Slammer Worm - Q&A - 27/01/03 (2)

Q. Why are you just patching these now?
A. The vulnerability that is exploited by this worm was first addressed by Microsoft in July of 2002 as security patch MS02-039 and in subsequent patches, most recently MS02-061, which was released in October of 2002. These updates were also included in the recently released SQL Server 2000 Service Pack 3 (SP3). We have also created an update to MS02-061 that includes an improved installer as well as recommended fixes that were also released in October as Q317748, found on http://support.microsoft.com/.

Q: Are the patches from last summer sufficient?
A. Customers who deployed the SQL Server patch last summer are protected from the Slammer attack but additional defenses against other known exploits appear in the October patch, MS02-061. Microsoft recommends customers deploy the updated MS02-061 immediately. Customers who have already installed MS02-061 from October and the QFE patch Q317748 do not need to install the updated MS02-061. Ideally we recommend that customers download, test and deploy SP3 for SQL Server 2000. SP3 can be found on http://www.microsoft.com/sql.

Q: Why did Microsoft re-release MS02-061
A. MS02-061 was re-released to include an installer that eliminates the need for system administrators to manually configure the files for the patch. The re-released MS02-061 patch also includes a QFE patch Q317748. Both of these changes were made to make it easier for system administrators to configure their systems in line with Microsoft’s commitment to “secure in deployment” as part of the Trustworthy Computing Initiative. The binaries included in the updated MS02-061 are identical to the combination of the original MS02-061 and the Q317748 QFE. Customers who have deployed the original MS02-061 with or without Q317748 are protected from the Slammer virus. Customers who install SQL Server 2000 SP3 do not need to install MS02-061.

Q: What proactive actions should customers have in place to ensure this type of thing doesn’t happen again?
A. Microsoft recommends that all customers follow at least three general practices to help protect their systems from attack :
· Maintain all systems with the latest patches and service packs available from Microsoft Corporation
· Run anti-virus software with the most current signature files deployed throughout the network.
· Use a firewall to securely manage all Internet access

Q. Was this an attack?
A. Yes, we are treating this as a criminal act and are working with law enforcement authorities.

Q: Was this a denial of service attack?
A: Yes, but to our knowledge it was not targeted at any individual site or entity.

Q. How does the worm work?
A. The worm seeks to exploit a buffer overrun in SQL Server 2000.

Q: Do you know who, how and why?
A: No, but this is a malicious hacker attack and we are working with appropriate law enforcement authorities.

Q. Was this related to terrorism?
A. You would need to talk to the Homeland Security Office.

Q. What is the impact on consumers and home users?
A: We are not aware of any impact to the PCs for individuals and typical home users other than slow internet traffic or sites that couldn’t be viewed.

Q: How do customers/users know if they are affected?
A. Your network would be overloaded.

Q: Was there a hole in SQL Server software?
A. There was a vulnerability in the initial SQL Server 2000 code, which Microsoft provided an update for on several different occasions over the past year.

Q: I heard that customers trying to get to the site to download the patches couldn’t get the patch due to high volume of traffic. Is this true? What caused this?
A. Like the rest of the internet, we experienced delays. However, we proactively contacted premier customers to provide support. And, as always, customers can contact us for support on virus issues free of charge.

Q: If customers can’t get to the site because the Net is down for them, what is MSFT doing to help them?
A. In anticipation of increased customer demand, we made additional resources available and increased bandwidth on microsoft.com. We have not heard of widespread access problems to date.

Q: What customers have been impacted so far? How Many?
A. We are currently focused on promoting patch uptake among all of our customers to stop the propagation of this virus. We cannot discuss specific customer support cases.

Q: Were any DOD/Pentagon customers affected? If so, who and how?
A. We cannot comment on our customers’ networks – you’d have to contact DoD directly.

Q: I heard that 13,000 ATM machines from Bank of America (and perhaps others) were not available as a result of the virus attack?
A: We cannot comment on our customers’ networks – you’d have to contact them directly.

Q: What MSFT related sites were impacted? MSN? MSNBC?
A. Like the rest of the internet, all Microsoft sites experienced some delays.

Q: Was MSFT’s network affected?
A. Like the rest of the Internet, our network experienced delays throughout the day.

Q: Was the entire MSFT network patched?
A: We did not have 100% of our machines patched.

Q: Why were they not patched?
A: In some circumstances it is because developers and testers are purposely not patching systems so we can test various customer configurations and replicate their experiences for testing purposes. But otherwise, we struggle with the same issues as the rest of the industry. Individuals make patch deployment decisions based on a variety of reasons such as time management and oversight. As part of our TWC initiative we have committed to simplifying and streaming the patch management process because at the end of the day we need to make it easier to reach 100% patching.

Q: How can MSFT expect its customers to heed your advice on implementing critical security fixes & updates when MSFT’s own IT group ignores the same advice?
A. To begin, we had a very high percentage of operation systems that were patched. But like the rest of the industry we struggle to reach 100%. However incidents show the importance of having a very good patch management system and process. But at the end of the day, it is still critical that systems are patched.

Q. How could this happen again? Why are people still not applying fixes?
A. Patch uptake is actually increasing. With the introduction of tools such as Windows® Update, Microsoft Baseline Security Analyzer (MBSA), and Auto Update, more customers are applying patches then ever before. But more work must be done. That is why we started Trustworthy Computing and why securing systems in deployment is a key tenet.

Q: I heard that product activation for Windows XP customers was impacted by this attack. Is this true? If so, why and how was it impacted?
A. Yes, as a result of slowed traffic on the network, customers have had difficulty activating their products. However, customers have 30 days to activate Windows XP and 50 grace launches for Office XP.