Free Republic

To: HAL9000

Boeing, other companies make Microsoft 'Slammer' fix

By Dina Bass / Bloomberg News

NEW YORK -- Verizon Communications Inc., Boeing Co. and other companies installed a six-month-old patch to repair a flaw in Microsoft Corp.'s database software to block a worm that slowed access to some Web sites this weekend.

Microsoft, the world's biggest software maker, said the "Slammer" worm exploits a weakness in its SQL Server 2000 and MSDE 2000 programs to replicate and flood networks with requests for data. A fix has been available since July, and Microsoft put an easier-to-install version on its Web site Saturday.

The glitch didn't harm computers, and some of the busiest Web sites including EBay Inc., Amazon.Com Inc. and AOL Time Warner Inc. reported no problems because they installed patches after the similar "Code Red" bug struck machines in July 2001, security experts said. Some companies failed to update patches because of cost and complexity, said Chris Rouland, a research executive at software maker Internet Security Systems Inc.

"Chief information officers are faced with a deluge of patches, and it becomes an issue of prioritization, and it's very expensive," Rouland said. A consultant charges about $100 an hour and takes about two hours to fix each server, he said.

There were about 1 billion attacks an hour at the peak this weekend, and about 200,000 to 250,000 machines have been affected by "Slammer," Rouland estimated.

"This is not about a wakeup call," said Simon Perry, vice president of security strategies at Computer Associates International Inc., the world's fifth-largest software maker. "The wakeup call came six months ago" when Microsoft issued the patch. "It's time for people to get out of bed."

Computer worms spread by attacking a system while a virus is spread through the exchange of files. Worms are similar to viruses because they make copies of themselves.

Verizon, the second-largest U.S. provider of fast Web access over telephone lines, had some internal systems slow, spokesman Mark Marchand said. Verizon's phone system was unaffected, and the company made the fix this weekend, he said.

Bank of America Corp. customers were unable to withdraw money from its 13,000 cash machines for a few hours Saturday because of problems related to the worm. Bank One Corp. clients couldn't view credit card account summaries on the Web for "several hours" on Saturday and it was fixed by noon that day, said spokesman Tom Kelly. He said Bank One had no problems with its ATM network.

Boeing shut 2,000 server computers over the weekend to contain the worm, said Bob Jorgensen, a Boeing spokesman. The company had been in the process of testing the patch to make sure it was compatible with Boeing systems and had planned to install it soon. The worm didn't cause production delays or delivery problems, and all computers are running, Jorgensen said.

Ford Motor Co., one of Microsoft's biggest customers, "saw signs of the worm activity," said Ford spokeswoman Christina Camilli. "But nothing major and it didn't disrupt production or critical applications."

There is no evidence that terrorists launched the worm, though it appears a person or a group deliberately targeted companies that failed to install the patch, security experts said.

"It was definitely not by accident," said Vincent Gullotto, a senior research director for security-software maker Network Associates Inc.'s Antivirus Response Team.

The Federal Bureau of Investigation is monitoring the worm and trying to identify the cause, White House spokeswoman Tiffany Olson said this weekend. The type of worm had been detected as early as May 2002 and "the onus has been on the ISPs and company systems administrators to take preventative action to keep this from happening," Olson said.

Microsoft's SQL Server, which competes with Oracle Corp.'s 9i program and International Business Machines Corp.'s DB2 software, is the most popular database for machines that run the Windows operating system, according to research firm Gartner Inc.

Microsoft is calling customers to make sure they have installed the patch, spokesman Rick Miller said. "As people were waking up, there was some concern there would be another hard hit as people came back on line. That doesn't seem to have manifested itself."

Frequent security flaws are crimping Microsoft's ability to sell more programs for running the busiest corporate networks and Web sites, analysts and customers have said. Companies who lack the time and money to apply security updates as they are released should avoid Microsoft products, Gartner has said.

Chairman Bill Gates last year ordered employees to make security their top focus in product development after bugs like Code Red and Nimda cost customers millions of dollars in 2001.

Shares of Redmond, Washington-based Microsoft fell 68 cents to $49.17 as of 4 p.m. New York time in Nasdaq Stock Market trading, the lowest closing price since Oct. 11.

Microsoft also is working to improve patches and tools for helping customers apply the fixes, Miller said. Many customers don't download patches because there are too many and most require restarting computers. Still, customers must be more careful to download important updates, he said.

"In both this case and the cases of Nimda and Code Red, it wasn't like there was a 24-hour period where people had to deploy the patch before something hit," Miller said. "These have been out for months."

Companies in South Korea had widespread slowdowns and the worm was still active Monday because they were slower than companies in the U.S. to install patches, said Steve Chang, chief executive of computer-security software maker Trend Micro Inc.

"U.S. companies are extremely sensitive, so the service providers are providing better security," Chang said. Korean companies may have focused on satisfying demand for service at the expense of protecting their systems, he said.

Security experts said it is unlikely investigators will identify the source of the worm.

"They're probably not going to know who did it unless somebody starts bragging about it, which is possible," said Marc Maiffret, co-founder of eEye Digital Security.

The culprit used a format that makes "spoofing" easy, which means the attack could have been designed to appear as if it came from anywhere the creator wanted, he said.


6 posted on 02/01/2003 3:28:01 PM PST by HAL9000


To: HAL9000
Tuesday, January 28, 2003

Internet worm infects state's big businesses

By PAUL NYHAN
SEATTLE POST-INTELLIGENCER REPORTER

The latest Internet worm struck Washington state's leading businesses, disrupting thousands of Washington Mutual Inc. automated teller machines, infecting The Boeing Co. and even invading Microsoft Corp.'s own operations.

Around Seattle, the worm created some of the greatest problems and consumer headaches yesterday at Washington Mutual, where customers were unable to pay certain bills online, transfer funds over the telephone or even withdraw cash from bank machines.

Even Microsoft, which created the infiltrated software and a subsequent patch to thwart the virus, found itself under attack, as the so-called Slammer worm burrowed into some of its servers.

Consumers likely felt the greatest pinch at financial institutions. Nationwide, up to 2,000 Washington Mutual ATMs were affected at any one time, bank spokeswoman Libby Hutchinson said yesterday.

On Queen Anne Hill, one ATM screen stated: "Sorry, I'm out of commission right now."

The savings and loan said it hoped to have its services fully operational this morning, adding that it concluded the worm didn't violate private customer data. Yesterday, customers were able to visit branches to get cash and perform other banking transactions, Hutchinson said.

"The worm virus was found, isolated and removed," the Seattle-based institution said in a statement yesterday evening, adding the company was "working to have the network to full capacity as quickly as possible."

Washington Mutual was far from alone, as the attack crippled some sensitive corporate and government systems far more seriously than many experts believed possible. Pillars of the financial community, such as American Express Co. and Bank of America Corp., also faced problems.

Not all banks suffered, however. KeyBank and Wells Fargo & Co. were among the financial institutions that reported no problems.

In Bellevue, up-to-date computer software usually makes emergency dispatchers quick on response and on reporting incidents on the Eastside, but, as a result of infection by the virus, the communications center personnel had to log information by hand, according to Marcia Harnden, Bellevue police spokeswoman.

The virus attacked the emergency communications system in Bellevue Friday night and continued to slow computer operations until Saturday afternoon. Dispatchers who take emergency calls for Bellevue police and Eastside fire departments are trained to operate without computers in case of a major catastrophe or power outage.

A few miles away on the Microsoft campus in Redmond, some administrators had not applied the company's own security patch, while other servers designed to test security patches were exposed.

"If you have SQL servers that are non-essential, please shut down the MSSQLSERVER service as well as SQL Agent . . . so that we can eliminate nonessential noise/traffic on the network," an internal Microsoft e-mail said Saturday. "Your urgent assistance is required."

Despite the urgency of the message, most Microsoft employees didn't notice the disruption, according to Rick Miller, a Microsoft spokesman.

"We're pretty much up to full speed at this point," Miller said yesterday evening. Though the company had not finished installing the patches, "the effect is significantly minimized," he said.

Across the nation, consumers ran into more obvious problems Saturday and Sunday.

American Express Co. confirmed that customers couldn't reach its Web site to check credit statements and account balances during parts of the weekend.

The attack prevented many customers of Bank of America, one of the largest U.S. banks, and some large Canadian banks from withdrawing money from ATMs Saturday.

Bank of America was largely back to normal by Saturday evening, according to Rich Brown, a bank spokesman in Portland, Ore.

At Countrywide Financial Corp., customers struggled when they tried to use its online site and certain phone services. The mortgage bank expected to completely restore customer access by last night, according to Countrywide spokesman Rick Simon.

Countrywide Financial Corp., Washington Mutual and others were hit by a virus-like attack, alternately dubbed "Slammer" or "Sapphire," that sought vulnerable computers to infect by using a known flaw in popular database software from Microsoft called SQL Server 2000. Microsoft said it has sold 1 million copies of the software.

The global congestion from the Internet attack eased over the weekend and was largely cleared by Monday.

Before the attack passed, the state's largest private employer, Boeing, ran into problems. Saturday morning, Boeing scrambled its computing virus team after detecting the Slammer virus.

The company had major programs running by Saturday afternoon and "the virus didn't really affect much of the company," Boeing spokesman Bob Jorgensen said yesterday.

Critical airplane delivery schedules were not interrupted, Jorgensen added.

Boeing actually began testing a fix for an attack last fall, when Microsoft upgraded a bulletin on the problem from non-critical to critical, according to Jorgensen.

"We then go through a testing to make sure it is going to work effectively with our application," Jorgensen said.


8 posted on 02/01/2003 3:33:38 PM PST by HAL9000
