop sophisticated enough to have SQL Server should have known about the problem and been looking for the fix.
I might add that having SQL server without the fix is not sufficient to get slammed. The small company I work for has not yet installed the patch, but it has a firewall. If the SQL ports are blocked, slammer can't get in.
So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.
5 posted on 02/02/2003 6:16:05 AM PST by js1138
To: TechJunkYard; Admin Moderator
Indeed it is a dupe. I hadn't noticed that. Moderator, can you nuke this thread?
6 posted on 02/02/2003 6:29:23 AM PST by B Knotts
To: zx2dragon
MS or the hacking community found a problem with SQL. It was reported and a fix made available. There are plenty of ways to test patches or communicate with the online security community to verify if anything will be impacted by a new patch.
Seems to me that those who write the patches should be testing them and advising users of any problems they may cause. For the 'greatest software company in the universe' to release untested patches seems to me to be very irresponsible. It is this irresponsibility that is part of the reason why people fear applying patches to their systems.
7 posted on 02/02/2003 6:49:04 AM PST by gore3000
To: gore3000
Actually, I haven't had a big problem of a patch breaking MS software (yes, it has happened), but third party software that a company may use. One particular POS program I had to deal with plugged into Exchange, SQL and the DC. Needless to say, patches were done only every few months and the program was eventually scrapped.
8 posted on 02/02/2003 9:15:55 AM PST by zx2dragon
To: js1138
So you have to have SQL server installed, it must be exposed to the internet, AND you must ignore security warnings for six months.
Stop! Combined with all the trolls screaming, your reasonable logic is deafening! ;-)
9 posted on 02/02/2003 1:32:50 PM PST by Bush2000
To: gore3000
10 posted on 02/02/2003 1:35:55 PM PST by Bush2000
To: B Knotts
Microsoft software products mimic the U.S. borders !!!
To: GeekDejure
12 posted on 02/02/2003 2:02:34 PM PST by Bush2000
To: Bush2000
It would help if you'd actually read the release notes...
Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work? Reading the release notes does not help your case. Why do they want you to backup your work if the stuff has been tested? Why would someone want to back out of an update if it has been properly tested? Just look at all the garbage they write on this stuff. It is just a long disclaimer. If the below notes do not scare you, they sure would scare most people:
3.1 Back Up Your SQL Server Databases
The following information applies to all component installations except database client components.
Before installing either Database Components SP3 or Desktop Engine SP3, back up the master, msdb, and model databases. Installing SP3 modifies the master, msdb, and model databases, making them incompatible with pre-SP3 versions of SQL Server. These backups are required if you decide to reinstall SQL Server 2000 without SP3.
It is also prudent to back up your user databases, although SP3 performs updates only on user databases that are members of replication topologies.
13 posted on 02/02/2003 2:30:24 PM PST by gore3000
To: gore3000
Guess the administrators using these products do not install releases because they are lazy? Guess they insist on testing because they want to do more work?
There's no excuse for not applying security patches, bub. Especially when it's been 6 months. I mean, for chrissakes, use a damned firewall to mitigate the risk at the very least...
14 posted on 02/02/2003 7:13:32 PM PST by Bush2000
To: B Knotts
I am thinking of finally breaking down and buying XP for this computer, simply because Windows ME is so unstable. But, I hate product activation, and I hate the fact that MS tells me that Norton Antivirus is incompatible.
I'm starting to get torqued, and I've been a loyal customer.
15 posted on 02/02/2003 7:16:31 PM PST by Dog Gone
To: Bush2000
There's no excuse for not applying security patches, bub.
There is when they come out every day. There is when they have to be tested by the consumer because MS itself admits that it has not. There is when MS itself, 'the greatest software company in the world' does not follow its own advice.
16 posted on 02/02/2003 7:20:59 PM PST by gore3000
To: gore3000
There is when they come out every day.
Reference?
17 posted on 02/03/2003 1:10:20 AM PST by Bush2000