Other Microsoft Programs Said at Risk for Web Worm

Yahoo/Reuters ^ | Sat Jan 25, 8:41 PM ET | Reed Stevenson

[Dominic Harr]

SEATTLE (Reuters) - Microsoft Corp. said on Saturday that a virus-like attack against its key database software, which slowed Internet traffic around the globe, could spread to its other less frequently used programs unless users protected themselves with key software updates.

Our Business Section is growing! Check new sections for: Stock Markets, Earnings, Economy and more... Business Front

Although the spread of the computer worm had passed its peak and was coming under control, Microsoft Chief Security Strategist Scott Charney urged companies, the main buyers of Microsoft's SQL (pronounced 'sequel') Server 2000 and other related programs, to download security patches from the world's largest software maker's Web site.

"It was a vulnerability. We knew about it, but someone is exploiting it," Charney told Reuters, "We want our customers to be as secure as possible and install the patches."

In the worst widespread Web attack in a year and a half, the worm clogged network pipelines around the globe, nearly shutting down Internet providers in South Korea (news - web sites), disrupting a majority of Bank of America Corp.'s automatic teller machines and made online surfing and e-mail access difficult.

A key component of the SQL Server software, called "Microsoft SQL Server 2000 Desktop Engine," is particularly vulnerable to the malicious computer worm, which quickly propagates itself and seeks out other systems to infect.

Since MSDE is deployed not only in SQL software but in other programs used for software development, such as Visual Studio .NET and Office XP Developer Edition, it could spread beyond the database servers, Charney said.

"The unfortunate thing about this is when you know that this was a problem and they (customers) hadn't updated," Charney said, "That's a bit frustrating."

Charney was hired by Microsoft nearly a year ago, just when Chairman and co-founder Bill Gates (news - web sites) issued a mandate that the company focus on "Trustworthy Computing," a campaign aimed at making its software more protected, secure and reliable.

Charney said Saturday's attack "showed how relevant that policy was."

"To respond to those threats, we need cooperation," Charney said.

Patches, or fixes, for programs using MSDN as well as for SQL are available on Microsoft's TechNet support page (http:/www.microsoft.com/technet), the company said.

[Dominic Harr]

'Sell the beta, and you can get the public to pay for your product testing.'

[Dominic Harr]

An 'MS Quality Seal of Approval' ping.

[Dominic Harr]

The service pack to fix this has only been out around a week, so be careful installing it. Always test first, on a box that you can live without.

Sometimes these service packs break other things.

[Clara Lou]

Gee, I hope FR's great Lion of Microsoft is going to drop by and give us a few of his standard friendly comments on the greatness of MS.

[Dominic Harr]

Knock knock.

I wonder if the timing of this also had anything to do with the SuperBowl?

There'll be a lot of web traffic during the SB, without a doubt.

I doubt it, I guess. Just something to muse about.

[Dominic Harr]

" FR's great Lion of Microsoft "

:-D

[ShadowAce]

"It was a vulnerability. We knew about it, but someone is exploiting it," Charney told Reuters,

They knew about, but didn't fix it. Pretty sad.

[TaRaRaBoomDeAyGoreLostToday!]

"It was a vulnerability. We knew about it, but someone is exploiting it,"

The statement of the year. Lemme rephrase with out the < / microsoft bs spin > on.

"It was a vulnerability major flaw in our garbage can system. We knew about it we could care less, we are lazy sitting around making good money playing golf online, but someone is exploiting it, $hit we got cought, how dare someone come in our back door when we left it wide open with snow and wind blowin in, while we sat on our a$$es, by the fireplace all warm."

[isthisnickcool]

Gads! This SQL bug has been around for a long time.

[Dominic Harr]

There was a patch. But I thought the patch was only for SQLServer, I didn't realize it was required for other products too.

It turns out the exploit is caused by a deeper flaw in MS products.

[TaRaRaBoomDeAyGoreLostToday!]

Related Thread

[Dominic Harr]

Thanks, there were about a 1/2 dozen on the issue, I noticed.

Altho this is really a new wrinkle in the story -- it's not just SQLServer, as they had been saying up until now.

[TaRaRaBoomDeAyGoreLostToday!]

Exactly. If we link em all together we will know the whole story and facts.God knows the news is blurbing this with bits and pieces here and there.

[HAL9000]

"The unfortunate thing about this is when you know that this was a problem and they (customers) hadn't updated," Charney said, "That's a bit frustrating."

Perhaps Microsoft's customers are becoming a bit frustrated with the daily security bulletins and patches. The unfortunate thing is that Microsoft knows they have a problem with designing and distributing commercially defective software, but fails to address the fundamental cause - their own sloppy development practices and denial of responsibility.

[Bloody Sam Roberts]

I would count on it.

[Dominic Harr]

The thing that most amazes me is that in *current, shipping* products they aren't forced to recall the CDs and reissue 'fixed' versions.

People who buy and install these products *today* are buying and installing a broken product.

[mumbo]

They did fix it. There is a free update/patch at their website.

When you write YOUR first error-free, perfectly secure operating system/application, you can be as snide as you want.

Until then, remember that it can happen to anyone, and people who use systems that are connected to the Internet should watch all of the usual sites for warnings and alerts.

Microsoft isn't as careful as I think they should be, and God knows their code isn't very tight, but they are the kingpin, and our choice is to make the best of the hand we are dealt. This means if you are functioning perfectly well with older, proven software, there is no reason to go to the new software until it is proven.

[TaRaRaBoomDeAyGoreLostToday!]

INTERNET NEWS
Net virus takes down ATMs
Thousands of bank customers frozen out by worm

---

Posted: January 26, 2003
1:00 a.m. Eastern

---

© 2003 WorldNetDaily.com

Thousands of banking customers were shut out of their ATMs yesterday and websites around the world were knocked down yesterday by a malicious computer worm.

Bank of America Corp. said yesterday that customers at a majority of its 13,000 automatic teller machines were unable to process customer transactions after the virus nearly froze Internet traffic worldwide.

Bank of America spokeswoman Lisa Gagnon told Reuters by phone from the company's headquarters in Charlotte, North Carolina, that many, if not a majority of the No. 3 U.S. bank's ATMs were back online and that their automated banking network was back in business.

Web traffic slowed suddenly and dramatically worldwide for hours after a fast-spreading computer worm clogged pipelines of the global network carrying data, Web pages and e-mail.

''We have been impacted, and for a while customers could not use ATMs and customer services could not access customer information,'' Gagnon said.

Gagnon said that the worm, which slows down computer networks by replicating rapidly and spreading to other servers, did not cause any damage to customer information, but slowed down or blocked access to that sensitive information, making transactions difficult.

---

[Dominic Harr]

This means if you are functioning perfectly well with older, proven software, there is no reason to go to the new software until it is proven.

Just thought that bore repeating.

*Never* use a new version of *anything* for mission-critical use.

From *anyone*.

Period.

[isthisnickcool]

Well, that may be true but people are not protecting their systems. Like having the common sense to password setup in the case of SQL Server.