Security note: MS SQL is current worm vector - Mailing list pgsql-hackers

From Tom Lane
Subject Security note: MS SQL is current worm vector
Date
Msg-id 2898.1006665617@sss.pgh.pa.us
Whole thread Raw
Responses Re: Security note: MS SQL is current worm vector
Re: Security note: MS SQL is current worm vector
List pgsql-hackers
According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to lauch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep.  It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password.  If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we".  This is a heads-up that security
issues *do* matter, even for databases.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: anoncvs busted (was Re: v7.2b3 packages rebuilt ...)
Next
From: Lincoln Yeoh
Date:
Subject: Re: Security note: MS SQL is current worm vector