Microsoft slammed by its own vulnerability

Microsoft fell victim to a vulnerability in one of its own products last weekend, when the W32.Slammer worm infested host...

Microsoft fell victim to a vulnerability in one of its own products last weekend, when the W32.Slammer worm infested host machines and flooded its network.

A company spokesman said the Slammer worm penetrated Microsoft's network defences and infected a number of SQL Server databases and desktop machines.

Most of the vulnerable machines were in the company's Redmond campus and concentrated in an area of Microsoft's network used by SQL Server developers.

In some cases, the vulnerable machines were purposely left unpatched to try to recreate specific environments for testing purposes, the spokesman said. A "high percentage" of the SQL Server hosts used by customers were properly patched and unaffected by Slammer.

Slammer temporarily interrupted Microsoft's Windows XP activation service, which was not vulnerable. Instead, a flood of Slammer-related traffic brought down the service from hosts on the same subnet.

"It's not surprising when you consider that most people working at Microsoft are [software] developers and that a lot of development software installs MSDE [Microsoft SQL Desktop Engine]," said David Litchfield, managing director of Next Generation Security Software and the person who discovered the SQL Server vulnerability exploited by Slammer.

Microsoft confirmed that infections linked to the MSDE component were a part of the company's problem, but declined to say how many servers and desktops were affected or how much of the problem stemmed from desktops with MSDE installed.

Many have taken Microsoft's inability to patch SQL Servers on its own network properly as proof that the exisiting system of releasing software patches is flawed.

"We struggle with the same problems as the rest of the industry," the spokesman said. "Individuals make patch management decisions for reasons of their own. Sometimes it's a time management issue and sometimes it's oversight - particular developers not doing what they needed to do."

In light of the Slammer outbreak, Microsoft will be re-evaluating its internal patch management policies. Part of its Trustworthy Computing initiative will also set to cover streamlining the patch management process.

Changes in the existing system for deploying software patches could introduce as many problems as they solve.

"If I'm running an emergency system, I don't want my computer calling Microsoft and downloading a patch that breaks something. That could end up killing people," Litchfield said.

For the foreseeable future, everyone - including Microsoft - will have to get by with the system of manually downloading, testing and installing software patches.

Read more on Business applications