The worm, also known as W32.SQLExp.Worm and DDOS.SQLP1434.A, exploited faults in Microsoft Corp’s SQL Server 2000 and Microsoft Desktop Engine 2000 products, causing delays in web traffic, disrupting bank teller machines, and bringing some service providers to a standstill.

Although the Slammer worm did not cause any lasting damage – it merely generated a large amount of traffic by continuously sending 376 bytes of code across port 1434/UDP until the SQL Server process was shut down – it could serve as a proof of concept for more malicious worm writers.
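The single-datagram behaviour described above (one 376-byte UDP payload to port 1434, repeated against many addresses) is what a network defender can look for in flow logs. The following detection script is an added example, not code from the article or from Microsoft; the flow records, the one-second window and the three-target threshold are constructed assumptions for the demo.

```python
from collections import deque

SLAMMER_PORT = 1434   # SQL Server Resolution Service listens here on UDP
SLAMMER_LEN = 376     # datagram payload size the article attributes to the worm

# Constructed flow records for this demo (not taken from the article):
# epoch_seconds src_ip dst_ip proto dst_port payload_bytes
SAMPLE_FLOWS = """\
1043657400.00 10.0.0.5 198.51.100.7 UDP 1434 376
1043657400.05 10.0.0.5 203.0.113.9 UDP 1434 376
1043657400.09 10.0.0.5 192.0.2.44 UDP 1434 376
1043657400.12 10.0.0.5 198.51.100.80 UDP 1434 376
1043657400.20 10.0.0.5 192.0.2.3 UDP 1434 376
1043657401.00 10.0.0.8 192.0.2.10 UDP 1434 64
1043657402.00 10.0.0.9 192.0.2.10 TCP 1433 512
1043657403.00 10.0.0.8 192.0.2.10 UDP 1434 376
"""

def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict."""
    ts, src, dst, proto, dport, size = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(size)}

def is_slammer_shaped(flow):
    """One 376-byte UDP datagram to 1434 is the worm's whole transfer."""
    return (flow["proto"] == "UDP" and flow["dport"] == SLAMMER_PORT
            and flow["bytes"] == SLAMMER_LEN)

def find_scanning_sources(text, window=1.0, min_targets=3):
    """Map each source to the most distinct 1434/UDP targets it hit with
    worm-shaped datagrams inside any `window` seconds, keeping only sources
    that reach `min_targets`: fan-out to many hosts is the worm's scanning
    pattern, while a client resolving one instance touches one host."""
    per_src = {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if is_slammer_shaped(flow):
            per_src.setdefault(flow["src"], []).append((flow["ts"], flow["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()   # sliding window of (ts, dst) within `window` seconds
        best = 0
        for ts, dst in events:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            best = max(best, len({d for _, d in recent}))
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

Run against the sample, only 10.0.0.5 is reported (five distinct targets in 0.2 s); the single 376-byte datagram from 10.0.0.8 and the 64-byte resolution query stay below the fan-out threshold.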

More than anything, the worm highlights the requirement for enterprises to implement patches for known problems. The vulnerabilities in Microsoft’s products that enabled the Slammer worm to spread so quickly were identified as critical by Microsoft in July and October 2002, and patches were made available.

Microsoft’s UK chief security officer, Stuart Okin, said the delay in some users deploying the patches was due to their own assessment of the associated risk. “It’s always very easy for a supplier to say ‘just deploy the patch’, but there are a lot of stages in risk assessment, in this case including application testing, that users have to go through,” he said. “When you bring out a security patch, that will more often than not reduce functionality, and for an enterprise user, they will have to go through this risk assessment and make a call based on that.”

Okin said that many users may have been waiting for the recent release of SQL Server Service Pack 3, which also fixed the problems, but encouraged users to respond to the threat now that the vulnerability had been exploited. “This worm did not cause a lot of damage,” he said, “but we don’t know what’s going to come out subsequently.”

Okin also said that Microsoft is currently putting together a program that would enable it to deliver patches for its products in a consistent manner. While operating system patches are delivered to users via its Software Update Services, Office patches can be downloaded from Microsoft’s Office web site, and patches for SQL Server are only available from the Microsoft TechNet site.

“We are putting a program in place for patch management, trying to reduce the amount of installers and have consistency in how we deliver patches irrespective of if it’s Office, Windows, SQL Server, or whatever,” Okin said.

Information on how to secure SQL Server against the Slammer virus is available from: http://www.microsoft.com/security/slammer.asp, as well as various anti-virus sites.

Source: Computerwire