A powerful internet attack—dubbed SQL Slammer—that hit computers worldwide Jan. 25 has security experts worried that too many system managers are only fixing problems as they occur, rather than keeping their defenses up to date. The problem underscores the need for school technology managers to monitor security bulletins carefully and download the latest software patches as soon as they are made available.

The worm—which crippled tens of thousands of computers worldwide, congested the network for countless others, and even disabled Bank of America cash machines—took advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.

Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 software—used mostly by businesses, governments, and school systems—but many system administrators had yet to install them when the attack hit Jan. 25.

Some of those administrators were at Microsoft itself, the company acknowledged in a report in the New York Times. Some computers at the software giant were affected because appropriate Microsoft patches had not yet been installed. That irony underscored how hard it can be to ensure that all security measures are in place and up to date. But Microsoft’s internal problems were cold comfort to those affected by SQL Slammer.

“There was a lot that could have been done between July and now,” said Howard A. Schmidt, President Bush’s No. 2 cybersecurity adviser. “We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up to date.”

Network technicians worked furiously in the wake of the attack to repair damage caused by the fast-spreading worm. The problem was declared largely under control Jan. 26, though some experts were worrying about the possibility of lingering infections appearing for days afterward.

As the worm infected one computer, it was programmed to seek other victims by sending out thousands of probes a second, saturating many internet data pipelines.

Unlike most viruses and worms, it spread directly through network connections and did not need eMail as a carrier. Thus, only network administrators who run the servers, not end users, could do anything to remedy the situation. According to Keynote Systems Inc., which measures internet reliability and speed, network congestion increased download times at the largest U.S. web sites by an average of 50 percent, and some sites were completely unavailable at times.

Bruce Schneier, chief technology officer at Counterpane Internet Security, said the attack proves that relying on patches is flawed “not because it’s not effective, but [because] many [systems administrators] don’t do it.”

Two of the previous major outbreaks, Code Red and Nimda, also exploited known problems for which patches were available.

But with more than 4,000 new vulnerabilities reported last year, according to the government-funded CERT Coordination Center at Carnegie Mellon University, system administrators can have trouble keeping up.

Patches also take time to install and could disrupt other systems and applications. Schmidt said many network managers delay installing patches to fully test them first. Russ Cooper, a security analyst at TruSecure Corp., said patches are also complicated, and applying them out of order can undo an earlier fix.

Microsoft spokesman Rick Miller said the company is working with network professionals to develop better tools, including ones that can scan systems automatically for known vulnerabilities.

A larger problem is inadequate information on which patches need to be tested and installed first, said Dan Ingevaldson at the Internet Security Systems’ X-Force research arm. Preventing the next outbreak, security experts say, will mean rethinking security. Favored approaches range from getting vendors to make better software to paying private companies more money to handle the brunt of the work.

Microsoft executives have said they want to make security updates automatic so users could grant permission once and have multiple patches installed over the internet whenever needed. Network managers, however, worry that such automation could inadvertently introduce problems for other applications.

See these related links:

Microsoft SQL Server 2000 patch
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp

CERT Coordination Center
http://www.cert.org