Re: SQL Server X Security Update for Service Pack 2

From: Chris Wood (chris.wood@gov.ab.ca)
Date: 06/12/02


From: "Chris Wood" <chris.wood@gov.ab.ca>
Date: Wed, 12 Jun 2002 13:53:26 -0600


Keith,

A security patch is unlikely to stop people using a blank password for sa.
Look at Q313418 on Microsoft's KB for what the worm is searching for.
Just a note.
On my Home PC, without SQL Server on it, I am getting a number of scans of
port 1433 showing in my Zonealarm log.
If you have a blank password and you are using port 1433 and it is open to
the wide world, you have probably been found.

Chris Wood
Alberta Department of Energy
CANADA
"Keith Ashley" <keitham@javaz.net> wrote in message
news:d9f701c21226$a0ae2620$9ae62ecf@tkmsftngxa02...
> I am hoping that someone will be able to assist me with
> some clarification on an issue. In the latest SQL Server
> rollup fix, I thought that I heard about some kind of
> worm vulnerability that exploits blank "sa" passwords. I
> understand that having blank passwords is an
> extraordinary security vulnerability anyway but I did not
> implement this system. Also, the reason for the
> blank "sa" is that there is an application that is
> hardcoded to authenticate with a blank password. I am
> just clarifying that I do know better, back to my
> question, I thought that I read somewhere that this
> latest SQLSSRP is supposed to eliminate this
> vulnerability. Can anyone please shed some light on this
> or was I hallucinating when I thought I read this?
> Please help me, we have downed our app until we can get
> an answer. Thanks in advance for your help.
>
> Keith
>
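Chris's observation above (unsolicited hits on port 1433 in a personal-firewall log) is easy to turn into a quick triage check. The script below is an added example for this thread, not code from either poster: it parses constructed log lines in the comma-separated layout ZoneAlarm wrote (direction, date, time, source ip:port, destination ip:port, protocol; the layout and the documentation-range addresses are assumptions, not a captured log) and counts inbound attempts against the SQL Server ports, so an administrator can see whether an exposed instance is being probed.

```python
"""Count inbound connection attempts to SQL Server ports in a personal-firewall log."""
from collections import Counter

# Constructed sample lines in the comma-separated layout ZoneAlarm's log used
# (direction, date, time, source ip:port, destination ip:port, protocol).
# Addresses are documentation ranges, not real hosts; the layout is an assumption.
SAMPLE_LOG = """\
FWIN,2002/06/12,08:14:02 -6:00 GMT,198.51.100.23:3451,192.0.2.10:1433,TCP (flags:S)
FWIN,2002/06/12,08:14:05 -6:00 GMT,198.51.100.23:3452,192.0.2.10:1433,TCP (flags:S)
FWIN,2002/06/12,09:30:11 -6:00 GMT,203.0.113.77:1030,192.0.2.10:80,TCP (flags:S)
FWIN,2002/06/12,10:02:40 -6:00 GMT,203.0.113.9:4112,192.0.2.10:1433,TCP (flags:S)
FWOUT,2002/06/12,10:05:00 -6:00 GMT,192.0.2.10:1025,198.51.100.5:53,UDP
FWIN,2002/06/12,11:47:19 -6:00 GMT,198.51.100.23:3460,192.0.2.10:1434,UDP
this line is malformed
"""

# 1433/tcp is the default SQL Server listener; 1434/udp is the SQL Server
# Resolution Protocol (SSRP) port used to locate named instances.
SQL_SERVER_PORTS = {1433, 1434}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a firewall event."""
    fields = line.strip().split(",")
    if len(fields) < 6 or not fields[0].startswith("FW"):
        return None
    direction, date, time, src, dst, proto = fields[:6]
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "direction": direction,
            "timestamp": f"{date} {time}",
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "proto": proto.split()[0],  # drop the "(flags:S)" detail
        }
    except ValueError:
        return None


def sql_probes(log_text):
    """Return the inbound events aimed at a SQL Server port."""
    events = (parse_line(l) for l in log_text.splitlines())
    return [e for e in events
            if e and e["direction"] == "FWIN" and e["dst_port"] in SQL_SERVER_PORTS]


def probe_summary(log_text):
    """Map each probing source address to the number of attempts it made."""
    return dict(Counter(e["src_ip"] for e in sql_probes(log_text)))


if __name__ == "__main__":
    summary = probe_summary(SAMPLE_LOG)
    for ip, n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<16} {n} attempt(s) on SQL Server ports")
    if summary:
        print("An Internet-exposed instance with a blank sa password would already have been found;")
        print("set a strong sa password and block 1433/tcp and 1434/udp at the perimeter.")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; outbound (FWOUT) records and lines that do not parse are ignored, and the summary is keyed by source address so repeated hits from one scanner stand out.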