Slammer Worm – Q&A – 27/01/03

running SQL Server 2000 Evaluation Editions should be kept in a test environment separate from network access.

A. SQL Server 2000 Evaluation Editions are intended for short-term testing and should not be used in production environments. For this reason, the Evaluation Editions do not support security patches and service packs. Any computers running SQL Server 2000 Evaluation Editions should be kept in a test environment separate from network access.

Q: Why were you not patched?
A: In some circumstances it is because developers and testers are purposely not patching systems so we can test various customer configurations and replicate their experiences for testing purposes. But otherwise, we struggle with the same issues as the rest of the industry. Individuals make patch deployment decisions based on a variety of reasons such as time management and oversight. As part of our TWC initiative we have committed to simplifying and streaming the patch management process because at the end of the day we need to make it easier to reach 100% patching.

Q: How can MSFT expect its customers to heed your advice on implementing critical security fixes & updates when MSFT’s own IT group ignores the same advice?
A. To begin, we had a very high percentage of operation systems that were patched. But like the rest of the industry we struggle to reach 100%. However incidents show the importance of having a very good patch management system and process. But at the end of the day, it is still critical that systems are patched.

Q: What happened?
A: At approximately 9:30 PM PST Friday January 24th, Microsoft became aware of an Internet attack causing a dramatic increase in network traffic worldwide. Microsoft immediately began investigating the issue and learned of a virus targeting SQL Server™ 2000 and MSDE 2000 machines not updated with the most current security patches.

Q. How serious is it?
A. This virus does not appear to attack the data of infected systems, but has had a wide impact on performance and availability. Typical home users’ machines, however, are not affected. We are working around the clock to ensure our affected customers are protected.

Q. What is the slammer worm?
A. The “Slammer” worm is an Internet worm targeting un-patched SQL Server 2000 and MSDE 2000 systems resulting in a high volume of network traffic on both the Internet and private internal networks.

Q. Yesterday you put up a statement saying you first heard about this at 12:30 a.m. and the changed it to 9:30 p.m. What happened?
A. It was a miscommunication internally. We meant to say 12:30 EST. We updated this today in order to be factually accurate.

Q. I hear that Microsoft’s network is experiencing significant delays. Is this a result of the worm? What happened?
A. Outside of our data system we have a lot of people testing different things including products and development. As a result, we did have several cases of machines that had not been updated. We are working diligently to update our network as well as assist our customers with any issues they’re facing.

Q . Which systems are impacted?
A. Microsoft SQL Server 2000 and MSDE 2000.

Q. What is MSDE 2000?
A. MSDE 2000 is a database engine that is included with several products from Microsoft and third parties. In most cases MSDE is offered as an alternative for customers who use these applications in situations that do not require the scale of SQL Server 2000. MSDE 2000 is not necessarily installed by default.

The following Microsoft products include MSDE but do not install it by default:

· Access 2002

· ASP.NET Web Matrix Tool

· MSDN® Universal and Enterprise subscriptions

· Office XP Developer

· SQL Server 2000 (Developer, Standard, and Enterprise Editions)

· Visual FoxPro® 7.0/8.0

· Visual Studio® .NET (Architect, Developer, and Professional Editions)

The following products include MSDE and install it by default:

· Application Center 2000

· Biztalk Server 2002 Partner Edition

· Host Integration Server 2000

· Network Appliance Group

· Project Server 2002 and 2003

· Retail Management System 1.0 and 1.1

· Small Business Manager 6.2 and 6.3

· Stress Tools v. 1.2

· Visio 2000 Enterprise Edition

· Visio Enterprise Network Tools (VENT)

· Windows XP Embedded Build Tool

It is important that customers who use products that include MSDE 2000 check to see if they have MSDE installed, and in the case that they do, to verify that their installation has been updated with the latest service pack and security bulletin to eliminate the vulnerability exploited by that Slammer worm. Instructions for checking for MSDE 2000 are at TechNet.

Q: What should impacted customers/users do?
A. We strongly encourage SQL Server 2000 and MSDE 2000 customers who have systems that have not been updated to immediately install the latest patch (MS02-061) or SP 3 to correct this vulnerability. Customers that have any ongoing issues should visit http://www.microsoft.com/security, contact the Microsoft Anti-Virus hot line at 1-866-PCSAFETY, Microsoft product support or your anti-virus vendor. Microsoft’s support for virus-related issues is, of course, always free. Methods for contacting support can be found at http://www.support.microsoft.com.