Just a week after Microsoft celebrated the 1-year anniversary of its Trustworthy Computing initiative, one of the most virulent computer worms of all time hit the company. The so-called SQL Slammer worm, which is credited with bringing vast portions of the Internet to its knees over the weekend, targets a known Microsoft SQL Server 2000 security vulnerability that the company first fixed last summer. Although administrators might have been lax in applying the fixes, various groups are now complaining that Microsoft's fixes were difficult to install--so difficult, in fact, that the company didn't patch many of its own servers, which the worm subsequently infected.
"We, like the rest of the industry, struggle to get 100 percent compliance with our patch management," said Microsoft spokesperson Rick Miller, who acknowledged that the worm affected many of the company's servers, including much of the MSN infrastructure, which was widely unavailable over the weekend. "We recognize--now more than ever--that this is something we need to work on. And, like the rest of the industry, we're working to fix it."
Ironically, in a letter to customers last week, Microsoft Chairman and Chief Software Architect Bill Gates discussed Trustworthy Computing and the progress his company has made during the past year. He ended the letter with a list of things customers can do to help, and the first item was "stay up-to-date on patches." That advice is fairly obvious and something the company might take to heart itself.
Since SQL Slammer hit, however, Microsoft has made it easier to patch SQL Server by using a standard executable update that doesn't require administrators to copy files manually, as earlier patches did. You can find the new SQL Slammer patch on Microsoft's Web site, or you can simply install SQL Server 2000 Service Pack 3 (SP3), which also patches the vulnerability.