Microsoft warns of Slammer morphs

Future versions of Slammer may get you if you don't update, says Microsoft, chastened by its own failure to keep all SQL Server patches up to date

Microsoft suffered, along with its users, in this week's Slammer worm outbreak because it has a loose desktop security policy, a Microsoft security officer admitted. He also warned that Slammer variants could attack in future.

"Morphs of Slammer could cause more problems," said Stuart Okin, Microsoft UK's chief security officer. "Slammer had no payload, so there was no clean-up required. Systems could be switched off and on again. It was just a denial-of-service attack." Such variants would not get past a patch that fixes the underlying vulnerability, but they could infect systems that have only a Slammer-specific block in place.

The company suffered an outbreak of the Slammer worm, which affects SQL Server, even though a patch existed that would have prevented it. In a conference call with users later on Friday, Microsoft will explain the lessons it has learnt from the attack, and what it, and users, should do to minimise future outbreaks.

"You can't blame users for not keeping security patches up to date," said Okin. "Updates involve database and systems administrators and have to be programmed in."

Microsoft suffered no problems in its service to customers, said Okin, because public servers were all patched up to date. However, its internal networks were swamped with traffic, because many employees run their own servers, and many were vulnerable to Slammer. Because Microsoft staff have a high level of expertise in the company's products, the problem was quickly fixed, said Okin.

"We have a loose desktop security policy," said Okin, explaining that this allows Microsoft staff the flexibility to help users at different stages. "We also have a good user base so we can recover quickly from such problems."

Companies that do not need that flexibility would do well to apply a more stringent desktop policy, he suggested. "We really encourage users to go to (SQL Server) Service Pack 3," he said. "This fixes all known vulnerabilities."

Microsoft currently has too many approaches to patch management -- the process of updating all systems on a network to the same level -- but this must be simplified, said Okin. Currently, applications are patched through a different process to operating systems. XP users have an automatic update feature, which has a business version called Software Update Services, and Microsoft's management products include other patch management methods.

"We will consolidate the process to make sure it is consistent -- for instance having all the command line switches the same for installation," said Charney. Microsoft issued a SQL Server patch last year that could actually open the Slammer hole if installed in the wrong way.

Many customers with service contracts raised the issue of Slammer with Microsoft, said Okin, and all major customers had a call from technical account managers. "Everyone else had free support from the helpline," he said.

This is the last item in a week of responses from Microsoft. On Saturday evening, the day of the Slammer outbreak, Microsoft issued advice on how to fix the vulnerability. On Tuesday, it issued a tool to examine servers and see if they are vulnerable. On Wednesday, the company issued a "band-aid" for customers still on Service Pack 1.

"The band-aid is specific to Slammer, and should be only a stop-gap," said Okin. Although Service Pack 2 has been out for a year, many users have not updated to it yet, and installing two service packs will require a lot of testing and work by IT departments, he said. Customers on Service Pack 1 should install the band-aid first, and move to newer versions as soon as possible, he said.
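The vulnerability-checking tool and the service-pack advice above both come down to one question per server: which SQL Server 2000 build is each instance running, and is it at or above Service Pack 3? The following script is an added example, not the tool Microsoft issued and not Microsoft's code. It parses the reply that SQL Server 2000's resolution service sends back when it receives a one-byte ping (0x02) on UDP port 1434, the same listener Slammer hit, and maps each instance's build number to a service pack. The host name, instance names and the reply bytes in `SAMPLE_RESPONSE` are constructed for the example; the build numbers (8.00.194 RTM, 8.00.384 SP1, 8.00.534 SP2, 8.00.760 SP3) are SQL Server 2000's published service-pack builds. The reply layout (0x05, a little-endian 16-bit length, then a semicolon-separated key/value list with each instance ended by ";;") follows the documented resolution-service response format.

```python
"""Classify SQL Server 2000 instances by service pack from a resolution-service reply.

Added example, not Microsoft's scanning tool.  The resolution service answers a
single 0x02 byte sent to UDP 1434 with 0x05, a 2-byte little-endian length, and
a ';'-separated key/value list; each instance is terminated by ';;'.
"""
import socket
from typing import Dict, List, Optional, Tuple

# Service-pack base builds of SQL Server 2000 (version 8.0), lowest first.
SQL2000_BUILDS = [
    (194, "RTM"),
    (384, "SP1"),
    (534, "SP2"),
    (760, "SP3"),
]

# Constructed sample reply (two instances on one host), not captured from a real server.
_SAMPLE_PAYLOAD = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.534;tcp;1433;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;8.00.760;tcp;1500;;"
)
SAMPLE_RESPONSE = b"\x05" + len(_SAMPLE_PAYLOAD).to_bytes(2, "little") + _SAMPLE_PAYLOAD


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Split a resolution-service reply into one key/value dict per instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not a SQL Server resolution-service response")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size].decode("ascii", "replace").rstrip("\x00")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # Fields alternate key, value: ServerName;X;InstanceName;Y;...;Version;8.00.NNN;tcp;PORT
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def service_pack_level(version: str) -> Optional[str]:
    """Map an 8.00.NNN build to the highest service-pack base build it is at or above.

    Returns None for anything that is not SQL Server 2000.  A hotfix build that
    sits between two service packs is reported as the lower service pack, so a
    result below SP3 means "look closer", not "definitely unpatched".
    """
    parts = version.split(".")
    if len(parts) != 3 or parts[0] != "8" or not parts[2].isdigit():
        return None
    build = int(parts[2])
    level = None
    for base, name in SQL2000_BUILDS:
        if build >= base:
            level = name
    return level


def assess(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (instance name, version, verdict) for each instance in a reply."""
    results = []
    for inst in parse_ssrp_response(data):
        version = inst.get("Version", "")
        level = service_pack_level(version)
        if level is None:
            verdict = "not SQL Server 2000, check separately"
        elif level == "SP3":
            verdict = "at SP3 or later"
        else:
            verdict = f"at {level}: move to SP3, a Slammer-only stop-gap at most until then"
        results.append((inst.get("InstanceName", "?"), version, verdict))
    return results


def probe(host: str, timeout: float = 2.0) -> bytes:
    """Send the one-byte ping to UDP 1434 and return the raw reply (live check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x02", (host, 1434))
        return sock.recv(4096)


if __name__ == "__main__":
    # Offline run against the constructed reply; swap in probe("dbhost") for a live one.
    for name, version, verdict in assess(SAMPLE_RESPONSE):
        print(f"{name:12} {version:10} {verdict}")
```

Two caveats for a live run. A server that does not answer the ping may be patched, may have the resolution service stopped, or may simply be behind a filter on UDP 1434, so silence is not evidence of safety. And the build number reports the service pack, not every hotfix: an SP1 server carrying the Slammer-specific "band-aid" still reports an SP1-range build, which is exactly why the article treats that fix as a stop-gap and Service Pack 3 as the target.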

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
