Microsoft AppCenter and W32/SQLSlammer

From: Mike Hays (cpunews@HOTMAIL.COM)
Date: 01/26/03

    Date:         Sun, 26 Jan 2003 00:19:45 -0500
    From: Mike Hays <cpunews@HOTMAIL.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Russ,
    People may not be aware that Microsoft AppCenter 2000 uses MSDE, and that
    due to the way the two are integrated, the AppCenter MSDE instance
    (MSSQL$MSAC) _cannot_ be patched except through an AppCenter service pack.
    The last service pack came out October 2001 and the next one isn't due until
    the release of Windows Server 2003. That is a long time between patching!

    I have given PSS and the TAM for the company I consulted at a hard time
    about this, and they have always assured me that this MSDE instance isn't
    susceptible to attack since it is self-contained. I never liked this answer
    and didn't believe it (for good reason), but couldn't get a solution. Now
    the SQLSlammer worm appears to have proven that AppCenter isn't invulnerable
    to MSDE vulnerabilities, and that Microsoft needs to remedy this situation
    immediately.

    The AppCenter instance of MSDE does listen on UDP 1434, and while I have not
    witnessed a compromised system myself (that's a good thing), there is at
    least one poster to Usenet who claims he was attacked through the AppCenter
    instance of MSDE (see link below).

    Please do what you can to warn people about this problem and exert any
    pressure you can on Microsoft to correct this issue. Since many AppCenter
    installations reside in DMZs, this could be serious.

    Thanks,
    Mike Hays

    Usenet Poster claiming compromise:
    http://groups.google.com/groups?dq=&hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&group=microsoft.public.applicationcenter.admin&selm=079201c2c4aa%241877e430%248df82ecf%40TK2MSFTNGXA02100 (CET)
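A host-side check a defender can run in response to the post above, as an added example that is not part of the original message or of any Microsoft tooling: it correlates the UDP 1434 socket (the SQL Server Resolution Service port the post names) with the process and service that own it, so an administrator can confirm whether a box is running a named MSDE instance such as MSSQL$MSAC and whether that listener is bound on all interfaces. It assumes the output formats of `netstat -ano` and `tasklist /svc` (the PID columns exist on Windows XP/2003 and later); both sample outputs below are constructed for illustration, not captured from a real system.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of `netstat -ano` on a hypothetical AppCenter host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1640
  TCP    10.0.0.5:80            10.0.0.9:51234         ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    640
  UDP    0.0.0.0:1434           *:*                                    1640
"""

# Constructed sample output of `tasklist /svc` on the same hypothetical host.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    812 RpcSs
lsass.exe                      640 PolicyAgent, SamSs
sqlservr.exe                  1640 MSSQL$MSAC
"""

# SQL Server Resolution Service port, as named in the post.
SSRS_UDP_PORT = 1434

# Instances the post says cannot take regular MSDE hotfixes (AppCenter's MSSQL$MSAC).
SERVICE_PACK_ONLY = {"MSSQL$MSAC": "patched only via an AppCenter 2000 service pack"}

NETSTAT_UDP = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def udp_listeners(netstat_text: str) -> List[Tuple[str, int, int]]:
    """Return (local_addr, port, pid) for each UDP socket in `netstat -ano` output."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_UDP.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def services_by_pid(tasklist_text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    result: Dict[int, Tuple[str, List[str]]] = {}
    for line in tasklist_text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # skip the header rows
        m = TASKLIST_ROW.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            names = [s.strip() for s in svcs.split(",") if s.strip() and s.strip() != "N/A"]
            result[pid] = (image, names)
    return result


def find_exposed_instances(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Correlate every UDP 1434 socket with the SQL Server/MSDE service that owns it."""
    owners = services_by_pid(tasklist_text)
    report = []
    for addr, port, pid in udp_listeners(netstat_text):
        if port != SSRS_UDP_PORT:
            continue
        image, names = owners.get(pid, ("<unknown>", []))
        instances = [n for n in names if n.upper().startswith("MSSQL")]
        for inst in instances or ["<no MSSQL service found for this PID>"]:
            report.append({
                "local_addr": addr,
                "pid": pid,
                "image": image,
                "instance": inst,
                "bound_all_interfaces": addr in ("0.0.0.0", "*", "[::]"),
                "patch_path": SERVICE_PACK_ONLY.get(inst, "standard MSDE/SQL Server hotfix"),
            })
    return report


if __name__ == "__main__":
    for row in find_exposed_instances(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"UDP {SSRS_UDP_PORT} on {row['local_addr']} owned by PID {row['pid']} "
              f"({row['image']}, {row['instance']}); "
              f"all interfaces: {row['bound_all_interfaces']}; {row['patch_path']}")
```

On a live host, feed the script the real command output instead of the constructed samples. A row showing MSSQL$MSAC bound on all interfaces is the case the post describes: the listener is present, and the instance cannot be brought current through the normal MSDE hotfix path, so exposure has to be managed at the network boundary (the post notes many AppCenter installations sit in DMZs) until an AppCenter service pack ships.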
