SQL Slammer lesson: A Computer Weekly Downtime Upload podcast

On January 25^th 2003, the Slammer worm exploited a vulnerability in SQL Server 2000, to execute a buffer overflow attack, affecting customers of Microsoft’s relational database management system.

What is interesting about the so-called SQL Slammer attack, is that the vulnerability in SQL Server had been publicly disclosed at the Black Hat 2022 conference by Next Generation Security Software’s co-founder, David Litchfield, who discussed how SQL Server could be made to crash by sending a single byte of data to the open UDP port 1434. It is something that raised alarm bells at Microsoft in how it should respond to security incidents.

Tom Gallagher is head of the Microsoft Security Response Center (MSRC), which is responsible for issuing all security updates, including Patch Tuesday updates and CVEs (common vulnerability expose). He says: “One of the things that came out of SQL Slammer is rethinking about publishing exploit code.” When is the appropriate time and to what level of detail that should be provided? Today, as Gallagher notes, there is industry-wide adoption of coordinated vulnerability disclosure (CVD). “This allows security researchers to report the security issue privately to the software vendor who then works urgently to fix that issue, and together they disclose the issue to the public.” 

“Transparency has always been a really important thing to me personally, and certainly it’s a big deal to Microsoft and our customers,” he says.

Patching needs to be done in a timely manner to avoid systems being exposed once a vulnerability has been disclosed publically. Any delay offers cybercrimals a easy entry point to target cyberattacks. Gallagher says that Microsoft has focused on driving the right level of urgency to get patches out quickly. “It’s also really important that we provide actionable information to customers,” he says. To help, Microsoft provides a security update guide, which he says, enables Microsoft customers to understand the risks in their environment that the patches resolve. The guide helps organisations to prioritise patching so that they can run compatibility test, where needed, to check if a patch has an adverse effect on production IT systems.

However, Gallagher says: “Our goal is to ship really high-quality patches so that people have trust in the updates that they’re installing. Microsoft spends a lot of energy not just fixing the security issue but making sure that the functional aspects of that update continue to operate as expected so that customers don’t have incompatibility concerns.”

He says Microsoft also collaborates with companies like Adobe, which has aligned its patch update schedules with Microsoft's Patch Tuesday. According to Gallagher, this alignment helps customers plan and manage updates more effectively. He believes there is an opportunity for other major Windows software providers to coordinate patching in a similar way, “There are some other folks in the industry like Adobe who have aligned to that Patch Tuesday update cadence." This enables what Gallagher calls “predictable update cadence”. “From a customer standpoint, you can think and plan about installing security updates on that second Tuesday of the month,” he adds.

But, as Gallagher, points out, managing IT security risks is an on-going effort involving collaboration across the IT security industry. “We often publish some mitigating steps that you can take before you install an update. We also provide detection in Microsoft Defender and partner with major IT security companies so that they’re able to detect and prevent some of these exploits even if you have not yet patched your machine,” he adds.