Slammer: To patch or not to patch?

The Slammer worm, which exploits a flaw in Microsoft's popular SQL Server database, caused a massive slowdown in Internet traffic during the weekend, according to monitoring firm Keynote Systems.

The Keynote Business-40 Index, which measures access to 40 major US websites from around the world, found that at the height of the worm's impact, the sites monitored were, on average, running at half speed.

Slammer could have been stopped in its tracks either by configuring firewalls to prevent access to the database or by updating SQL Server with the appropriate Microsoft patch.

Niall Mansfield, author of the authoritative book Practical TCP/IP, said, "In a properly configured firewall, network traffic should be barred unless there is an explicit rule."

Such a setup is called the "default deny" rule and it could have prevented the Slammer denial-of-service attack.

Mansfield said this does not happen because some firewalls are so complex that administrators are unable to see what is going on.
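The difference Mansfield describes can be checked mechanically. The following is an added example, not taken from the article or from his book: a small first-match rule evaluator that reports which rule (or the default policy) decides the fate of a packet. The ruleset, the addresses (documentation ranges) and the probe are constructed, and the port numbers (TCP 1433 and UDP 1434, used by SQL Server) are not stated in the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_net: str              # destination network in CIDR form
    dst_port: Optional[int]   # None matches every port
    note: str


def matches(rule, proto, dst_ip, dst_port):
    """True when the packet falls inside every field of the rule."""
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.dst_port in (None, dst_port))


def decide(rules, default, proto, dst_ip, dst_port):
    """First matching rule wins; with no match the default policy applies.
    Returns (action, reason) so the deciding rule is visible."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, proto, dst_ip, dst_port):
            return rule.action, f"rule {number}: {rule.note}"
    return default, "default policy"


# Constructed ruleset: the administrator blocked the SQL Server TCP
# listener explicitly but wrote no rule at all for UDP 1434.
RULES = [
    Rule("allow", "tcp", "192.0.2.10/32", 443, "public web server"),
    Rule("allow", "tcp", "192.0.2.10/32", 80, "public web server"),
    Rule("deny", "tcp", "192.0.2.0/24", 1433, "SQL Server TCP listener"),
]
# Constructed probe: inbound UDP datagram to a database host on port 1434.
PROBE = ("udp", "192.0.2.20", 1434)


def compare(rules, probe):
    """Evaluate the same probe under both default policies."""
    return {default: decide(rules, default, *probe)
            for default in ("allow", "deny")}


if __name__ == "__main__":
    for default, (action, reason) in compare(RULES, PROBE).items():
        print(f"default={default:5} -> {action:5} ({reason})")
```

With an identical rule list, the unanticipated datagram passes under a default-allow policy and is dropped under default deny; the reason string shows that no explicit rule was involved in either case.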

A security patch has been available from Microsoft since July 2002 but many users have not installed it.

Microsoft chairman Bill Gates last week told users one of the keys to computer security was to "Stay up to date on patches".

In the immediate aftermath of the Slammer attack some experts echoed Gates and criticised system administrators for not applying patches when they were available.

One system administrator, quoted on the popular NTBugTraq security site, said, "This patch was very different from what administrators are used to dealing with. Microsoft veered significantly from its normal patch methodology."

"When you ask administrators to risk manually patching a machine or wait a few months until the next Service Pack, many administrators will wait."

Tony Lock, senior analyst at Bloor Research, explained some of this reluctance to apply patches immediately.

Patching SQL Server is difficult and users need to allocate time to test the patch, he said. Finding a time slot when the database was not being used could prove extremely difficult.

"In a production environment there is not often a window of opportunity to update a patch."
