Re: Microsoft notice on W32.Slammer

From: Steve Kass (skass@drew.edu)
Date: 01/26/03


Date: Sun, 26 Jan 2003 02:42:12 -0500
From: Steve Kass <skass@drew.edu>


Shawn,

  I think the folks in m.p.applicationcenter.admin would like to know
what to do, since they've been told not to install these security
patches and wait instead for the next AC service pack.

SK

Shawn Aebi [MS] wrote:

>can be found at
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp
>
>PSS Security Response Team Alert - New Worm: W32.Slammer
> SEVERITY: CRITICAL
>
> DATE: 1/25/2003
>
> PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL
>Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000
>
> **********************************************************************
>
> WHAT IS IT?
>
> The PSS Security Response Team is issuing this alert to inform
>customers about the W32.Slammer worm, which is currently spreading in the
>wild. You are not at risk unless you are running one of the above listed
>products. Customers are advised to review the information and take the
>appropriate action for their environments.
>
> This alert is primarily focused at business customers.
>
> IMPACT OF ATTACK:
>
> Denial of Service
>
> TECHNICAL DETAILS:
>
> The W32.Slammer is a memory resident worm that propagates via Port
>1434 utilizing a vulnerability that was patched in Microsoft Security
>Bulletin MS02-039. This bulletin was first available on July 24, 2002.
>
> This worm is designed to propagate, but does not appear to contain any
>additional payload.
>
> Please contact your Antivirus Vendor for additional details on this
>worm.
>
> PREVENTION:
>
> 1) This worm utilizes a previously-announced vulnerability as part of
>its infection method. The vulnerability used by the worm to infect machines
>is:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-039.asp
>
> Microsoft, however, recommends that customers install the most recent
>cumulative security patch for Microsoft SQL Server 2000 which is Microsoft
>Security Bulletin MS02-061 (which will also patch MSDE 2000), and which
>includes the fixes for the vulnerabilities that were announced in Microsoft
>Security Bulletin MS02-039. MS02-061 can be found here:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
>
> This patch is also included in Microsoft SQL Server 2000 Service Pack
>3.
>
> Due to support issues with certain configurations customers should
>install Microsoft Security Bulletin MS02-061 using the following
>instructions:
>
> A) If you are running Windows NT 4.0 Server Service Pack 6a install
>the patch referenced in Microsoft Knowledgebase Q258437, the Microsoft
>Knowledge Base can be found at http://support.microsoft.com.
>
> B) Install the patch included in Microsoft Knowledgebase Q317748, the
>Microsoft Knowledge Base can be found at http://support.microsoft.com. If
>MS02-061 is already installed you should still install this patch, however
>click "No" at the prompt to overwrite files.
>
> C) Install the security patch associated with Microsoft Security
>Bulletin MS02-061
>
> 2) If you cannot apply this patch immediately, the following options
>can limit propagation:
>
> A) Block UDP port 1434 inbound and outbound traffic at your firewalls.
>
> B) You may also block UDP port 1434 inbound traffic on your Microsoft
>SQL 2000 Servers. Performing this instruction may result in support issues
>as this port performs name resolution.
>
> Installation of these patches will prevent infection by the
>W32.Slammer Worm.
>
> Microsoft is working on a method to allow customers to detect MSDE in
>their environment and will update this alert with that information once it
>is provided.
>
> RECOVERY:
>
> Instructions for Removal of W32.Slammer from infected Microsoft SQL
>Server 2000 Servers or Microsoft SQL Desktop Edition (MSDE 2000)
>
> 1. Stop the SQL Server Service
>
> 2. If you are running Windows NT 4.0 Server Service Pack 6a install
>the patch referenced in Microsoft Knowledgebase Q258437. The Microsoft
>Knowledge Base can be found at http://support.microsoft.com (this patch is
>being recommended due to support issues related to Microsoft Security
>Bulletin MS02-061 listed below).
>
> 3. Install the patch included in Microsoft Knowledgebase Q317748. The
>Microsoft Knowledge Base can be found at http://support.microsoft.com (this
>patch is being recommended due to support issues related to Microsoft
>Security Bulletin MS02-061 listed below). If MS02-061 is already installed
>you should still install this patch, however click "No" at the prompt to
>overwrite files.
>
> 4. Install the patch from Microsoft Security Bulletin MS02-061, which
>includes Microsoft Security Bulletin MS02-039. This patch is also included
>in SQL Server 2000 SP3.
>
> 5. Restart the SQL Server Service.
>
> If you need further assistance regarding this worm, please contact
>Microsoft Product Support Services, or your preferred antivirus vendor.
>
> RELATED KB'S:
>
> http://support.microsoft.com?kbid=813440
>
> An article will be made available within 24 hours.
>
> RELATED MICROSOFT SECURITY BULLETINS:
>
> The most recent cumulative security patch for Microsoft SQL Server
>2000, which includes the fixes for the vulnerabilities that were announced
>in Microsoft Security Bulletin MS02-039 can be found here:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
>
> You may also install Microsoft SQL Server 2000 SP3 which includes the
>above mentioned security patches.
>
> As always please make sure to enable a firewall and use the latest
>Anti-Virus detection from your Anti-Virus vendor to prevent and detect new
>viruses and their variants.
>
> If you have any questions regarding this alert please contact your
>Microsoft representative or 1-866-727-7338 (1-866-PCSafety) within the US,
>outside of the US please contact your local Microsoft Subsidiary.
>
> PSS Security Response Team
>
>
>
>
>
>
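The alert's advice to block UDP port 1434 at the firewall, together with its caveat that the port also performs name resolution, can be turned into a log triage step. The following is an added example, not part of the original post or of Microsoft's alert: it separates internal hosts fanning out to many destinations on UDP 1434 (candidates for the recovery steps) from servers that merely accepted inbound UDP 1434 from outside (candidates for patching and blocking). The log line format, the 10.0.0.0/8 internal range, the fan-out threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SLAMMER_PORT = 1434  # UDP port named in the alert
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site address plan

# Constructed sample records: "timestamp proto src_ip:port dst_ip:port action"
SAMPLE_LOG = """\
2003-01-25T05:31:02Z UDP 10.1.4.20:1038 198.51.100.7:1434 ALLOW
2003-01-25T05:31:02Z UDP 10.1.4.20:1038 198.51.100.44:1434 ALLOW
2003-01-25T05:31:02Z UDP 10.1.4.20:1038 192.0.2.19:1434 ALLOW
2003-01-25T05:31:03Z UDP 10.1.4.20:1038 192.0.2.250:1434 DENY
2003-01-25T05:31:05Z UDP 10.1.7.5:2210 10.1.4.20:1434 ALLOW
2003-01-25T05:31:09Z UDP 203.0.113.9:4071 10.1.4.30:1434 ALLOW
2003-01-25T05:31:09Z UDP 203.0.113.9:4071 10.1.4.31:1434 DENY
2003-01-25T05:31:10Z TCP 10.1.7.5:2211 10.1.4.30:1433 ALLOW
this line is truncated
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port, action), or None if malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _, proto, src, dst, action = fields
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_host, dst_port = dst.rsplit(":", 1)
        return proto, src_ip, ipaddress.ip_address(dst_host), int(dst_port), action
    except ValueError:
        return None

def triage(log_text, fanout_threshold=3):
    """Return (suspected_infected, exposed_servers) as sorted lists of IP strings."""
    fanout = defaultdict(set)  # internal source -> distinct UDP/1434 destinations
    exposed = set()            # internal hosts that accepted external UDP/1434
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != "UDP" or rec[3] != SLAMMER_PORT:
            continue
        _, src_ip, dst_ip, _, action = rec
        if is_internal(src_ip):
            # One destination can be ordinary name resolution; many is propagation.
            fanout[str(src_ip)].add(str(dst_ip))
        elif is_internal(dst_ip) and action == "ALLOW":
            exposed.add(str(dst_ip))
    suspected = sorted(ip for ip, dsts in fanout.items() if len(dsts) >= fanout_threshold)
    return suspected, sorted(exposed)
```

Denied outbound packets still count toward fan-out, since a host blocked at the firewall is still infected and needs the recovery procedure.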