Slammer Worm Slams Microsofts Own 528
MondoMor writes "Microsoft's forgot to patch some of its own servers to protect it from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."
Microsoft didn't patch all their INTERNAL servers (Score:5, Informative)
Let's not jump too quickly on the bash microsoft bandwagon for that. (Of course, if they just did enough testing and didn't release buggy, vulnerable software in the first place...)
Re:Zoiks! (Score:5, Informative)
Re:SQL Server (Score:2, Informative)
Re:I wonder how long... (Score:5, Informative)
Re:Zoiks! (Score:5, Informative)
There isn't only no way to get SQL Server patches from Windows Update, but (as the parent mentioned), the steps required to update SQL Server and the Desktop Engine (MSDE) is a royal bitch and some.
For example, to apply any hotfixes or cumulative patches for SQL Server 2000, you must download the package, extract it, backup the SQL Server install directory and databases, manually copy over DLL files and other updated binaries, execute the SQL query files included in the patch (one at a time, in a certain order... MSDE users need to use the command line interface for it since there is no GUI provided), then pray that everything is okay and start SQL back up.
Worm's damage surprises experts -- takes out ATMs (Score:5, Informative)
~~~
The worm that slowed the internet to a crawl over the weekend apparently did more damage than most originally believed. On Monday, many companies were still struggling to clean up. Financial companies and airlines seemed to be hit most acutely. Many web sites that manage payments and check loans were inaccessible. Inexplicably--and really inexcusably--some ATMS were also unavailable. Investigators are also struggling to pinpoint the worms starting point, but are having little success because it took off so fast.
Apparently similar code was released by David Litchfield of NGS Software Inc a few months ago. Virus "author," "Lion" credited Litchfield's code.
The Washington Post has an AP [washingtonpost.com] story up as well as this [washingtonpost.com], which is older but has some additional details. The kicker to all this--the worm hit one year after Microsoft launched its "Trustworthy Computing." That and even some of Microsoft's own computers were hit [nytimes.com] (NYT Reg. Req.).
(Yep, still bitter
Re:Despite what the apologists say (Score:3, Informative)
I usually just go here rather than searching endless volumes....
http://www.microsoft.com/technet/treeview/default
Re:Speaks volumes for their policies... (Score:3, Informative)
Yep. The same can be said for clicking on virus laden emails. Back when the "I love you" email virus was making the rounds, some MSCE type sent out an email scolding people for clicking on bad emails at the comapny where my wife worked. The next day, her inbox had 50 some emails from him where he'd clicked on a bad email.
Later the same week, our IT dept deployed the last anti-virus patch. I set it off looking at comments on Slashdot where somebody had posted the Word Basic macro that was doing all the dirty work. The dern virus scanner was keying off the macro source. That caused a bru-ha-ha.
Re:I think you're running the update seriously wro (Score:2, Informative)
Re:Big Surprise? (Score:3, Informative)
From about Internet Explorer: "Based on NCSA Mosaic. NCSA Mosaic(TM); was developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign." Microsofts "smart work" was assimilating open-sourced non-GPL code to become internet literate. Explains why they dislike the GPL. It puts a damper on their research and innovation.
Re:Say what? (Score:4, Informative)
Of course - it only takes one infected client
Zero defects impossible; fix the fences instead (Score:5, Informative)
Zero defects is not an attainable goal; it's too expensive and no one wants to pay for it.
This article shows just what happens when you expect zero defects in the infrastructure of a large organization like Microsoft Corporation. It's not going to happen. And before someone says I'm Microsoft-bashing, I will say that this is true for the vast majority of corporations, universities, foundations, and governments. That would include Sun, IBM, Red Hat, even the *BSD folks and LKML participants.
There is a damn good reason we won't see zero defects: employees are not measured by it. Their survival, pay raises, and promotions are based not on the number of defects they don't have, but on their contribution to the "bottom line." If you preach zero defects as Job One, then prove it by firing the people who generate defects, without exception -- including the CEO, COO, CFO, CIO, and other top brass, when they screw up.
So now that the myth of zero defects has been exposed for what it is, what do we do about it?
System administrators are going to have to re-think their perimeter access controls. This may require router upgrades to add processing power to support additional filtering.
Sysadmins who have been running "mostly-open" filter configurations may want to consider moving to a "mostly-closed" configuration: deny everything except services that have been cleared for use. Don't allow arbitrary connections. Many unknowing MS SQL servers were protected from participating in this little exercise because the firewall upstream of the desktop system wasn't allowing connections to get through, even if the desktop system had a globally-routed Internet address.
Computer mail order houses and computer stores should consider carefully whether they should bundle appropriate software firewall products with the computers they sell. Software configured to require the user to say "Yes, I want to make SQL server available for public access!" before 1433 and 1434 would be open.
We need to ask the reporters and editors of mainstream publications to be more responsible when reporting problems like Sapphire/SQL. The facts were pretty well known, and available to those who tried hard enough to get them even at the height of the packet storm, so that reporters could make their deadlines and get the facts straight. [Names of the guilty withheld, at least for now -- they know who they are.]
Tier 1 and Tier 2 bandwidth providers need to consider modifications to their Acceptable Use Policies to require some basic filtering of packets in both directions. These AUP changes have been discussed before; perhaps now is the time for them to go into effect:
Update the Best Practices RFCs to incorporate some or all of these suggestions, so that Internet operators around the world can participate in solving the problem.
(N.B.: I want to point out that many USA-based cable operators are contributing to the problem by disallowing the use of NAT and VPN technologies in their apparent [alledged] quest to limit the broadband "Internet service product" to browsing and downloading files. I believe that such an attitude contributed to the problem, not the solution. I understand well the technical and business motivations for this, but I also believe that there are (U.S.) national security implications against such a policy. THINK!)
Are any of these ideas new? NO. The only new idea is to have the Lords Of The Internet use their influence over their customers to implement them more widely.
Good fences make good neighbors. The Internet is a neighborhood.
Re:Say what? (Score:3, Informative)
Re:I think you're running the update seriously wro (Score:1, Informative)
Useful script for keeping up-to-date with RPMS. (Score:4, Informative)
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
wget -nd -nH --mirror --no-parent --passive ftp://ftp.mirror.ac.uk./sites/ftp.redhat.com/pub/
saved=`grep saved log | grep -v ".listing"`
check=`rpm -K
if [ "$saved" ]
then
mail user1@domain.com user2@domain.com <<EOMAIL
New RedHat 8.0 RPMs downloaded onto `hostname`
Please update them:
$saved
$check
If there are any kernel updates, please run lilo before rebooting
EOMAIL
fi
Run this in the night some time.
When you come in, if you've got an email, run:
cd
rpm --freshen -vah *.i686.rpm
rpm --freshen -vah *.i386.rpm
Hey presto. Job done. And if you use Grub, you don't have to bother about running lilo.
Re:The MS security update is confusing (Score:2, Informative)
Patch + Honeywell = SOL (Score:2, Informative)
Actually No (Score:4, Informative)
While troubleshooting an issue related to the patch w/ MS phone support, the technician told me that 7.0 is not affected and the bulletin was incorrect.
It is entirely possible he was misinformed though.
Comment removed (Score:4, Informative)
Re:hmmm...security + patch administration (Score:3, Informative)
As to why I don't use up2date, it's because it chews up to much bandwidth ( ea. workstation hits redhat patch server ). I looked at using Ximian's stuff, but management shot it down.
And if administering w2k boxes is so damn easy, how come very few admins do it right? Proportionally quite a good deal less than their Unix counterparts? I can't verify the comments you made about w2k package management, as I quit doing windows around NT4.0/98 days, but I'll take your word on it. BTW, can this be remotely automated? But, still, how come everyone whines about how hard it is? And how come a frequent complaint ( and one I've seen w/ my site's sExchange mail servers ) is that one patch/update breaks other services/functionality?
Re:Say what? (Score:3, Informative)
Go home, plug into cable/DSL. Get infected. VPN in to Microsoft. Ooops.
That's the SP, not the patch! (Score:5, Informative)
Alot of sysadmins were waiting for the SP to be released before even approaching this one, just because the patching process is so complex. They just waited a week too long
Re:To clarify some Myths about Slammer (Score:3, Informative)
I don't understand where the difficulty comes in. You run the service pack, it extracts to your root drive (or whereever you want it to, actually.) You then run setup.bat -- That's it! You're patched!
Some have said they applied the patch and still were vunerable./Some have said the patch fucked their server.
It worked for me, and I can't speak of the ones it didn't work on. SP3 came out a few weeks ago, and admins should have at least had that installed.
Also, I think I read that the cumulitive SQL server patch that was supposed to be out a long time ago finally came out as soon as this worm hit.
Bullshit. The patch to fix the overflow problem came out half a year ago. And the service pack (which includes the patch) came out a few weeks ago.
Don't believe everything you hear..
Re:Grounds for legal action? (Score:2, Informative)
Personally, I don't run M$ servers. When I did, it was a bitch. Patches that "fixed" one thing broke two other things, and that which was working properly stopped.
One specific example is in the NT service pack series: between SP3 and SP4 (I believe) the format/structure of the NT filesystem changed. If you formatted a partition in post SP3 (SP4 or greater), you could NOT access the partition when you had to rebuild the system (6-12 mo later) UNTIL you made it back up to SP4+.
Why do I want to apply a patch which will probably break my system? To close a security hole, yes. While I'm a bit of a security 'nazi', I wonder sometimes if the patch is worse than the risk of a security breach.
Re:Never patch a running system ;-) (Score:3, Informative)
However, we should be very careful about bragging about it, because as it turns out UNIX admins are not that fast [rtfm.com] either. A study of an OpenSSL vulnerability and the subsequent release of the Slapper worm shows that many admins need some fire before they get moving.
My Experience (Score:4, Informative)
It's not that bad really, I think later versions of the patch even included a batch file to copy stuff around for you. Even without it, it only took 10 minutes... I mean really, if somebody can't handle this kind of stuff should they really be an admin?
Some have said they applied the patch and still were vunerable.
Yeah you have to be careful with this stuff, if you apply patches in the wrong order you can sometimesend up with the vulnerable code still there. I know a _really_ good admin that got hit with Code Red because of that. The correct order can sometimes be a bit of a mystery.
Some have said the patch fucked their server.
That's the big problem with this situation. I can understand why people don't have this patch or SP3 installed. You really never know what one of these things is going to do. It is common for amins to schedule a 3 hour downtime to roll something like this in, even if they have tested the hell out of it. You need time to get the damn thing back out if it screws stuff up. I deployed W2K SP3 onto my terminal servers a few months ago and it broke Office on every one of them. It didn't do that when I tested it, took me hours to clean it up.
Re: Which would you rather have? (Score:2, Informative)
> > Would you rather have a system where you have to manually implement every patch, or would you rather have a system where you didn't have any choices which patches were implemented?
> The first choice would lead to a lot more work.
I find the application-specific security patches we do under Linux to be trivially easy:
Re:Problem is IPv4 (Score:4, Informative)
Re:I wonder how long... (Score:1, Informative)
Re:SQL Server (Score:2, Informative)
Even earlier?
Uh, I'm sure you meant to clarify that while mainstream NT4 Workstation support certainly is up on 30-Jun-2002, Win2k Pro is up on 31-Mar-2005. That's 3 years, 3 months later than NT4. And the extended goes until the same date in 2007. That's over 4 years away. Win2k isn't going anywhere.
Do you think you'll still be using (insert current Linux distro) in seven years? What were you using seven years ago, and is it what you use now?
Companies cannot support a particular product forever, simply because they created it. I, for one, am glad that Microsoft does this. It enables me to phase out old systems, that, while useful in their purpose, are simply not cost effective to keep running anymore. It is a convenient excuse to say, "Sorry, but Microsoft doesn't support it anymore, so we can't. We'll either need to get a new system or you can go without support." Seven years is quite a bit of time, in the relatively fast moving tech sector. I realize that there are a bunch of examples where people need support for a large, unwieldy system that cannot be easily upgraded. But that is simply the nature of the beast. No one ever said doing this was easy.
Of course there are some people that say, "I'm still using Red Hat 2.1, and you'll never make me change!"