Open source database software maker MySQL warned its users to tighten security Thursday, after news broke about a new Internet
worm that targets the popular relational database, according to a company executive. The company is looking at making bigger
changes to harden its product against future attacks, the executive said.
After spending much of Thursday reaching out to its users about how to protect themselves from the new threat, a version of
the Forbot network worm, the company said it is working on bigger security fixes, including automatic update features that
can push out software changes, and improvements to the default installation that will make the product harder to crack in
the future, said Zack Urlocker, vice president of marketing at MySQL.
The actions come one day after a new version of the Forbot network worm, Forbot-DY, began infecting Microsoft Windows machines
running MySQL. The worm, which also has Trojan horse features, infects machines by breaking into the default administrator
(or "root") account password. With access to the MySQL root account, Forbot was programmed to use a recently discovered exploit
called the MySQL UDF Dynamic Library Exploit to upload and install malicious code on the infected system.
At the height of the outbreak Thursday, more than 8,000 MySQL machines were believed to be infected with Forbot, according
to Johannes Ullrich at The SANS Institute's Internet Storm Center.
The worm took advantage of people who left their MySQL server unsecured, but also benefited from features designed to make
MySQL easy to install and use, said Urlocker. "In the past, our goal was to have MySQL up and running in 15 minutes," he said.
For example, the default root account password is blank. MySQL also allows users to log in as root remotely by default, a
feature that was integral to Forbot-DY's spread, according to security experts.
In the wake of the worm, MySQL is re-evaluating whether security should trump convenience in future releases, Urlocker said.
"If we need stricter passwords or services out of the box to help people monitor (security) issues, we'll look at that," Urlocker
said.
The company has been working on an automatic software update feature that could push out patches for security vulnerabilities
for around nine months. MySQL may also shut off the remote access feature by default, rather than have it enabled, he said.
However, Urlocker defended the company's stance on security, saying that MySQL added a feature in its recent 4.1 software
release that prompts users to change the default root password during installation.
For now, however, MySQL is still trying to spread the word to its customers about the new worm and get them to take precautions
to protect themselves, such as changing the root account password, installing a firewall and preventing remote access to MySQL
servers.
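The precautions listed above (a non-blank root password, no remote root logins, no exposure of port 3306) as a hardening script. This is an added example, not from the article or from MySQL; it assumes the mysql.user privilege table layout of the MySQL 4.x and 5.x era and uses a placeholder password.

```sql
-- Added example (not from the article): audit and harden a MySQL 4.x/5.x
-- server against the defaults Forbot-DY abused. Assumes the legacy
-- mysql.user layout with a Password column (MySQL 5.7+ renamed it
-- authentication_string; adjust the column name there).

-- 1. Find accounts with a blank password (the default root account has one).
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 2. Find root accounts reachable from hosts other than the local machine.
SELECT User, Host
FROM mysql.user
WHERE User = 'root'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Set a real password on the local root account.
--    'replace-with-a-strong-password' is a placeholder, not a suggested value.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-strong-password');

-- 4. Remove remote root logins and any anonymous accounts.
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DELETE FROM mysql.user WHERE User = '';

-- 5. Make the privilege changes take effect without restarting the server.
FLUSH PRIVILEGES;

-- If the server only serves applications on the same host, also add
-- skip-networking (or bind-address=127.0.0.1) under [mysqld] in my.cnf so
-- port 3306 is not listening on the network, and firewall 3306 regardless.
```

Re-run the two SELECT statements after the changes; both should return no rows.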
Companies should consider inventorying their network to make sure they aren't using vulnerable machines, even if they don't
believe they are running MySQL, said Eric Gonzales, co-founder of Application Security Inc. of New York. "We've seen MySQL
used as the backend on lots of applications, including backup and trading systems. And people don't really know it's there,"
he said.
The powerful database software is free to download, which makes it more likely that employees may have loaded a copy on their
desktop or laptop computers to tinker with, and then forgotten about it, Gonzales said. In addition to inventorying all MySQL
installations, administrators should monitor their IDS (intrusion detection systems) for suspect MySQL traffic on port 3306,
he said.