Following the virus and worm devastation wrought by Blaster and SoBig this past week, Microsoft Corp. on Friday admitted that it has finally bitten the bullet and committed to automatic security patch updates for its SQL Server database.
Work on automatic security patching began immediately after Slammer struck in late January, bringing the Internet to its knees as it generated billions of attacks on SQL Server installations, Group Product Manager Tom Rizzo told eWEEK. Work on the automatic security patching is ongoing, with no end date yet in sight, he said.
Under consideration is an agent that will act in a similar manner to that of the bubble that pops up in Windows XP systems to alert users when updates are available. This agent contains links to a site that lists available patches for given systems. The site gives users the opportunity to pick and choose which patches they want to install at a given time.
If Microsoft decides to integrate an agent, it would be available in the upcoming update of SQL Server 2000, code-named Yukon. It would also work with SQL Server 2000 and possibly with SQL Server 7.0, Rizzo said.
The reason the agent is not a sure thing is because SQL Server is a server as opposed to a desktop client. This means that a user sitting in front of a monitor isnt a given, Rizzo pointed out. “There may be no one logged in to see that little window pop up, in a lights-out environment,” he said.
If Microsoft decides against installing an automatic update agent in SQL Server, it will still create a Windows update site and alert users to necessary patches via e-mail blasts.
The automatic update features are only one action Microsoft is taking in response to customer requests for more help with patch management following Slammer. “After Slammer hit our customer base, we wanted to make sure they were protected in a richer way,” said Rizzo, in Redmond, Wash. “We talked to all our major customers and said Hey, what can we do better to protect you in the future? We had the patch beforehand, and we want to know why you didnt deploy it. How can we help you with patch management?”
Resoundingly, customers responded that they wanted to be pointed to a Windows update site, Rizzo said. Still, some users think automatic updating is a terrible idea. Thats because, although users arent forced to install the patches by Microsofts planned feature updates—theyre merely informed that patches are available and can install them if they so choose—administrators fear that users would, lemming-like, click to install the patches en masse when they see theyre available.
Steve Foote, a consultant at Enswers Inc., in Cambridge, Mass., said that both bandwidth and authentication concerns would make him question the practice. “The concept opens up a can of worms,” he said. “You want to make sure the administrator is in control of when and where the security patches are downloaded. … You dont want anybody spoofing the URL to get you to pick up bogus patches,” he said, nor do you want an onslaught of end users all downloading patches simultaneously and clogging up bandwidth.
In response to Microsofts question of how the company should help in patch management, customers also asked for more and better documentation. In response, Microsoft has put out a number of white papers and other documentation telling customers the best way to secure their assets, in a program called PAG (Proscriptive Architecture Guidance).
Also, Microsoft has been working on educating the development community, releasing books and sample code to try to ensure that applications dont leave security holes such as unnecessarily opened ports.
(Editors Note: This story was updated after its original posting to clarify Footes concerns with the update.)