Microsoft posts 'find Slammer' tools

Offerings still under development

Responding to the rapid spread of the Slammer worm through a software vulnerability in its SQL Server 2000 database product, Microsoft posted prerelease versions of a number of utilities that can ferret out systems that are susceptible to Slammer.

The tools, which were posted to Microsoft's Web site on Jan. 29, include:

- SQL Scan, which can scan a computer, network domain or range of IP addresses and identify instances of SQL Server 2000 or the Microsoft SQL Server Desktop Engine (MSDE) 2000 that are vulnerable to Slammer.

- SQL Check, which can scan an individual computer running most flavors of the Windows operating system for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to Slammer. For later versions of Windows, such as NT 4.0, Windows 2000 and Windows XP, SQL Check can also disable the vulnerable services.

- SQL Critical Update, which can scan a computer running Windows NT 4.0, Windows 2000 or Windows XP, identify vulnerable instances of SQL Server 2000 and MSDE 2000 and automatically patch the vulnerable files, removing the threat posed by Slammer.

The tools were provided "as is" by Microsoft and all are "under continuing development," according to information posted on the Redmond, Washington, company's Web site. In addition, some of the tools, such as SQL Scan and SQL Critical Update, are not supported by all of Microsoft's current operating systems.

While Microsoft's tools will be welcome news for network administrators -- even in a prerelease state -- they are not the first such tools on the market.

U.K.-based computer security company Next Generation Security Software (NGSS) updated its scanning tool, Typhon II, in July to test for the Slammer vulnerability, according to David Litchfield, co-founder of NGSS and the person who first identified the SQL Slammer vulnerability.

Unfortunately, many SQL Server administrators are slow to patch known vulnerabilities, responding only after a new worm or virus that exploits them is already circulating, according to Litchfield.

"People buy Microsoft products and throw them on their network. These people are not informed about security or don't think about it. So it's only really when things are reported in the popular press that people take notice," Litchfield said.

While the new Microsoft tools may help administrators patch for Slammer, there are other known vulnerabilities in SQL Server and other Microsoft products that, like Slammer, enable attackers to take control of critical systems without needing to supply login or password information, according to Litchfield.

Administrators should be searching their network for those vulnerabilities as well if they don't want to fall victim to the next Slammer-like threat, Litchfield said.

As the world's largest software maker, Microsoft has come under scrutiny for security vulnerabilities in its widely used products.

The recent Slammer worm took advantage of one such security hole and the ubiquity of Microsoft's SQL Server database software to become the fastest-spreading computer virus ever, according to a study conducted by the Cooperative Association for Internet Data Analysis (CAIDA) along with other organizations.

According to that study, the number of machines infected with Slammer doubled roughly every 8.5 seconds in the first minutes of the outbreak. This is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes, according to the report.

Copyright © 2003 IDG Communications, Inc.