In the wake of the MySpooler worm that spread via weak MySQL passwords on Windows installations last week, database users criticized the open-source database for lax security lockdown on installation, saying that it should be held to the same high standards as traditional security whipping-boy Microsoft Corp.
“Even … Windows forces you to create an admin password when you install,” one developer wrote in an e-mail. “Poor coding, security or thoughtlessness on the part of open-source developers should not be pooh-poohed. Defending [Microsoft] by blaming the user was laughed at by the arrogant technorati who band together behind open source; neither is it good enough for open source to hide behind it now.”
MySpooler was a bot attack launched against default Windows installations of MySQL that infected vulnerable systems at the rate of up to 100 per minute. It was halted after DNS (Domain Name System) service authorities shut off access to IRC servers controlling the worm.
One MySQL user, George Michel, a programmer/analyst for the Yale Center for Medical Informatics at Yale University in New Haven, Conn., said MySQL is getting ever more polished in subsequent versions.
“I guess now they will have to pay more attention to these harmless installs by making sure the application wizard forces them to change roots passwords,” Michel said.
Zack Urlocker, vice president of marketing at MySQL AB, based in Uppsala, Sweden, defended the companys zeal for all things security-related, including the default-password issue, which has actually been addressed in versions 4.1 and later.
“We already put some of this in place with 4.1,” Urlocker said. “You have to go out of your way not to change the root password. The fixes in 4.1 look at these issues, [but] theyre like seatbelts.
“Weve got seatbelts on a car, and we want users to use them. … But [when it comes to] people who dont want them on, should we automatically put them on for them? Thats the balancing issue.”
Locked Down by Default
If it were up to some DBAs (database administrators), the seatbelts would lock tight as soon as a driver sat down. “I call [MySQL] a virus because the default installation makes no attempt to force the installing user to change the default passwords,” said one senior Oracle DBA who requested anonymity.
“All of the commercial databases do, and the other open-source database—my favorite, PostgreSQL—by default locks itself down hard. Do I blame MySQL for this? Yes. They could have the install process force a password change—anything is better than the defaults—and they could by default lock down access, like PostgreSQL does.”
Urlocker said the question of disabling root accounts by default in the upcoming Version 5.0 is “an ongoing discussion.”
“[With] the install program, and other things were looking at, well be very proactive,” he said.
“We take [security] pretty seriously. Theres been a lot of discussion among developers of the balancing act between being easy to use and not letting anything become a potential problem for users.”
Indeed, MySQLs security seriousness was underscored by recent good news: The five Stanford University researchers at source-code analysis firm Coverity Inc. who analyzed the security of the Linux kernel over a period of four years are planning to release an analysis of the security and quality of MySQL code this month.
They found the database to have an “excellent” bug density. For that story, click here.