Slammer Worm Slams Microsofts Own 528
MondoMor writes "Microsoft's forgot to patch some of its own servers to protect it from the months-old vulnerability exploited by the Slammer Worm, reports C|Net. Oops. Apparently Redmond's network was hit pretty hard. Just goes to show that no matter who you are, you'd better keep your apps patched." Update: 01/29 01:59 GMT by T : And if you're running systems which might be affected, take note: whitehorse writes "The Microsoft KB article for the Slammer patch found here has an incorrect URL for 'Download the patch' referring to KB Q316333 which is only a handle leak fix. The real patch may be found later in the article."
Zoiks! (Score:5, Insightful)
Big Surprise? (Score:4, Insightful)
I'm glad to say that my servers were unaffected. Slapper does not affect AS/400 nor Linux.
Speaks volumes for their policies... (Score:5, Insightful)
Say what? (Score:2, Insightful)
Microsoft on the ball? (Score:5, Insightful)
I fully expect to see more entertaining stories like this for a long time to come.
Not nessecarly bad administrators (Score:5, Insightful)
Tired of patching? (Score:5, Insightful)
Oh joy, the pleasures of having an automated "Patch-me-now" daemon.
Lazy admin, none the less.
Re:Big Surprise? (Score:2, Insightful)
The Future of Security (Score:5, Insightful)
First and foremost is secure code. Right now, almost everyone and their grandmother has a firewall. They do a good job of protecting ports a user can't shutdown totally (some NetBIOS ports) and protecting insecure applications a user or organization wants to run internally but doesn't want the world to access (NFS, NIS, etc). The majority of these exploits target applications that firewalls will usually let past such as HTTP, FTP and e-mail.
Frankly I'm not sure how coders should go about writing secure applications, but it needs to be done. Perhaps at large organizations there should be a dedicated person or term in charge of verifying code is clear of buffer overflows and other nasties. Either way, the code itself needs to be secure or because a firewall won't do a thing. Without it even the most secure configurations will continue to be cracked.
Second is firewall configuration. Many firewall administrators tend to forget about outbund packets. Obviously there are some they need to let out (HTTP, FTP) but when it comes to things like SQL and outbound portmap, there's really no reason. Depending on the organizations needs they can more than likely block all outgoing UDP. By doing this they can help slow the spread of worms (such as this one) and reduce liability when it comes to crackers using their systems as a point to attack other systems.
Firewalls that block incoming packets just don't cut it, and never have. We need to have secure code and need to block unnecessary outbound packets as well.
hmmm...security + patch administration (Score:5, Insightful)
Yep.
I love the way the article makes security + patching seem such a burden on system administrators. It's one of the main functions of a sysadmin's job. Any sysadmin who thinks security patches are optional, regardless of how shitty your OS's package management + patch integration is, deserves to have their network taken down and their ass fired.
Though I do get a kick out of thinking of the nightmare the Windows admins have keeping up to date with patches, whereas a few hundred lines of perl, and I have my own automated patching system, and RPM keeps track of it ( no rpm vs. deb flames, thank you ).
Re:Say what? (Score:5, Insightful)
They probably don't. What's more likely is that one or more employees took their laptops home and hooked them up to their own Internet connection without any personal firewalling active. If those laptops happened to be running SQL Server, they become carriers. All it takes then is for them to be plugged back into Microsoft's LAN, and game over.
Despite what the apologists say (Score:2, Insightful)
Of course, it's the customers fault.
When the original story came out I couldn't count the number of posts pointing out that the patch was released a while ago for this problem while totally discounting the fact that most of the world fell prey to it.
Redhat, for instance, boldly displays all the security problems AND patches on a single page for its products.
Want to find a list of needed patches for a Microsoft product? Hope you have a few days for searching the endless volumes of technet or msdn-- hope you find everything.
Want to know the patch level for your Microsoft software? Have fun, it's randomly displayed somewhere in the product... maybe in the about box... maybe just a file version
What a bunch of horse shit... (Score:5, Insightful)
Now here's my gripe... Microsoft's being vulnerable to this is only an indication of some lazy sysadmins. It doesn't involve anyone else.
These are typical 14 year old essay arguments, where you can prove the world by altering seemingly unessential facts: while Linux is seen as the OSS giant, and there are thousands of 'independant' people working on it, Microsoft is actually just one person... Bill. Bill has actually cloned himself 40.000 bodies, and attached a wireless receptor in each of their brains, and is brandishing every single one of those people...
Microsoft, just like any other company, is thousands of individual people... this security vulnerability does not undermine the effectiveness of patches.
It's like having a Canada be declared an enemy of the United States because a drunken canadian had a fist fight with some alaskan in some fucking bar. WTF??!?
Come on people, be vigilant.
Re:Microsoft didn't patch all their INTERNAL serve (Score:3, Insightful)
Just goes to show that people who are paid to be technically apt can be just as much of a crutch and regular users.
Re:Big Surprise? (Score:5, Insightful)
This problem is actually a very interesting one that I've been looking at for years. It happens in everything from 300-person companies to giant mega-corps. It's not because people are stupid, but because large systems only can only avoid tripping on themselves by imposing arbitrary controls.
I think that the right solution is staged anarchy, which is sort of what many large companies (e.g. Microsoft, AT&T, IBM, etc) do with their research divisions or via acquisitions or both. The idea is that you let smart people go nuts and create the unsupportable. You then get more, but different smart people to turn THAT into the supportable. You then get more average corportate drones to convert the supportable into the existing production framework. You then present the existing production framework to the first group of smart people and let them start over again.
You get about a 6-month cycle if you do it right, and you keep reaping the benefits of wild-eyed hacking as well as stability.
Microsoft takes a lot of flack for their technology, but they do this one thing well. You may not like such things as NT, C#, etc, but they are fairly large and complex beasts that most companies would not be capable of cranking out on their own (hence the benefits of open source development so that they don't have to). MS was able to draw on (and some would say corrupt) the smart work of their research folks and of technologies that they acquired and "MS all over it" until it fit their sales and support model, which is one of the reasons that they could do something like go from "Internet-illiterate" to winning the browser war, practically overnight.
IBM does this quite a lot as well (all of their hard drive advances come from this sort of process).
Interesting stuff.
4 Things (Score:5, Insightful)
What we can learn about this: (Score:2, Insightful)
No, it shows rather that no matter who you are, you should not use Microsoft's server and database solutions.
Patches break things too… (Score:5, Insightful)
Patches that fix something specific are fine. Patches that add new features or change API behavior can really make a mess. I've seen plenty of kit that requires xx service pack and the latest yy version breaks it.
As a side note, make sure you get the patch if you are running the MSDE on any of your boxes.... Same problem as SQL server - way to many vendors will fold that one into a dev version of a product. I know I almost found out the hard way...
Re:Microsoft didn't patch all their INTERNAL serve (Score:5, Insightful)
I've worked in some of the Microsoft data centers and done design work... I know how hard they (just like many of my other non-microsoft customer) try to keep people "out" of these networks. But I've seen development projects go on the "soft" network and then get forgotten about. Its machines like these that probably provided the bridge back into MS.
It happens. Regardless of the company. Just some get more publicity than others. You think BofA didn't have firewalls? And yet they went offline for what... half a day or more?
Re:Microsoft on the ball? (Score:4, Insightful)
Re:Zoiks! (Score:5, Insightful)
Relying on a vendors automatic update feature is no substitute for solid system administration.
Solid system administration is no substitute for solid systems.
Re:Despite what the apologists say (Score:5, Insightful)
Another clueless jackass spouting off about things he has no idea about...
Re:Zoiks! (Score:4, Insightful)
Re:SQL Server (Score:4, Insightful)
It doesn't work, at least not for Microsoft's products. You and grandparent post forgot the Microsoft Support Life Cycle [microsoft.com], say Windows 98 and NT 4.x will be entering "Non-supported phase" after June this year, Windows 2K even earlier, March.
Granted, SQL server 7.0 is still under the coverage of normal support til March, 2004, and if you happened to be a premium customer, they the period can be extended to 2006.
However, do not forget when a product is desupported, Microsoft will not take care of new problem found in it. No service patch, no enquiry. No MS reseller would dare take up the maintenance. They'd only offer you one option thereafter: upgrade.
Keep using the desupported products? Sure you can, but can you bet your career on a desupported product? You're welcome to do so as they can have a convenient target to blame when shit happens.
Re:Big Surprise? (Score:3, Insightful)
Re:Speaks volumes for their policies... (Score:2, Insightful)
The article says "patches don't work" but fails to give any alternative. Saying "software needs to be perfect" is about as useful as telling us that patches don't work.
I don't se OSS as a solution to this either because unless you install the bugfixes you are still screwed.
not a bigot. (Score:3, Insightful)
Matter of cost . . . (Score:4, Insightful)
It seems to me if one were to include the costs of patching, insuring everything gets patched, and the expected losses (I assume probality is inherently high in then non-Unix world) from the inevitable missed patch (or, nonexistent patch/late patch), MS TCO would go through the roof. Then again, maybe the entire concept of TCO doesn't matter when the most significant costs can be hidden from ignorant managers who act as the software purchasing agents of the company.
The problem is including new features with patches (Score:5, Insightful)
For years I was forced to run an IIS server which was outdated, unpatched, and very vulnerable. I couldn't update it because the service packs would break the software running on it - and the reason was that the service packs, while they fixed the vulnerabilities, also introduced all sorts of new features I did not need or want. So I was reduced to keeping a very watchful eye on it.
The entire infrastructure of Microsoft software distribution method is simply broken, and stupid.
How about a solution? (Score:3, Insightful)
Re:hahaha - there's justice for you (Score:3, Insightful)
You don't suppose this will convince them to finally switch to OSS, do you? I haven't seen my MySQL boxes taking down the Internet lately!
(Ok, ok, that was low.. ;) )
Re:Big Surprise? (Score:3, Insightful)
You and MS are a collective bunch of horse shit (Score:5, Insightful)
Let's make this quick:
MS is a collective. All of the things that individuals do within MS are actions taken by MS. You said it yourself: Microsoft, just like any other company, is thousands of individual people.
MS cannot implement its own patching system coherently. The effectiveness of the MS patch protocol is ZERO as practiced by MS, and I mean ZERO.
This is MS's problem precisely because members of their collective have proven that their system of patches has zero real-world effectiveness.
If you want to apologize for MS, go ahead. Just don't say that they still might be right (about the effectiveness of patching) when they've proven themselves that patching doesn't work, even if because no one bothers to patch.
Re:Big Surprise? (Score:3, Insightful)
No, it puts a damper on their ability to exploit the freely-offered code and sell it back to people.
You can innovate on GPL'ed code, you just can't keep your innovations to yourself.
Jay (=
Re:hmmm...security + patch administration (Score:3, Insightful)
Still, I'd be concerned about automating any patches. Heck, just a few weeks ago, Mozilla came out with a "patch" that broke a good bit of DHTML rendering. Not serious, really, but the same could happen to important software. For example, I know of a particular version of a particular OLE DB provider for Oracle that has a couple of parameters backwards for one of their main functions (I think this was an Oracle version of the driver). If somebody auto-patched a server, and it fixed this problem, it would've broken my app completely, and would've needed a bit of a re-write and re-compile. Not good on a live system.
Re:hahaha - there's justice for you (Score:1, Insightful)
Gadzooks! (Score:5, Insightful)
I agree, however...
Microsoft has argued for a long time that Windows is easier to administer (than UNIX/Linux), and that you don't need to hire an expensive, trained admin (which I assume they are referring to UNIX admins, but aren't MCSE expensive, trained admins, all jokes about the quality of MCSEs aside?).
So here we are with MS SQL Server, which is supposed to be an enterprise quality database system... but it has no intuitive interface for installing patches. So either we have a real DBA, who should know how to do these patches, or we have a power user to manage the database through a better interface to keep up to date on patches.
Either it's easy and you don't need an admin, or it's difficult and you do need a trained admin. SQL Server updates can't be as "complex" as they currently are if Microsoft is going to claim that anyone can admin a Microsoft server product.
Granted, they may not be making the claim that SQL Server is easy to administer, but what are the customers going to think? If Windows is "easy" (or so says the advertising), then SQL Server must be easy too! They both have little wizards to automate tasks, they both have a graphic interface for management...
Re: Big Surprise? (Score:2, Insightful)
> > Explains why they dislike the GPL. It puts a damper on their research and innovation.
> No, it puts a damper on their ability to exploit the freely-offered code and sell it back to people.
I think you missed the sarcasm.
> You can innovate on GPL'ed code, you just can't keep your innovations to yourself.
In lots of contexts, yes you can.
Re:Which would you rather have? (Score:5, Insightful)
That argument is an example of a logical fallacy called "bifurcation" - presenting two alternatives as if they were the only two alternatives, when in fact more may exist.
Somehow I keep my Debian system updated with the latest security patches without much effort, and without being forced to accept patches I don't want.
What's incredible... (Score:4, Insightful)
Why People Don't Update Microsoft Products... (Score:3, Insightful)
1) Went to a news site (MSNBC? I forget...) - decided to try running a video - told me it needed the Microsoft plugin, sent me to Microsoft site to download Media Player 9.
2) Said okay, what the hell, I'll get it, EULA or no, downloaded, installed.
3) Broke my wallpaper changer - began giving me divide by zero errors when I changed wallpaper. Why? Who knows?
4) PowerPro began to crash on reboot for the wallpaper thingy... Why? Who knows?
5) Uninstalled Media Player 9.
10)Uninstalled WallMaster, reinstalled WallMaster.
11)WallMaster and PowerPro problem go away.
12)Irony - Even after I installed Media Player 9, the fuckin' news site STILL SAID I NEEDED THE PLUGIN!
Fucking morons...
Within the next six months, I intend to go Linux only and wipe fraggin' Microcrap off the disk...
rofl ..."we make too much stuff to keep tab on it" (Score:3, Insightful)
"They make too much stuff to bother standardizing versionning info"
Linux: rpm -qa
Microsoft: "sorry we can't do that it's too hard"
rofl
And you didn't even address my original post.
The entire internet went down on Saturday but it seems Microsoft bears no blame in your eyes. If that isn't a pure unadulterated example of the arrogance displayed by Microsoft I don't know what is.
If I wrote shit that barfed all over the internet like that, I'd be begging on my knees for forgiveness from my customers-- not giving them the "you're all morons speech". Actually I'd be outta a job.
I think you're the troll here. You should be proud. It's not too often a troll gets +5.
Single layered security == flawed (Score:4, Insightful)
You have to assume there *are* holes in application software such as SQL server due to its complexity.
Taking a reactive approach, and simply installing hotfixes are they're available will simply not work - patches are often not available until a number of days/weeks/months until after the vulnerability is known. Even if it hasn't been fully disclosed, the blackhats may well know about it, or be prompted to scrutinize that particular product more and find it before the full announcement.
The correct way to deploy such products is to design your network with this in mind, and firewall them off from the rest of the world.
That does NOT give you the security to not worry about patching (single layer security is bad) - keep your servers patched - but it does buy you a little time, and is an extra layer of defense in case there is a server that doesn't patch properly for some reason (file couldn't be overwritten for example), or is accidentally forgotten about.
I can think of *no reason* why an SQL server must be accessible to the world. You have a webserver that uses it as a back-end? Give the public access to port 80/443 of that ONLY, and disallow connections from anywhere but localhost to the SQL software. Even better (and the approach I always take - I don't trust Win-X to be visible to the internet, period), install it on a seperate physical machine, firewall that machine more tightly (ie, allow SQL connections ONLY from machines that require them, such as your webserver).
If you have client machines that need to access the database from the internet, thats what VPNs are for.
Since I've had enough sense to firewall my servers correctly (yes, I was a clueless idiot before as well ;), I have not had a single security breach.
I'm not saying that I'm definately immune to a concentrated attack, but you can definately stack the odds in your favour.
Yes, it is an investment in time, and probably money - but if you want a secure network, its simply the price you have to pay these days... how much is your data/uptime worth?
smash.