Microsoft Corp. itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers.
Although Microsoft contends its failure to keep up with its own updates did not cause major problems, security experts said it points to a larger issue: Microsoft’s process for keeping customers’ software secure is hugely flawed.
The virus-like attack, called “slammer” or “sapphire,” exploited a known flaw in Microsoft’s “SQL Server 2000” database software, used by businesses, government agencies, universities and others around the world. Microsoft had issued a patch for the flaw in July, but many—including some units within Microsoft—had failed to install it.
Update on the “did not cause major problems” claim:
“All apps and services are potentially affected and performance is sporadic at best,” Mike Carlson, director of data center operations for Microsoft’s Information Technology Group, stated in an e-mail sent at 8:04 a.m. PST Saturday to other members of Microsoft’s operations groups. “The network is essentially flooded with traffic, making it difficult to gather details concerning the impact.”
In the case of SQL Slammer, it seemed that Microsoft had done it right. The company had informed customers six months earlier about a flaw and included patches in both a roll-up patch—a software update that includes all the latest patches—and in the company’s latest service pack for Microsoft SQL Server 2000. But even within Microsoft, something went wrong.
“At approximately 10:00 p.m. (PST, Friday), traffic on the corporate network jumped dramatically, eventually bringing all services to a crawl,” stated Carlson’s memo. “The root cause appears at this time to be a virus attacking SQL.”
On Saturday, Microsoft’s Windows XP Activation service was down, not because the servers were vulnerable, but because the company’s internal network was inundated with junk data, Rick Devenuti, the chief information officer for the software giant, said in an interview Monday.