As you're probably aware, a massive worm attack using Microsoft's SQL
Server 2000 surfaced over the weekend. It's a nasty worm; reports on
various lists claim packet loss on NAPs (network access points)
reaching 90 percent. Those of you who don't manage Microsoft SQL
servers but were hit by this worm should be annoyed at your colleagues
who didn't stay on top of patches or properly manage and maintain your
company's servers.
Certainly, a lot of Microsoft bashing is going on. But you know what?
You really have to stop blaming Microsoft for every little ill that
comes your way. Take some responsibility. Of course, this
was--another--problem with a Microsoft product, but a patch has been available
since June 24, 2002. That's what, almost seven months. Say it with me
now, s-e-v-e-n long months.
Now, it seems to me that Next
Generation Security Software Ltd., which discovered this
vulnerability, took the correct, responsible disclosure route: The
company's researchers found a problem, notified Microsoft, worked with
the developers in Redmond to solve the problem and then announced its
findings. I don't think exploit code was even in the wild, so you can't
blame this attack on script kiddies.
The fault for this weekend's debacle falls at the feet of the person in
your organization who manages your SQL servers. The only people who are
blameless are those who tried to install the patch and found that it
broke some critical functionality. These people rightfully--for obvious
business reasons--could not install it. Otherwise, you don't have a leg
to stand on. It's just irresponsible. Period. No excuses.