Do as I say, not as I do. Microsoft has been attributing the destructiveness of the recent SQL worm attack to lazy SysAdmins--people who don't bother to install the bug-fixing packages that Microsoft has issued. But, as Bruce Schneier points out, the way companies and computer systems--including Microsoft--work as societies of humans makes Microsoft's demands extremely unrealistic.
Posted by DeLong at January 31, 2003 03:34 PM

Worm Hits Microsoft, Which Ignored Own Advice: by John Schwarz

The frantic message came from the corporation's information technology workers: "HELP NEEDED: If you have servers that are nonessential, please shut down."
The computer system was under attack by a rogue program called SQL Slammer, which affected servers running Microsoft software that had not been updated with a patch--issued months ago--to fix the vulnerability. The worm hindered the operations of hundreds of thousands of computers, slowed Internet traffic and even disrupted thousands of A.T.M. terminals.
But this wasn't happening at just any company. It was occurring at Microsoft itself. Some internal servers were affected, and service to users of the Microsoft Network was significantly slowed.
The disruption was particularly embarrassing for Microsoft, which has been preaching the gospel of secure computing. On Jan. 23, the company's chairman, Bill Gates, sent a memo to customers describing progress in improving its products since he announced a "trustworthy computing" initiative a year ago.
"While we've accomplished a lot in the past year, there is still more to do," he wrote. He cited the hundreds of millions spent to shore up Microsoft's products, and its plans to deliver more secure products in the future. He also listed "things customers can do to help." The first item was "stay up to date on patches."
The paradox was not lost on computer security experts. "Microsoft has been blaming the users, saying they have to keep their patches up to date," said Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., a company that manages security for customers. "On the other hand, their own actions demonstrate how unrealistic that position is."
They've got this problem fixed, more or less, for Windows XP; auto-update covers things fairly well.
The problem is that, by nature of what they're used for, no sysadmin is going to let MS autoupdate his servers. I'm not sure how to square that circle, either.
Posted by: Jason McCullough on January 31, 2003 04:05 PM

This virus is propagated on inadequately secured commercial servers, not home computers. We know this if only because the cost of an SQL license from Microsoft ($4,999) puts the software out of the reach of ordinary users.
I personally use Apache on Slackware to fuel my home server and have never run into any of these problems, although my server logs now show an average of about three scripted attacks daily against my home server. Given that Apache runs on roughly 66 percent of the active web servers in the world, I consider it quite revealing that almost all of these exploits appear targeted at boxes running some variant of Windows.
People don't install MS bug patches immediately because so often the fix creates new problems. For example, in October Microsoft released a fix for a different SQL Server problem that, if installed in the expected manner, would have made patched systems vulnerable again.
MS itself got hit because their own people know the truth--patching is risky. Often they don't install correctly or run reliably. That's why MS's own sysadmins are in no rush to install them.
The patch has been described as "snarly, intractable and buggy". That's going to encourage its installation, right?

Posted by: clifford payne on February 1, 2003 06:27 AM

As I understand it, for the reasons Clifford Payne has outlined, many installations as a matter of practice wait for Microsoft "Service Packs", which bundle several patches, so that the patches will work with each other.
Posted by: Russ Hicks on February 3, 2003 12:02 AM