According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to lauch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82
The security flaw that the worm exploits is not, um, deep. It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password. If that hasn't been changed,
anyone can do anything they want using the server machine.
While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we". This is a heads-up that security
issues *do* matter, even for databases.
regards, tom lane
