SQL Slammer worm
Posted online on 29/01/2003
Find the latest information on the "SQL Slammer" worm, published by Microsoft following the incidents of 25/26 January 2003. (Articles in English)
Letter to customers
To our customers:
On the evening of Friday January 24, 2003 Microsoft became aware of an Internet attack that was causing a dramatic increase in network traffic worldwide. We immediately began investigating the issue and learned that a worm, named Sapphire or Slammer, was targeting computers running Microsoft® SQL Server™ 2000 and MSDE 2000 systems. We were quickly able to determine that (a) the vulnerability was known and patches had previously been made available, and (b) there was no data corruption on customers' systems. The release of this worm is a criminal act, and we are working with law-enforcement authorities to the fullest extent possible.
We understand this worm has caused business disruption and we are committed to helping our customers make sure their networks are as secure as possible from development through deployment.
Since the release of this worm, Microsoft has worked around the clock to pull together the information and resources necessary to ensure that customers are able to protect their affected systems. Complete information is located at http://Microsoft.com/security. We have extra staff on hand in Product Support to assist customers, and, of course, all support calls related to this issue are free of charge.
The vulnerability that is exploited by this worm was first addressed by a Microsoft security patch in July 2002 and in subsequent cumulative patches, most recently in October 2002. In addition, as part of our commitment to the secure in deployment goal of Trustworthy Computing, we have re-released the latest security patch to include an installer that makes it easier for system administrators to accelerate installation.
Going forward, Microsoft will continue to invest in developing a more secure and robust computing infrastructure as part of the Trustworthy Computing initiative. We will also work with network administrators to continue to improve our patch deployment process.
We realize that SQL Server is a critical component of our customers’ enterprise infrastructure. As a result, Microsoft recently executed a security push to proactively identify and remove security flaws in SQL Server 2000. These updates were recently delivered as part of SQL Server 2000 and MSDE 2000 service pack 3. Security pushes like this are part of our commitment to delivering on the vision of TWC by making our existing products more secure by design, default and in deployment. As a result, we strongly recommend that you evaluate and adopt SQL Server service pack 3.
Trustworthy Computing is a long-term process and this latest incident reinforces both how reliant we are on the Internet and how much work remains to deliver security against malicious attacks such as this. We understand the importance of this issue and we continue to look for new ways to deliver quality updates in a timely and easy to deploy manner.
Slammer Worm - Q&A - 27/01/03
Q. I noticed that you removed the SQL Server eval software from your site. Why?
A. SQL Server 2000 Evaluation Editions are intended for short-term testing and should not be used in production environments. For this reason, the Evaluation Editions do not support security patches and service packs. Any computers running SQL Server 2000 Evaluation Editions should be kept in a test environment separate from network access.
Q: Why were you not patched?
A: In some circumstances it is because developers and testers are purposely not patching systems so we can test various customer configurations and replicate their experiences for testing purposes. But otherwise, we struggle with the same issues as the rest of the industry. Individuals make patch deployment decisions based on a variety of reasons such as time management and oversight. As part of our TWC initiative we have committed to simplifying and streamlining the patch management process because at the end of the day we need to make it easier to reach 100% patching.
Q: How can MSFT expect its customers to heed your advice on implementing critical security fixes & updates when MSFT’s own IT group ignores the same advice?
A. To begin, we had a very high percentage of operation systems that were patched. But like the rest of the industry we struggle to reach 100%. However, incidents show the importance of having a very good patch management system and process. But at the end of the day, it is still critical that systems are patched.
Q: What happened?
A: At approximately 9:30 PM PST Friday January 24th, Microsoft became aware of an Internet attack causing a dramatic increase in network traffic worldwide. Microsoft immediately began investigating the issue and learned of a virus targeting SQL Server™ 2000 and MSDE 2000 machines not updated with the most current security patches.
Q. How serious is it?
A. This virus does not appear to attack the data of infected systems, but has had a wide impact on performance and availability. Typical home users’ machines, however, are not affected. We are working around the clock to ensure our affected customers are protected.
Q. What is the slammer worm?
A. The “Slammer” worm is an Internet worm targeting un-patched SQL Server 2000 and MSDE 2000 systems resulting in a high volume of network traffic on both the Internet and private internal networks.
Q. Yesterday you put up a statement saying you first heard about this at 12:30 a.m. and then changed it to 9:30 p.m. What happened?
A. It was a miscommunication internally. We meant to say 12:30 EST. We updated this today in order to be factually accurate.
Q. I hear that Microsoft’s network is experiencing significant delays. Is this a result of the worm? What happened?
A. Outside of our data system we have a lot of people testing different things including products and development. As a result, we did have several cases of machines that had not been updated. We are working diligently to update our network as well as assist our customers with any issues they’re facing.
Q. Which systems are impacted?
A. Microsoft SQL Server 2000 and MSDE 2000.
Q. What is MSDE 2000?
A. MSDE 2000 is a database engine that is included with several products from Microsoft and third parties. In most cases MSDE is offered as an alternative for customers who use these applications in situations that do not require the scale of SQL Server 2000. MSDE 2000 is not necessarily installed by default.
The following Microsoft products include MSDE but do not install it by default:
· Access 2002
· ASP.NET Web Matrix Tool
· MSDN® Universal and Enterprise subscriptions
· Office XP Developer
· SQL Server 2000 (Developer, Standard, and Enterprise Editions)
· Visual FoxPro® 7.0/8.0
· Visual Studio® .NET (Architect, Developer, and Professional Editions)
The following products include MSDE and install it by default:
· Application Center 2000
· Biztalk Server 2002 Partner Edition
· Host Integration Server 2000
· Network Appliance Group
· Project Server 2002 and 2003
· Retail Management System 1.0 and 1.1
· Small Business Manager 6.2 and 6.3
· Stress Tools v. 1.2
· Visio 2000 Enterprise Edition
· Visio Enterprise Network Tools (VENT)
· Windows XP Embedded Build Tool
It is important that customers who use products that include MSDE 2000 check to see if they have MSDE installed, and in the case that they do, to verify that their installation has been updated with the latest service pack and security bulletin to eliminate the vulnerability exploited by the Slammer worm. Instructions for checking for MSDE 2000 are at TechNet.
Q: What should impacted customers/users do?
A. We strongly encourage SQL Server 2000 and MSDE 2000 customers who have systems that have not been updated to immediately install the latest patch (MS02-061) or SP 3 to correct this vulnerability. Customers that have any ongoing issues should visit http://www.microsoft.com/security, contact the Microsoft Anti-Virus hot line at 1-866-PCSAFETY, Microsoft product support or your anti-virus vendor. Microsoft’s support for virus-related issues is, of course, always free. Methods for contacting support can be found at http://www.support.microsoft.com.