Feb. 1st, 2003

fishsupreme

As I'm sure most people have noticed or heard, the Internet was hit hard last week by a worm known as 'SQL Slammer', named for its target, Microsoft SQL Server 2000. Most home users felt little effect, other than perhaps a certain sluggishness on the 'net, but corporate users were blasted by it -- primarily because only corporate users actually run the software in question.

The worm shut down corporate networks because an infected server immediately devotes all its time to sending copies of the worm to IP addresses chosen at random using GetTickCount. (An IP address is a 32-bit number, and the number of milliseconds the computer has been turned on is also stored as a 32-bit number, so the worm just slammed a timer into the network stack to choose a target -- a crude but effective way of generating random targets.) Computers that run Microsoft SQL Server 2000 tend to be enterprise database servers right in the heart of corporate datacenters -- really powerful machines, with really wide connections to the network, making them the perfect worm-spreaders. The scary thing is that for all the damage this worm did, it was fundamentally benign: all it did was spread itself around; it did not actually try to do any damage. Imagine what could have happened if the worm had carried a "payload" -- if it had, say, deleted or subtly corrupted all the data on infected servers.

Microsoft, understandably, has gotten a lot of flak for the security vulnerability that made this worm possible. (The worm spreads by sending a specific malformed 370-byte packet to a web service port on SQL Server. Due to a bug in the server, a buffer overrun presumably, the specially formed packet is actually executed rather than just used as data, thus causing the new server to begin spreading the worm as well.) However, Microsoft's response is that they fixed the vulnerability in question six months ago and released the fix as a "critical" security patch that all administrators should install. What's more, the vulnerability is also fixed in SQL Server 2000 Service Pack 3, which has been out for more than a month. Thus, the only people affected by this are people who were running an obsolete version of a Microsoft product and who failed to install critical security patches that any competent administrator would know about. Unfortunately, that group included most SQL Server installations. Basically, Microsoft asks, "What more can we do?"
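The propagation pattern described above (one host sending the same fixed-size UDP packet to a flood of unrelated addresses) is easy to spot in flow data. The following is an added example, not part of the original post: the flow-record format, the host addresses, the one-second window and the fan-out threshold are all assumptions made for illustration, and UDP port 1434 (the SQL Server Resolution Service port Slammer is documented to have used) is not named in the post.

```python
from collections import defaultdict
from ipaddress import ip_address

WINDOW_S = 1       # assumed bucket width in seconds
FANOUT_LIMIT = 25  # assumed: distinct destinations per bucket before alerting

def parse(line):
    """Parse 'ts src dst proto dport bytes' (a constructed, simplified flow format)."""
    ts, src, dst, proto, dport, size = line.split()
    return float(ts), ip_address(src), ip_address(dst), proto, int(dport), int(size)

def find_scanners(lines, window=WINDOW_S, limit=FANOUT_LIMIT):
    """Return {(src, proto, dport, size): peak distinct destinations per window}
    for every source whose peak exceeds the limit."""
    buckets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, size = parse(line)
        # Same source, same port, same packet size, same time bucket:
        # collect the set of destinations it touched.
        buckets[(int(ts // window), str(src), proto, dport, size)].add(dst)
    worst = {}
    for (_, src, proto, dport, size), dsts in buckets.items():
        key = (src, proto, dport, size)
        worst[key] = max(worst.get(key, 0), len(dsts))
    return {k: n for k, n in worst.items() if n > limit}

def constructed_flows():
    """Constructed sample data: one flooding server and one ordinary DNS client."""
    flows = []
    for i in range(40):
        # 40 scattered 32-bit destinations inside a single second;
        # 370 is the packet size quoted in the post.
        dst = ip_address((i * 2654435761 + 12345) % 2**32)
        flows.append(f"{1000 + i / 100:.2f} 10.0.5.20 {dst} udp 1434 370")
    for i in range(40):
        # A normal client: one resolver, varying packet sizes, one query per second.
        flows.append(f"{1000 + i:.2f} 10.0.7.31 10.0.0.53 udp 53 {60 + i % 5}")
    return flows

if __name__ == "__main__":
    for (src, proto, dport, size), n in find_scanners(constructed_flows()).items():
        print(f"{src}: {n} destinations/{WINDOW_S}s on {proto}/{dport}, {size}-byte packets")
```

Keying on packet size as well as port is what separates a single-packet worm from a busy but legitimate client, whose datagrams vary in length.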

Some news stories of interest here (which will be referenced in the rest of this post):

Tom's Hardware says rumors indicate even Microsoft was hit
David Litchfield reconsiders if he should have even published the vulnerability when he discovered it
Analysts say Microsoft Trustworthy Computing has failed, with quotes from Bruce Schneier

( And the rest of this post is really damn long... )
