Slammer may not feed on Microsoft alone

Other companies' products that use the flawed Microsoft database software could have amplified the SQL worm's impact, say researchers.

Robert Lemos Staff Writer, CNET News.com
Microsoft products may not be alone in contributing to the spread of the SQL Slammer worm, security researchers said Wednesday.

Other companies also make products containing the Microsoft database software that the worm has exploited. More than 30 products, from security scanners to backup servers, use the vulnerable Microsoft SQL Server 2000 and Microsoft SQL Desktop Edition (MSDE) 2000 software, according to a list compiled by database security site SQLSecurity.com.

"In most cases, it is probably a reduced danger," said Chip Andrews, an independent security consultant and the Webmaster for SQLSecurity.com. "If you have MSDE installed on an application, it's powerful. So you have to make sure to secure it."

Last weekend, many corporate networks slowed to a crawl after a fast-spreading computer worm infected database servers running vulnerable Microsoft software. Although the Redmond, Wash.-based company had issued a patch for the flaw six months earlier, more than 200,000 computers and information appliances were still not patched at the time of the attack and became infected, according to the latest estimates from security information site Incidents.org.

The compromised machines inundated local networks and the Internet with vast quantities of data, in an attempt to infect other systems. The deluge brought down banks' ATM networks and disrupted some phone services, and the effects were felt by many companies, including those in the airline and railroad industries.

Microsoft said that only SQL Server 2000 and MSDE 2000--including the retail, service pack 1 and service pack 2 versions--are affected by the Slammer worm. It released a list of products that included MSDE 2000 by default or by explicit instruction at the time of installation.

Other companies whose products use MSDE 2000 as a software component have, for the most part, been mum. While the individual products on the SQLSecurity.com list haven't been positively identified as vulnerable, some companies have acknowledged the security risk.

Storage server maker Veritas Software is included on the list. It told its customers earlier this week that its Backup Exec 9.0 for Windows Servers and ExecView 3.1 servers "may be susceptible to infection" by the worm.

Other companies said that their products included the Microsoft software in question, but that they had taken precautions to lock down the applications. For example, software company Internet Security Systems said that although both its RealSecure 7.0 and Internet Scanner included MSDE 2000, the products were configured to minimize any risk.

"Yes, we have MSDE, but it's not vulnerable," said Peter Allor, manager of the company's threat intelligence services.

That the security of most of the products on the list remains in question has left security researchers uncomfortable. Chris Wysopal, director of research and development for digital security firm @Stake, said that the lack of details from companies regarding their products' security was not reassuring.

"If there is no vulnerability, you don't say anything--that's fine," he said. "But if there is even a small vulnerability, you should advise your customers and fix it."