[linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

Andrew akohlsmith-le@benshaw.com
Wed Jan 29 16:00:15 PST 2003


>   - Another number I've been pulling out of /dev/ass (mostly because
>     nobody's provided anything more useful) is that there are 10m Win2K
>     systems in existence.
>
>   - This means that the infected hosts were on the order of 1% of all
>     potential hosts.  That is, Microsoft users were attaining a 99%
>     patch and/or secure rate of systems publicly visible to the worm.
>     This is a pretty good compliance rate.  It was also wholly
>     inadequate in preventing this attack.

There are 10M win2k systems with SQL Server 2000 on them, or 10M win2k 
systems, some (I am willing to bet very small) percentage of which have SQL 
Server 2000 on them?   I also do not buy the next point:

>   - The MS SQL engine is incorporated into a large number of MSFT
>     products.  While not absolving guilt, it does help to explain why
>     so many exposed systems existed.  The overhead of knowing what
>     services exist on a given system, and of keeping these systems
>     patched, increases consequently.
>
>     http://www.microsoft.com/technet/security/MSDEapps.asp

While a drop in the bucket of 10M Win2k installs, the 100 or so that I am in 
direct or peripheral control over have nothing with the SQL Server 2000 
engine in them.  Not by design, but rather because the software running on 
them simply doesn't have it.  Remember that SQL Server 7, while vulnerable to 
a bazillion other attacks, was completely unaffected in this particular one.  
SQL Server 2000 is also not anywhere near a default install of Win2k.

Additionally, how many of the 10M systems have incoming ports open?  That is, 
how many hundreds of thousands of them are behind even simple NATting 
firewalls, sitting in offices in corporate America/insert_country_here?

I'm not usually a betting man, but I am willing to wager that the number of 
systems running SQL Server 2000 which were capable of receiving the exploit 
and were successfully exploited is a damned lot higher than the 1% you 
estimate.

Regards,
Andrew
