Behind the Scenes of the SQL Slammer Worm Virus

On Friday, January 24, at 9:30 P.M. Pacific time, an Internet attack began causing a dramatic increase in network traffic worldwide. Microsoft identified a worm virus called Sapphire or Slammer, which targets systems running either Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine (MSDE). The Slammer virus is similar to a Denial of Service (DoS) attack in that it generates enough network traffic to bring the Internet to a standstill. Slammer doesn't attack SQL Server systems' data. Home users' machines typically aren't affected because their MSDEs aren't exposed to the Internet, but more than a million MSDEs are in production systems that are exposed to the Internet.

The irony of the Slammer crisis is that the vulnerability that Slammer exploited was first corrected almost 7 months earlier by Microsoft Security Bulletin MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution) and in the subsequent cumulative Microsoft Security Bulletin MS02-061 (Elevation of Privilege in SQL Server Web Tasks). These fixes were also included in SQL Server 2000 Service Pack 3 (SP3) and MSDE 2000 SP3. What does this tell us? Systems and Web administrators don't apply available security patches. Microsoft Internet Information Services (IIS) 6.0 in Windows Server 2003 will ship completely locked down with automatic patching enabled because administrators don't patch systems for reasons that include ignorance and being "too busy." The heavy traffic on the TechNet SQL Server security sites demonstrates the value of online communities in helping systems administrators respond quickly and effectively to threats.

Slammer was another black eye to the already battered Microsoft security effort. Most industry experts agree that other platforms have plenty of security vulnerabilities too, but Microsoft still receives the brunt of attacks. Microsoft is an irresistible target for the type of person who spends his or her time trying to maliciously exploit security weaknesses and who wants to bring the world's productivity to a screeching halt.

Behind the scenes at Microsoft on January 24, a response team worked to make sure its customers had the information and resources to get secure. When SQL Server and MSDE customers returned to work on Monday, January 27, they were able to receive customer support from Microsoft Product Support Services (PSS) in a short amount of time. Microsoft also swiftly assembled a development team to issue a rerelease of MS02-061 for SQL Server with automatic installation functionality. As of noon on Monday, Microsoft received about 21,000 download requests per hour for SQL Server-related patches, which included 14,000 requests per hour for SQL Server SP3 and 6800 requests per hour for the rerelease of MS02-061. Microsoft provides access to IT professional-focused public newsgroups through the TechNet site ( ). The public newsgroups on the TechNet site immediately had helpful information about what was happening with Slammer and how to fix the problem.

I depend on Windows Update to keep my client systems secure. You can get the Windows Update software by selecting Windows Update on the Tools menu in Microsoft Internet Explorer (IE), or you can go directly to the Windows Update site at . Andrew Brust, security expert and founder of Progressive Systems Consulting, said, "Patching is clearly a suboptimal solution for addressing security vulnerabilities, but it's the best way we have of protecting the current installed base of products." So why isn't SQL Server part of Windows Update? And, why isn't every Microsoft product part of Windows Update? Here's my bold prediction: The result of Slammer will be that every Microsoft product will become a part of Windows Update within the next 6 months. What are your thoughts about my prediction and the mechanics of how we might help to reduce the security vulnerabilities that continue to bite us? Email me and tell me your thoughts.
