SQL Sapphire: Woe to Those Who Don't Patch


Mike Fratto

January 27, 2003


As you're probably aware, a massive worm attack using Microsoft's SQL Server 2000 surfaced over the weekend. It's a nasty worm; reports on various lists claim packet loss on NAPs (network access points) reaching 90 percent. Those of you who don't manage Microsoft SQL servers but were hit by this worm should be annoyed at your colleagues who didn't stay on top of patches or properly manage and maintain your company's servers.

Certainly, a lot of Microsoft bashing is going on. But you know what? You really have to stop blaming Microsoft for every little ill that comes your way. Take some responsibility. Of course, this was--another--problem with a Microsoft product, but a patch has been available since June 24, 2002. That's what, almost seven months. Say it with me now, s-e-v-e-n long months.

Now, it seems to me that Next Generation Security Software Ltd., which discovered this vulnerability, took the correct, responsible disclosure route: The company's researchers found a problem, notified Microsoft, worked with the developers in Redmond to solve the problem and then announced its findings. I don't think exploit code was even in the wild, so you can't blame this attack on script kiddies.

The fault for this weekend's debacle falls at the feet of the person in your organization who manages your SQL servers. The only people who are blameless are those who tried to install the patch and found that it broke some critical functionality. These people rightfully--for obvious business reasons--could not install it. Otherwise, you don't have a leg to stand on. It's just irresponsible. Period. No excuses.

If you don't have time to read the advisories, you can have them sent to you (http://register.microsoft.com/regsys/pic.asp), or you can subscribe to alert newsletters like our own Security Alert Consensus.

Yes. Bite the bullet and get a stupid Passport account. Have fun; just make sure you supply an e-mail address you actually read--or at least scan. And then put those patches and hotfixes into your calendar and roll them out.

For this particular problem, install the patch and don't forget any MSDE (Microsoft SQL Desktop Engine) deployments. Users with Visio or Visual Studio installed, to name two, will need to be patched. The patch only works with SQL Server Service Pack 2, which you can download here.

Otherwise, get SQL Server Service Pack 3.

About the Author(s)

Mike Fratto

Former Network Computing Editor
