Worm exposes laziness and Microsoft bugs

ANALYSIS: SQL Slammer, also known as the Sapphire worm, has highlighted a dirty secret in the IT industry: Software bugs are common and administrators are slow to patch them.

The Sapphire worm that hit servers running Microsoft SQL this weekend was a wake-up call for anyone who thought the Internet had become a safer place following increased attention by corporate and government leaders.

In the largest such incident since the Code Red and Nimda worms swamped servers in 2001, the Sapphire worm--also known as Slammer and SQLExp--infected more than 120,000 computers and caused chaos within many corporate networks. Some Internet service providers in Asia were overwhelmed.

The small but malicious program rapidly exploited a six-month-old flaw in Microsoft SQL servers, underscoring a dirty secret in the IT industry: software bugs are common and administrators are slow to fix even widely publicised problems, said Johannes Ullrich, director of the security information site Incidents.org.

"Companies should have been ready for (the worm)," he said. "That patch should have been applied--it's six months old now."

The worm started spreading about 9:30pm PST last Friday, just one day after Microsoft chairman Bill Gates sent a memo to customers stating that the company had "accomplished a lot" in the first year of its Trustworthy Computing initiative.

For much of the first year, the company has focused on increasing the security of its products.

It also came just days after the General Accounting Office, the auditing arm of Congress, said the US government has spent at least US$2.9bn (£1.8bn) in 2002 on information technology related to homeland security. The same amount is expected to be spent again this year.

Because the worm exploited an old flaw, security experts directed only moderate criticism at Microsoft, choosing instead to focus on administrators who have failed to patch their software.

"I don't think people can really hold Microsoft at fault for this worm," said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security, one of the first groups to release an analysis of the worm. While Microsoft did release flawed software, they fixed that flaw many months ago, he said. "Customers have been able to protect themselves," he stressed.

For a variety of reasons, however, companies running Microsoft SQL (pronounced "sequel") servers didn't apply the patches. Moreover, the affected companies had vulnerable servers that were accessible from the Internet, a disaster waiting to happen.

"Some administrators might be at fault, but then some corporate managers might be at fault for understaffing, under-budgeting, and under-empowering their IT staff to be able to handle the security of their network," Maiffret added.
