Damming the Database Holes

Eight months after the SQL Slammer worm threw SQL Server database administrators into a tizzy, Microsoft Corp. is committing itself to providing semiautomatic updates that will patch holes in the enterprise database.

The Redmond, Wash., company began working on automatic patching immediately after Slammer struck in late January, according to SQL Server Group Product Manager Tom Rizzo. By exploiting known holes in the database for which patches were available, the worm brought the Internet to its knees as it generated billions of attacks on SQL Server installations.

Microsoft was criticized at the time for making installations of SQL Server patches too difficult or timeconsuming. The effort to smooth out the patching process is ongoing, with no end date in sight, Rizzo said.

Under consideration is an agent that will act in a similar manner to that of the bubble that pops up in Windows systems to alert users when updates are available. This agent contains links to a site that lists available patches for specific systems and gives users the opportunity to choose which patches they want to install.

If Microsoft decides to integrate such an agent, it would be available in the upcoming update of SQL Server, code-named Yukon. It would also work with SQL Server 2000 and possibly with SQL Server 7.0, Rizzo said.

The agent is not a guaranteed fix, Rizzo pointed out. Because SQL Server is a server as opposed to a desktop client, there might not always be a user sitting in front of a monitor. “There may be no one logged in to see that little window pop up in a lights-out environment,” he said.

/zimages/1/26680.gifRead about the latestSQL Server worm.

The need for Microsoft to help users with patch management was reinforced by the Blaster worm last month that exploited Windows holes for which patches existed. Recently reported SQL Server worms such as Voyager Alpha Force also lie in wait to trip up those who dont follow best security practices.

User reaction to Microsofts automatic update efforts is mixed. Steve Foote, a consultant with Enswers Inc., in Cambridge, Mass., said users could flood Microsoft Web sites by updating en masse, and the service could be spoofed. “With security patches, you want a level of authentication between the agent doing the work and the site doing the downloading,” Foote said. “You dont want anybody spoofing the URL to get you to pick up bogus patches.”

The arguments didnt hold water with all users. Aaron Lipman, chief technology officer for Entertainment Earth Inc., in North Hollywood, Calif., said users dont all open their e-mail at the same time and wouldnt click on “update” at the same time, either. “In general, its a good idea,” Lipman said, given the fact that DBAs have to be far more proactive in staying up-to-date with SQL Server than with Windows.

Discuss this in the eWeek forum.

/zimages/1/26680.gif