"Morphs of Slammer could cause more problems," said Stuart Okin, Microsoft UK's chief security officer. "Slammer had no payload, so there was no clean-up required. Systems could be switched off and on again. It was just a denial-of-service attack." These variants will not get past patches that fix the underlying vulnerability, but they could infect systems that have specifically block Slammer.
The company suffered an outbreak of the Slammer worm which affects SQL Server, even though a patch existed that could prevent the virus.
"You can't blame users for not keeping security patches up do date," said Okin. "Updates involve database and systems administrators and have to be programmed in."
Microsoft suffered no problems in its service to customers, said Okin, because public servers were all patched up to date. However, its internal networks were swamped with traffic, because many employees run their own servers, and many were vulnerable to Slammer. Because Microsoft staff have a high level of expertise in the company's products, the problem was quickly fixed, said Okin.
"We have a loose desktop security policy," said Okin, explaining that this allows Microsoft staff the flexibility to help users at different stages. "We also have a good user base so we can recover quickly from such problems."
Companies that do not need that flexibility would do well to apply a more stringent desktop policy, he suggested. "We really encourage users to go to (SQL Server) Service Pack 3," he said. "This fixes all known vulnerabilities."
Microsoft currently has too many approaches to patch management -- the process of updating all systems on a network to the same level -- but this must be simplified, said Okin. Currently, applications are patched through a different process to operating systems. XP users have an automatic update feature, which has a business version called Software Update Services, and Microsoft's management products include other patch management methods.
"We will consolidate the process to make sure it is consistent -- for instance having all the command line switches the same for installation," said Charney. Microsoft issued a SQL Server patch last year that could actually open the Slammer hole if installed in the wrong way.
Many customers with service contracts raised the issue of Slammer with Microsoft, said Okin, and all major customers had a call from technical account managers. "Everyone else had free support from the helpline," he said.
That was the last item in a week of responses from Microsoft. On the day of the Slammer outbreak, Microsoft issued advice on how to fix the vulnerability. On Tuesday, it issued a tool to examine servers and see if they are vulnerable. On Wednesday, the comany issued a "band-aid" for customers still on Service Pack 1.
"The band-aid is specific to Slammer, and should be only a stop-gap," said Okin. Although Service Pack 2 has been out for a year, many users have not updated to it yet, and installing two service packs will require a lot of testing and work by IT departments, he said. Customers on Service Pack 1 should install the band-aid first, and move to newer versions as soon as possible, he said.
