Microsoft Hustles to Disinfect SQL Server

By Lisa Vaas  |  Posted 2003-02-17 Print this article Print

Updates tools that help users determine if they're vulnerable to SQL slammer.

Microsoft Corp. continues to scramble to plug vulnerabilities in its SQL Server database that were exploited by the SQL Slammer worm last month.

The company early this month released new versions of tools designed to help SQL Server users figure out whether they are at risk. In addition, the company planned to put out a third version of the tools as early as late last week.

The three tools, which are available on Microsofts Web site, are: SQL Scan, SQL Check and SQL Critical Update. The first tool scans individual computers, Windows domains or IP address ranges for instances of SQL Server 2000 and MSDE (Microsoft Desktop Engine) 2000, identifying instances that may be vulnerable to Slammer. SQL Scan runs on Windows NT 4.0, Windows 2000 or Windows XP.

SQL Check also scans computers for instances of SQL Server 2000 and MSDE 2000, stopping and disabling SQL Server and SQL Agent services, but on Windows 98 and Windows ME, it does not stop vulnerable instances. SQL Critical Update scans computers for vulnerable instances and automatically updates affected files. It doesnt run on Windows 95, Windows 98 or Windows ME.

The most important upgrade to all three tools is that interfaces will give users a clearer idea of whats going on, according to SQL Server Product Manager Sheryl Tullis. With the earlier version, it was "a little difficult" to tell when the patch was done installing, Tullis said.

In addition, Microsoft clarified error message language so that users will have less confusing instructions to follow, said Tullis, in Redmond, Wash. Microsoft also plans to address Windows 98 and ME in Versions 2 and 3 of the tools.

Version 3 was to be geared to small-business users and those who have MSDE on their systems but arent database administrators and therefore dont know how to install patches, Tullis said.

This attempt to address the laborious installation process of SQL Server patches is the latest of a few similar moves for Microsoft, which addressed the problem by releasing an automatic installation version of the patch the weekend in January when Slammer first struck. Version 3 of the tools will have an interface customized for non-DBAs lack of experience with patch installation, Tullis said.

Users of the tools first versions said they welcome Microsofts tweaking of the interfaces.

"It will help us, definitely," said Don Medal, network engineer at the University of Minnesota at Crookstons Computing Services department. "Any improvements there would be helpful. I wouldnt say [the tools first versions] were done with the interface getting a high priority."

Microsoft last July issued a patch for the vulnerabilities Slammer exploited. It rolled up that patch in SQL Server 2000 Service Pack 3, which was released days before Slammer struck.

Because of the original patchs installation difficulties, many time-strapped DBAs didnt bother with it. The primary reason that Medals staff didnt load the patch was the laborious installation, he said. "My sense is that its only with Service Pack 3 that it became easy to install," Medal said.

Microsoft has long-term plans to address Slammer. They include rereleasing SQL Server 2000 packaged with Service Pack 3 already installed.

"We dont want any confusion about where we want customers to be—current users or future users," Tullis said. "Anybody who buys SQL Server 2000 will have SP3 right out of the box."

It will take "several months" before the duo are packaged, Tullis said.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel