Re: SQL Server X Security Update for Service Pack 2

From: Chris Wood (chris.wood@gov.ab.ca)
Date: 06/12/02


From: "Chris Wood" <chris.wood@gov.ab.ca>
Date: Wed, 12 Jun 2002 13:53:26 -0600


Keith,

A security patch is unlikely to stop people using a blank password for sa.
Look at Q313418 on Microsoft's KB for what the worm is searching for.
Just a note.
On my home PC, without SQL Server on it, I am getting a number of scans of
port 1433 showing in my ZoneAlarm log.
If you have a blank password and you are using port 1433 and it is open to
the wide world, you have probably been found.

Chris Wood
Alberta Department of Energy
CANADA

"Keith Ashley" <keitham@javaz.net> wrote in message
news:d9f701c21226$a0ae2620$9ae62ecf@tkmsftngxa02...
> I am hoping that someone will be able to assist me with
> some clarification on an issue. In the latest SQL Server
> rollup fix, I thought that I heard about some kind of
> worm vulnerability that exploits blank "sa" passwords. I
> understand that having blank passwords is an
> extraordinary security vulnerability anyway but I did not
> implement this system. Also, the reason for the
> blank "sa" is that there is an application that is
> hardcoded to authenticate with a blank password. I am
> just clarifying that I do know better. Back to my
> question: I thought that I read somewhere that this
> latest SQLSSRP is supposed to eliminate this
> vulnerability. Can anyone please shed some light on this
> or was I hallucinating when I thought I read this?
> Please help me, we have downed our app until we can get
> an answer. Thanks in advance for your help.
>
> Keith
>
