SQL Sapphire: It's Not Only Microsoft's Fault

The massive worm attack that surfaced last month using Microsoft's SQL Server 2000 was certainly a nasty one. Reports on various lists claimed that packet loss on NAPs (network access points) reached 90 percent. Those of you who don't manage Microsoft SQL servers but were hit by this worm should be annoyed at your colleagues who didn't stay on top of patches.

Predictably, a lot of Microsoft bashing is going on. But you know what? You really have to stop blaming Microsoft for every little ill that comes your way. Take some responsibility. Yes, this was another problem with a Microsoft product, but a patch has been available since last June.

It looks like Next Generation Security Software (which discovered this vulnerability) took the correct, responsible disclosure route. The company's researchers found a problem, notified Microsoft, worked with Redmond to solve the problem and then announced its findings.

Why wasn't the patch installed in your organization? You should be open to all possibilities. If you expect your systems administrators to perform the assessment and installation of Microsoft hot fixes, you need to look closely at their workload and the volume of hot fixes Microsoft turns out. Look with open eyes into why the patch wasn't installed, and do whatever it takes to fix it. This is simple risk management. Hackers know that Microsoft technology is both widespread and vulnerable. You should face that reality also, and do whatever it takes to protect your organization.