Bug Alert: More Slammer info

Opinion
Jan 30, 2003
Networking, Patch Management Software, Security

* Patches from SCO, Conectiva, others
* Beware viruses that attempt to allow access to an infected machine via IRC
* Symantec: Security attacks getting more aggressive, and other interesting reading

A few follow-up items surrounding the SQL Slammer worm that brought some Internet traffic and commerce to a screeching halt last weekend:

* Reader Scott Morizot took some exception with my (and the general media’s) assertions that lazy administrators are to blame for not applying a patch that has been available from Microsoft for the past six months. Morizot makes a good point: some installations of MSDE (the Microsoft SQL Server 2000 Desktop Engine, which ships embedded in many third-party products) include the vulnerable SQL Server code and could be infected by the worm, yet many users have no idea that code is on their systems, because it is not a full SQL Server installation. An excellent point.

While at ComNet, we heard from a number of people that say some of these patches have not been installed because of the testing that’s required before implementing them on production systems. I don’t buy this one so much. Obviously, the time it takes to test these patches is well worth it if you can protect against this weekend’s mess.
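The practical answer to the “hidden MSDE” problem is to ask each host what SQL Server instances it is running. Every SQL Server 2000 and MSDE 2000 install listens on UDP 1434 for the SQL Server Resolution Service (the same service Slammer exploits); a one-byte 0x02 request makes it list its instances, names and builds. The inventory script below is an added example, not code from the newsletter or from Microsoft. It parses a constructed response datagram offline (the host name LABBOX and the instance APPDATA are invented), and it flags SQL Server 2000 family (8.x) builds below SP3, build 8.00.760, which is the service pack that carries the MS02-039 fix; treat that flag as a prompt to check, since earlier hotfix builds can also carry the fix.

```python
"""Inventory SQL Server / MSDE instances via the SQL Server Resolution Service (UDP 1434)."""
import socket

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # SSRP "client broadcast" request: list all instances
SVR_RESP = 0x05           # first byte of every SSRP server response

# SQL Server 2000 SP3 is build 8.00.760 and includes the MS02-039 fix.
# Hotfix builds below it may already be patched, so a lower build means
# "go and check", not "definitely vulnerable".
SP3_BUILD = (8, 0, 760)


def parse_ssrp_response(payload: bytes) -> list[dict]:
    """Parse an SSRP SVR_RESP datagram into one dict per instance.

    Layout: 0x05, 2-byte little-endian length, then ASCII 'key;value;...'
    tokens; instances are separated by ';;'.
    """
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(payload[1:3], "little")
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue  # empty tail after the final ';;'
        # pair up key;value tokens; an odd trailing token is ignored
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if "InstanceName" in inst:
            instances.append(inst)
    return instances


def parse_version(version: str) -> tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194); anything unparseable -> ()."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return ()


def needs_attention(inst: dict) -> bool:
    """True for a SQL Server 2000 family (8.x) build older than SP3."""
    ver = parse_version(inst.get("Version", ""))
    return len(ver) == 3 and ver[0] == 8 and ver < SP3_BUILD


def probe(host: str, timeout: float = 2.0) -> list[dict]:
    """Send the broadcast request to one host and parse whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []  # nothing listening on 1434 (or a firewall in the way)
    return parse_ssrp_response(data)


# Constructed sample response (not a real capture): a default instance at the
# RTM build beside a named instance already at SP3.
SAMPLE_BODY = (
    "ServerName;LABBOX;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
    "tcp;1433;np;\\\\LABBOX\\pipe\\sql\\query;;"
    "ServerName;LABBOX;InstanceName;APPDATA;IsClustered;No;Version;8.00.760;"
    "np;\\\\LABBOX\\pipe\\MSSQL$APPDATA\\sql\\query;;"
)
SAMPLE_DATAGRAM = (
    bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY.encode("ascii")
)


def report(instances: list[dict]) -> list[str]:
    """One line per instance, prefixed CHECK or ok."""
    lines = []
    for inst in instances:
        flag = "CHECK" if needs_attention(inst) else "ok"
        lines.append(f"{flag:5} {inst['ServerName']}\\{inst['InstanceName']} "
                     f"version={inst.get('Version', '?')}")
    return lines


if __name__ == "__main__":
    # Offline run against the constructed datagram; swap in probe("10.0.0.5")
    # to query a live host.
    for line in report(parse_ssrp_response(SAMPLE_DATAGRAM)):
        print(line)
```

Run it against a subnet from a host that is allowed to reach UDP 1434 and every answering box is a SQL Server or MSDE install, whether or not anyone knew it was there; a box that does not answer may simply be filtering the port, so the absence of a reply is not proof of absence.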

* Speaking of ComNet, my colleague Denise Dubie and I took to the show floor to gather reaction to the SQL Slammer worm from attendees:

https://www.nwfusion.com/news/2003/0129reactions.html

* Keynote Systems, which monitors Internet performance, is claiming the SQL Slammer event “affected more users for a longer duration than any previous performance event.” Keynote’s measurements show that, of the 40 major U.S. Web sites it tracks, 50% were slowed between midnight and 1 p.m. last Saturday, with availability dropping to 10%.

SQL Slammer seems to have outpaced the 2001 Baltimore Tunnel Fire, Code Red, Nimda and the February 2000 denial-of-service attacks against eBay, Yahoo, CNN and others.

Fortunately, this happened on a Saturday morning and not a weekday.

* Finally, a couple of companies have released advisories for products that use Microsoft’s SQL Server and could be affected if the proper patches are not applied:

Cisco:

https://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

Veritas:

https://support.veritas.com/docs/254244

Today’s bug patches and security alerts:

Major flaws in older versions of MIT Kerberos

Versions of MIT Kerberos 5 up to and including 1.2.5 contain multiple security vulnerabilities. The flaws could be exploited to crash the affected KDC or potentially to gain access. Users should upgrade to Version 1.2.7. For more, go to:

https://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt

**********

Additional MySQL patches available

As we’ve reported for other Linux distributions, two vulnerabilities have been found in the popular MySQL database server. One flaw could be exploited to crash the affected server, the other to bypass the password check and execute arbitrary code on the machine. For more, go to:

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2003.008-mysql.html

EnGarde:

https://www.linuxsecurity.com/advisories/engarde_advisory-2817.html

**********

Debian fixes dhcp3 package

A flaw in Debian’s dhcp3 package could lead to a “storm of packets” being sent from the client to a server, resulting in a potential denial of service. For more, go to:

https://www.debian.org/security/2003/dsa-245

Debian releases new kdegames

A flaw in the kdegames for Debian could be exploited to run arbitrary commands on the affected system. A local or remote attacker could exploit this flaw. For more, go to:

https://www.debian.org/security/2003/dsa-240

Debian patches noffle

A flaw in noffle, an offline news server, could potentially be exploited by a remote user to run arbitrary commands on the affected machine with the privileges of noffle, usually “news”. For more, go to:

https://www.debian.org/security/2003/dsa-244

Tomcat patch for Debian users available

Three major flaws have been found in the Tomcat application server packages for Debian. The flaws could be exploited to obtain a directory listing, read XML data, or mount a cross-site scripting attack that runs attacker-supplied script in other users’ browsers. For more, go to:

https://www.debian.org/security/2003/dsa-246

**********

Updated fetchmail packages available

A couple of flaws have been found in fetchmail. These flaws could be exploited by a remote user to run arbitrary code on the affected machine. For more, go to:

EnGarde:

https://www.linuxsecurity.com/advisories/engarde_advisory-2818.html

Mandrake Linux:

https://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:011

**********

SCO releases CUPS patch

As we’ve recently reported, a number of flaws have been found in CUPS, a popular printing service for Unix and Linux. The flaws could be exploited to gain remote access to the affected system and escalate to root. For more, go to:

ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-004.0.txt

**********

Conectiva patches libpng

A buffer overflow flaw in PNG image handling software libpng could be exploited to run arbitrary code on the affected machine. An attacker would have to craft a PNG file to trigger the overflow. For more, go to:

https://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000564

**********

OpenPKG patches wget

A directory traversal flaw in wget could allow a malicious user to write files outside the download directory of the affected machine. For more, go to:

https://www.openpkg.org/security/OpenPKG-SA-2003.007-wget.html
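The wget flaw is the classic shape of a directory traversal: a name chosen by the remote server is joined onto the local download directory, and a name containing “..” components lands the file somewhere else. The snippet below, an added example and not wget’s own code, shows the vulnerable join beside a hardened version that keeps server-supplied sub-directories (as a recursive fetch needs) while rejecting absolute paths and any “..” component, then confirms the resolved path still lies under the download directory so a symlink already inside it cannot redirect the write either. The download directory /tmp/dl used in the sample calls is invented.

```python
"""Confining a server-supplied filename to the download directory."""
import os


def unsafe_local_path(download_dir: str, remote_name: str) -> str:
    """Vulnerable pattern: trust the remote name and join it as-is.
    '../' components walk out of download_dir."""
    return os.path.normpath(os.path.join(download_dir, remote_name))


def safe_local_path(download_dir: str, remote_name: str) -> str:
    """Hardened: keep sub-directories but refuse anything that would resolve
    outside download_dir. Raises ValueError instead of writing elsewhere."""
    if os.path.isabs(remote_name):
        raise ValueError(f"absolute path from server: {remote_name!r}")
    # Treat backslashes as separators too, then drop empty and '.' parts.
    parts = [p for p in remote_name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"unusable filename from server: {remote_name!r}")
    if any(p == ".." for p in parts):
        raise ValueError(f"traversal component in: {remote_name!r}")
    base = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # realpath follows symlinks, so a link planted inside download_dir that
    # points elsewhere is caught here as well.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes download dir: {remote_name!r}")
    return candidate


def is_confined(download_dir: str, remote_name: str) -> bool:
    """True when the hardened check accepts the name."""
    try:
        safe_local_path(download_dir, remote_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed names of the kind a hostile server might send.
    for name in ("docs/index.html", "../../etc/passwd", "/etc/passwd", "docs/../../x"):
        print(f"{name:20} unsafe -> {unsafe_local_path('/tmp/dl', name)}"
              f"   safe -> {'ok' if is_confined('/tmp/dl', name) else 'REJECTED'}")
```

The final commonpath check is the one that matters in practice: the component filter handles what the server says, the realpath comparison handles what the file system actually does with it.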

**********

Today’s roundup of virus alerts:

Troj/SadHound-A – A Trojan horse that drops a love note on the infected machine as well as a backdoor that is accessible to an attacker via IRC. (Sophos)

W32/NetSpree-A – Another virus that attempts to allow access to the infected machine via IRC. This virus drops a program for launching distributed denial-of-service attacks against other targets. The virus also spreads by trying to infect other machines on the same LAN. (Sophos)

**********

From the interesting reading department:

Microsoft slammed by its own product’s vulnerability

Microsoft fell victim to a software vulnerability in one of its own products on Saturday, when the W32.Slammer worm infested host machines on the Redmond, Wash., company’s network, flooding that network with traffic.  IDG News Service, 01/28/03.

https://www.nwfusion.com/news/2003/0128msslam.html

See also, ComNet attendees react to SQL Slammer:

https://www.nwfusion.com/news/2003/0129reactions.html

Internet Worm Unearths New Holes

The computer bug that ravaged systems throughout the world over the weekend showed how the increasing use of the Internet by businesses, banks and local governments has created vulnerabilities where few ever suspected them. Washington Post, 01/29/03.

https://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html

FAA: Slammer didn’t hurt us, but other attacks coming

The Federal Aviation Administration survived last weekend’s Slammer worm attack with only one administrative server compromised, and the agency that controls commercial air traffic in the U.S. is taking a multipronged attack to network security, said Daniel Mehan, assistant administrator for information services and chief information officer at the FAA. IDG News Service, 01/28/03.

https://www.nwfusion.com/news/2003/0128faaslamm.html

SAP offers new homeland security product

The product, Security Resource Management, is designed to support processes necessary for homeland security, including border security, emergency preparedness and response, countermeasures, information analysis and external coordination, the Walldorf, Germany, software company said Wednesday in a statement. IDG News Service, 01/29/03.

https://www.nwfusion.com/news/2003/0129sapoffer.html

Symantec: Security attacks getting more aggressive

The number of security attacks on the Internet seem to be leveling off after a rocket-like rise during the last decade, but the attacks still happening are more sophisticated, said the president and COO of security vendor Symantec. IDG News Service, 01/29/03.

https://www.nwfusion.com/news/2003/0129symantalks.html

Symantec links Host IDS into ManHunt net monitor

Symantec has expanded its ManHunt network intrusion detection system (IDS) by adding a software agent to monitor and analyze events detected by its host-based intrusion detection software, Host IDS 4.0. IDG News Service, 01/28/03.

https://www.nwfusion.com/news/2003/0128symanlinks.html

**********

Archives online:

If you’re like me and fall behind on e-mail reading quite a bit, our online archive is here to help:

https://www.nwfusion.com/newsletters/bug/