Redmond finally speaks... Thanks WiNBETA for the heads up.

Microsoft Corp. said on Saturday that a virus-like attack against its key database software, which slowed Internet traffic around the globe, could spread to its other less frequently used programs unless users protected themselves with key software updates.

Although the spread of the computer worm had passed its peak and was coming under control, Microsoft Chief Security Strategist Scott Charney urged companies, the main buyers of Microsoft's SQL (pronounced 'sequel') Server 2000 and other related programs, to download security patches from the world's largest software maker's Web site.

"It was a vulnerability. We knew about it, but someone is exploiting it," Charney told Reuters, "We want our customers to be as secure as possible and install the patches."

News source: Reuters



In the worst widespread Web attack in a year and a half, the worm clogged network pipelines around the globe, nearly shutting down Internet providers in South Korea, disrupting a majority of Bank of America Corp.'s automatic teller machines and making online surfing and e-mail access difficult.

A key component of the SQL Server software, called "Microsoft SQL Server 2000 Desktop Engine," is particularly vulnerable to the malicious computer worm, which quickly propagates itself and seeks out other systems to infect.

Since MSDE is deployed not only in SQL software but in other programs used for software development, such as Visual Studio .NET and Office XP Developer Edition, the worm could spread beyond the database servers, Charney said.

"The unfortunate thing about this is when you know that this was a problem and they (customers) hadn't updated," Charney said, "That's a bit frustrating."

Charney was hired by Microsoft nearly a year ago, just when Chairman and co-founder Bill Gates issued a mandate that the company focus on "Trustworthy Computing," a campaign aimed at making its software more protected, secure and reliable.

Charney said Saturday's attack "showed how relevant that policy was."

"To respond to those threats, we need cooperation," Charney said.

Patches, or fixes, for programs using MSDN as well as for SQL are available on Microsoft's TechNet support page (http://www.microsoft.com/technet), the company said.



There are 5 additional comments
#1 Posted by Neobond on 26 Jan 2003 - 11:08
It's annoying to think that software sold onto consumer markets has the capability to bring the Internet to its knees due to bugs and lack of patching/updates. So simple, and to think that the people who set this off played off admins who could have patched up last July (yep, July 2002).
#2 Posted by Tom Servo on 26 Jan 2003 - 13:30
[quote]
- ----------------------------------------------------------------------
Title: Elevation of Privilege in SQL Server Web Tasks (Q316333)
Released: October 16, 2002
[b]Revised: January 26, 2003 (version 2.0)[/b]
Software: Microsoft(r) SQL Server(tm) 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000.
Impact: Elevation of Privileges
Max Risk: Critical
Bulletin: MS02-061

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
- ----------------------------------------------------------------------
[/quote]
The first patch was out in July 2002, but did mess up some operations. The patch from October was a full fix. Still, there are three months where no one cared a flying fuck. Nice, huh?
#3 Posted by aaje on 26 Jan 2003 - 16:21
Sigh, what Mr. Charney neglects to mention is that some of their oh so needed hotfixes many times interfere with applications! Especially with databases, you don't want to run an update and afterwards find out that your whole application needs to be rewritten. THAT'S a big issue with most admins, as they don't know if their app still works after an update. So many times, they pray that the bug isn't bad enough.. That's right folks: You're damned if you do, and you're damned if you don't. I had the issue with one of our servers when we installed the MDAC patch in November.. Customers' website wouldn't work anymore. And OF COURSE this patch didn't have a rollback feature. Thankfully we could restore the old DLLs from backup..
#3.1 Posted by Tom Servo on 26 Jan 2003 - 16:35
The interfering version was the July 2002 patch. The October one was a fixed version.
#4 Posted by JaggedFlame on 26 Jan 2003 - 21:13
[quote]Microsoft's SQL (pronounced 'sequel') Server 2000[/quote] WTF?