If the ‘Net was slow today, it was because of a new worm, called SQLSlammer, that infected vulnerable Windows servers running Microsoft’s SQL database.
The exploit it used was old, but it worked because Microsoft’s “cumulative” hotfixes were not actually cumulative: one patch was left out of them, and if that patch was applied afterward, it reverted the server to its vulnerable state. The hotfix documentation did not mention this clearly. Probably Microsoft didn’t know–until it was too late.
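The patch-ordering failure described above is worth checking for mechanically: after every patch, confirm that each file carrying a security fix is still at or above the build that contains the fix. The following Python is an added illustration, not code from the original post or from Microsoft; the file names, build numbers and patch contents are constructed for the example, and the hypothetical `audit` function models an installer that blindly overwrites files (the behaviour that causes the regression) next to a guarded variant that refuses to downgrade.

```python
"""Detect a patch that silently regresses an earlier security fix.

Added example: models a "cumulative" hotfix that omits one fixed file,
followed by an older patch that overwrites that file with a pre-fix build.
All file names, versions and patch names below are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.0.10' -> (2, 0, 10); compared tuple-wise, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed baseline: the minimum build of each file that contains the
# security fix we care about (hypothetical names and numbers).
REQUIRED: Dict[str, Version] = {
    "engine.exe": parse_version("2.0.10"),
    "netlib.dll": parse_version("2.0.10"),
}

# Constructed patches: file -> build the patch installs. The "cumulative"
# hotfix omits netlib.dll entirely, and the older patch ships a pre-fix build.
PATCHES: Dict[str, Dict[str, str]] = {
    "security-fix": {"engine.exe": "2.0.10", "netlib.dll": "2.0.10"},
    "cumulative-hotfix": {"engine.exe": "2.0.12"},
    "older-patch": {"netlib.dll": "2.0.7"},
}


def apply_patch(installed: Dict[str, Version], patch: str,
                guard: bool = False) -> Dict[str, Version]:
    """Return the file set after applying `patch`.

    guard=False models an installer that overwrites whatever is present.
    guard=True models the fix: never replace a file with a lower build.
    """
    new = dict(installed)
    for name, text in PATCHES[patch].items():
        candidate = parse_version(text)
        if guard and name in new and candidate < new[name]:
            continue  # refuse the downgrade; keep the newer (fixed) file
        new[name] = candidate
    return new


def regressions(installed: Dict[str, Version]) -> List[str]:
    """Files absent or below the build that carries the security fix."""
    return sorted(name for name, minimum in REQUIRED.items()
                  if installed.get(name, (0,)) < minimum)


def audit(sequence: List[str], guard: bool = False):
    """Apply patches in order; record (patch, regressed files) after each step.

    Returns (final file set, findings). An empty findings list means the fix
    survived every patch in the sequence.
    """
    state: Dict[str, Version] = {}
    findings: List[Tuple[str, List[str]]] = []
    for patch in sequence:
        state = apply_patch(state, patch, guard=guard)
        bad = regressions(state)
        if bad:
            findings.append((patch, bad))
    return state, findings


if __name__ == "__main__":
    order = ["security-fix", "cumulative-hotfix", "older-patch"]
    _, found = audit(order)
    print("blind installer:", found)          # older-patch regresses netlib.dll
    _, found = audit(order, guard=True)
    print("guarded installer:", found)        # nothing regressed
```

Run the audit with the patches in the order they were actually applied on a server; a non-empty findings list names the patch that undid the fix and the file it clobbered. Note that reordering so the cumulative hotfix comes last does not help, since it never shipped the fixed file in the first place.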
But in some cases it’s not Microsoft’s fault. Try getting a pointy-haired boss to give you 15 minutes’ downtime per server so you can roll necessary security patches across your enterprise. Since many people who ultimately make IT decisions never actually administered a Windows server in their careers, a lot of bad decisions get made and servers stay unpatched, as a matter of policy, either out of fear that a patch that closes a security hole might create a new bug, or that some remote VPN user in Kenya might be trying to work during that proposed scheduled time.
Linux got a bad rap in the security press last year because it allegedly had more security vulnerabilities than Windows did–never mind that a vulnerability in, say, BIND would get counted several times because it’s included in every Linux distribution. So whereas a vulnerability in IIS would get counted once against Windows’ total, a vulnerability in BIND might get counted 8 times.
We’ll ignore that. Fine. Linux has a larger number of security problems and vulnerabilities than Windows does. Fact. Undeniable. Fine. Answer this question then: Has any worm affecting Linux ever had the devastating effect that SQLSlammer had? That Nimda had? The most notorious worm that affected Linux was called Slapper. Do you remember it? More than 60% of the servers on the ‘Net run on Apache. A worm affecting Apache should have been huge. It wasn’t.
Statistics are, well, statistics. Just because I can find you a set of numbers that suggests the sky is pink doesn’t make it any less blue.
Why anyone, anywhere, has a Windows server on the ‘Net with anything more than port 80 exposed is beyond me.
Trustworthy Computing? Nice buzzwords. Billy Gates has yet to put any meaning into them.
And incompetence rises. Managers didn’t learn from Nimda, so they won’t learn from this either.
Great combination. What does it mean? History will repeat itself. Something like this will happen again. Probably sooner rather than later.
To be fair, back around 1988 (give or take) was the big rtm worm that rode roughshod through the internet and the mostly open UNIX boxes of the day. It did shut down the Internet for several days.
But even at that, it doesn’t really compare to Nimda, Code Red, Klez, etc. that seem to pop up quarterly.
Everyone seems to have neglected a very important point about security that this worm brings to light. A bunch of “professionals” who should know better have their SQL Servers effectively connected to the Internet directly. There are worse things that could happen. Like hackers could access (or change) the data on those SQL Servers.
What is to stop the hackers from doing so?
1. The hackers don’t know the servers are out there.
2. The hackers don’t know the user names and passwords required to access the data.
Given that this worm causes the servers to advertise their vulnerability, now everybody on the net knows where they are. Aren’t we glad that users always choose secure passwords that can’t be easily guessed? (Oops, they don’t, do they?)
To be fair, even if Microsoft has changed their tune on security it will take years for this to really take effect. This most recent attack and the Nimda one before it are as much an attitude problem as a problem with the software. Neither of these attacks should have been nearly as effective as they were. Reminds me of a study I did while at NASA in the early 90s where we went and tried to break into the Unix servers using the default admin passwords. We were able to get into almost 70% of all the servers just using the password the boxes were delivered with.
I believe a big part of the problem is MS servers, especially SQL Server, are just too easy to set up and get running with reasonable performance. I know many companies that run SQL Server databases that are administered by programmers/managers with no admin experience, while nobody would consider running an Oracle database without a trained and dedicated administrator at least on call (I work for one of these companies). You can get away with this because SQL Server setup is pretty much point and click, and what you will get will work pretty well for most people, and with 2000 its auto-tuning feature actually works pretty well. Meanwhile, if you don’t tune your Oracle box well you will end up with one lousy performing box.
I thought that to some extent these things (administering systems) were NOT supposed to be easy. Or is it that the MS patches for SQL Server were breaking previous fixes?
Or is it a combination of the two?
There were “cumulative” MS patches that were less than cumulative, and if you installed the patch they didn’t include, you broke the security fix, yes. And the patches, up until Sunday, were a pain to install.
But Dave and Joe are right: One of NT’s selling points has been that basically any idiot can install it and very quickly have something that works. Systems with a steeper learning curve force you to know your system pretty well. I’ll admit, learning Linux was a very painful experience for me, and sometimes I still get in over my head, but I know a whole lot about how the system functions. And the main reason I know about NT’s internals is because I learned OS/2 first, and OS/2 had a lot less handholding but since NT was descended from it, that stuff applied.
So NT’s selling point has been a problem for it also. Lots of people administering those systems who really ought not be sysadmins.
But while the server is easy to set up, it was very difficult to install the original version of this particular patch. Without a good grasp of the command line it was a royal pain to do.
Take all that and throw in cryptic documentation, and I have a hard time coming up with a better recipe for disaster.
I dunno, Dave. Could you add an ice cream truck to that disaster recipe?
So that my last comment makes sense (my HTML-like epilogue was dutifully clipped): this is obviously an inside joke. So inside that Dave hasn’t even told me what the ice cream truck is all about…
The ice cream truck is a disaster all on its own…