Re: why the SQL patch didn't prevent this worm

From: Jonathan Boarman (jboarman@DCSINFOSYS.COM)
Date: 01/25/03

    Date:         Sat, 25 Jan 2003 14:12:42 -0600
    From: Jonathan Boarman <jboarman@DCSINFOSYS.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I blame Microsoft for the extent to which this worm has affected so many machines. While MS released a patch to fix this vulnerability roughly 6 months ago, the patch was *relatively* difficult to install (especially on MSDE). For most of us, we are used to installing a patch that executes for a minute or two and then may require a reboot. However, this patch required replacing DLLs and other files manually and then executing stored procedures to complete the patch. On MSDE machines, there are no visual client tools so one has to figure out how to run the command line tool (which may require making changes to the registry). Not only that, but as someone else pointed out, there are many apps which may be running their own copy of MSDE and each separate instance had to be manually patched!!

    The point here is that this patch was VERY different from what administrators are used to dealing with in terms of installing patches. Microsoft veered significantly from its normal patch methodology and that is why I blame MS for at least some number of infected machines. The admins of today are not the same admins of the code-red period (in terms of mind-set). Admins today are generally much more ambitious installing patches. However, when you ask admins to risk manually patching a machine OR wait a few months for the next Service Pack, many admins will wait (as I suspect has happened here) for that next Service Pack to come out.

    Just my thoughts ... but I'm sure there are many that agree with this sentiment!

    -Jonathan
