The cleanup of the Slammer worm is well under way. Its final cost hasn't been computed yet, but people are starting to wonder who is responsible for getting slammed.
The obvious culprit is the author, but what about Microsoft? The patch for the SQL Server vulnerability that paved the way for Slammer was difficult to install. What about the system administrators? They had plenty of time to install the patch and most could have blocked UDP port 1434, which would have prevented infection. Does enterprise management absorb any blame? Companies hear constant pleas for greater investment in preventive security moves, like the application of patches.
Rudy Limeback, a Toronto-based database consultant, said there is plenty of blame to divvy up, but he blames "Microsoft, mainly, because they make it so darned hard for administrators to patch their systems."
Yet Microsoft did release a critical advisory on the vulnerability (along with a patch) six months ago. "In my opinion, the Slammer's progress was completely due to lazy system administrators," said Pat Phelan, lead DBA for a company that serves middle market businesses. "Microsoft had MS02-039 available well over 180 days ago, and if it had been applied, then your machine would not have been affected."
Phelan's company did have a few problems with Slammer on systems using Microsoft SQL Desktop Environment (MSDE), which also has the vulnerability. "Our computer room was patched, so it wasn't vulnerable, but servers in other offices on our WAN and many, many copies of MSDE were affected," he said.
In a recent Web-based poll by antivirus vendor Sophos, 64% of respondents said system administrators were to blame for Slammer spreading. Only 24% blamed Microsoft.
Yet efforts to assign blame may be misguided, said Tim Mullen, CIO and chief software architect for AnchorIS.com, a developer of secure enterprise-based accounting software. "Everybody is to blame. Everyone had a piece in things," Mullen said.
Microsoft? Some have used the fact that Microsoft had some internal problems with the worm infecting its systems as a reason to blame the company for it, Mullen said. But Microsoft is like any other large corporation with thousands of systems. It only takes one being open for a worm to cause problems, Mullen said.
On the other hand, the patch was excessively difficult to install, experts and DBAs said. It required a series of steps that were almost harder than installing SQL Server in the first place, Mullen said. Patching remote systems was also difficult because installing the patch required some copying and pasting of files, he said.
System administrators? Many system administrators, especially at large enterprises (such as Microsoft), don't have the resources to properly manage such things as this vulnerability, Mullen said. A system administrator may have systems patched and the firewall secured, but all it takes is one vulnerable system to let the worm in. Applications that use MSDE also can be vulnerable to Slammer, adding another complication.
Administrators at smaller companies probably can't blame management so much because they can keep tabs on their systems a little more easily, Mullen said. "At the end of the day, it's my machine. I am the only person who can patch it," he said.
FEEDBACK: Who is to blame for the outbreak of the Slammer worm? Send News Writer Edward Hurley your thoughts.