An insight into the problems faced by Microsoft indealing with the Slammer (aka Sapphire) worm is revealed in internal company memos leaked to El Reg. <\/p>\n
The email memos from Microsoft security team (18 in all of which we publish only the first [most illuminating] four) reveal a giant corporation struggling to contain the effects of a virulent worm, which knocked many of its Internet services offline. <\/p>\n
Those who blame system admins for the spread of the worm might do well to ponder on the fact even Microsoft had not applied its fix which, it’s now clear, was far from easy to apply. <\/p>\n
From: Mike Carlson (ITG)
\nSent: Saturday, January 25, 2003 8:04 AM
\nTo: EIS Data Center Clients; uDRM Operations Team; Gregory Wood’s Direct
\nReports; IR\/ID
\nCc: HUSK:Corporate Data Center Release Management; ITG DR Command Team; ITG DR Functional Command Team; Randy Coggan; Jim DuBois Direct Reports; Steven Rees <\/p>\n
< Microsoft Confidential - Do Not Forward! > <\/p>\n
Event Description: <\/p>\n
At approx 10:00 pm traffic on the corporate network jumped dramatically, eventually bringing nearly all services to a crawl. The root cause appears at this time to be a virus attacking SQL servers on UDP port 1434. The problem is not confined to MS only, as there are reports of widespread impact at other companies and across the Internet. <\/p>\n
Start Date\/Time: <\/p>\n
Approximately 10:00 PM PST, Friday 1\/24\/2003. <\/p>\n
Impact: <\/p>\n
All apps and services are potentially affected and performance is sporadic as best. The network is essentially flooded with traffic, making it difficult to gather details concerning the impact. <\/p>\n
Status Update: <\/p>\n
Confirmed SQL SP3 does protect the system from the virus, but believe we may have a hot fix that could be remotely applied to SP2 as well. All systems owners should make plans to update their systems asap. <\/p>\n
ETA: None. <\/p>\n
Action Required: <\/p>\n
Owners should be planning to upgrade their systems asap. <\/p>\n
Next Update: 0900 <\/p>\n
From: Mike DeGooyer
\nSent: Saturday, January 25, 2003 9:15 AM
\nTo: EIS Data Center Clients; Gregory Wood’s Direct Reports; IR\/ID
\nCc: Broadband Networking All; Corporate Data Center Release Management; ITG
\nDR Command Team; ITG DR Functional Command Team; Randy Coggan; Jim DuBois Direct Reports; Steven Rees <\/p>\n
Microsoft Confidential <\/p>\n
Do Not Forward <\/p>\n
Corporate Network Outage: 1-24-03 <\/p>\n
Update: Network traffic is still affected and inhibiting traffic. Effected resources have been identified and operations is isolating network traffic to apply the fix upon completion. <\/p>\n
Next Update: 1000 PST or when implementation steps are ready. <\/p>\n
Action Required: <\/p>\n
None at this time. Effected resources owners will be contacted. <\/p>\n
Description: <\/p>\n
At approximately 10:00pm PST traffic on the corporate network increased dramatically due to a virus attack directed at SQL Server. The interruption was not directed at Microsoft Resources. <\/p>\n
Event Summary: <\/p>\n
8:00am Specific file versions and server impact is being assessed. <\/p>\n
7:00am Engineering testing application of hot fix that could be remotely applied to SP2. <\/p>\n
6:00am Engineering confirmed SQL SP3 protects systems. Preparing to engage effected server owners. <\/p>\n
5:00am Identifying that patch that will fully protect the systems. <\/p>\n
4:00am Virus behavior was identified. Working on resolution process. <\/p>\n
3:00am SQL Dev and engineering are engaged isolating the issue. <\/p>\n
2:00am Engineering engaged to isolate the issue and behavior patterns. <\/p>\n
1:16am Notification sent clients. <\/p>\n
____________ <\/p>\n
Mike DeGooyer
\nEIS Release Management- BGIT <\/p>\n
[contact details deleted] <\/p>\n
From: Mike DeGooyer
\nSent: Saturday, January 25, 2003 11:23 AM
\nTo: Mike DeGooyer; EIS Data Center Clients; Gregory Wood’s Direct Reports;
\nIR\/ID
\nCc: Broadband Networking All; Corporate Data Center Release Management; ITG
\nDR Command Team; ITG DR Functional Command Team; Randy Coggan; Jim DuBois Direct Reports; Steven Rees; uDRM Operations (MSE); Corporate Data Center Release Management <\/p>\n
Update: HELP NEEDED: If you have servers that are nonessential, please shut down the MSSQLSERVER service as well as SQL Agent (so SQL doesn’t restart) so that we can eliminate nonessential noise\/traffic on the network. Your urgent assistance with this will be very helpful. <\/p>\n
SQL Development and Engineering are engaged. Network traffic is still affected and inhibiting traffic. Operations are isolating network traffic to apply the fix upon completion. <\/p>\n
Next Update: 1200 PST or when implementation steps are ready. <\/p>\n
____________ <\/p>\n
Mike DeGooyer <\/p>\n
EIS Release Management- BGIT <\/p>\n
[contact details deleted] <\/p>\n
From: Chad Lewis
\nSent: Saturday, January 25, 2003 12:35 PM
\nTo: EIS Data Center Clients; Gregory Wood’s Direct Reports; IR\/ID; ITG DR
\nCommand Team; ITG DR Functional Command Team
\nCc: Broadband Networking All; Corporate Data Center Release Management;
\nRandy Coggan; Jim DuBois Direct Reports; Steven Rees; uDRM Operations
\n(MSE); Phil Nguyen (ITG); Mike DeGooyer; Building 11 MCSS Members; TK MCSS
\nStaff; Jim Pauley; Global Networks Operations Center; Steven Rees; Paul
\nOlson; Peter Tutak; MSN IA Core <\/p>\n
**Microsoft Confidential – Do Not Forward!** <\/p>\n
Status Update: <\/p>\n
If you have SQL servers that are nonessential, please shut down the MSSQLSERVER service as well as SQL Agent (so SQL does not restart) so that we can eliminate nonessential noise\/traffic on the network. Your urgent assistance is required. <\/p>\n
Within the next 60 minutes, the 039 SQL patch will be scripted for deployment to all SQL servers outside the data center to reduce traffic volume on the network. For details on 039, visit
\n[url=http:\/\/www.microsoft.com\/technet\/treeview\/default.asp?url=\/technet\/security\/bulletin\/MS02-039.asp]www.microsoft.com\/technet\/treeview\/default.asp?url=\/technet\/security\/bulletin\/MS02-039.asp[\/url]
\nImpact will be a cycling of the SQL service. <\/p>\n
We are investigating the best method of addressing the data center space and will communicate during next update. <\/p>\n
Next update 1:30pm, or as needed. <\/p>\n
Chad Lewis <\/p>\n
EIS Release Management <\/p>\n
by john.leyden from [url=]http:\/\/www.theregister.co.uk\/content\/56\/29073.html[\/url]<\/p>\n","protected":false},"excerpt":{"rendered":"
Microsoft’s policy of relying on software patches to fix major security flaws was questioned Monday
\nafter a series of internal e-mails revealed that the software giant’s own network wasn’t immune from a worm that struck the Internet last weekend.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[],"class_list":["post-4","post","type-post","status-publish","format-standard","hentry","category-m"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-4","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/4","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=4"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/4\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}