Thursday, March 22, 2012

Compromise?

OK, let me apologize for sounding condescending. I actually was attempting
to sound confused that you didn't realize what you did. Yeah, it sounds
condescending in hindsight, but it really wasn't meant to.
No, I do not think it is acceptable behavior, especially in light of our
company's attempts to get more secure. That's why we're changing the default
to require a strong password. As others have stated, that's generally the
way this market has behaved in the past so it really hasn't seemed like a
big deal. With all the worms and viruses hitting us though, that has
changed.
Going back and modifying the released version of the software is a pretty
difficult operation, from what I understand. We have done that for the
Slammer fix, but apparently this hasn't made that bar as you've suggested it
should. It will be done for Yukon, however, so hopefully there is some light
at the end of the tunnel.
Again, I'd like to apologize for my incredibly bad choice of phrasing...
Sincerely,
Stephen Dybing
This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to the newsgroups only, thanks.
"phil" <anonymous@.discussions.microsoft.com> wrote in message
news:059201c3b933$9a9f55f0$a301280a@.phx.gbl...
Let me say this, anyone who starts a sentence with "Uh,
..." means their remarks to be condescending, and so I will
respond to that attitude...
I will gladly accept blame for leaving the front door
open, as you say. Perhaps you can take partial blame for
advertising that I have the type of house that just might
leave the front door open. Or one that has a default
lock that doesn't work.
You actually think it's acceptable behavior that a product
installed on an operating system can be set in a default
mode whereas others can use it to launch any process, at
will, to attack one's machine? And so you might
ask, "Well, what could Microsoft have done?". Well I
have just such an answer:
1. It should have replaced SQL Server 2000 with a
revised version including all patches in SP3a, not just
made the patches available and advised customers to
install it.
2. And it should have included a revision making it
impossible to set a blank password.
Yes, call me stupid or naïve (as you so implied), but no
more stupid than a manufacturer who set up their
customers for just such a failure, fails to correct it in
an acceptable way, and then tells the customer it's his
fault.
I love the arrogance of your response; somehow I would
guess Mr. Ballmer or Mr. Gates might find your arrogance
equally amusing.
>--Original Message--
>Uh, why the vulnerability exists? It exists because you left the front door
>open. In the past, it was the default account/password combination when SQL
>Server was installed and if your SQL Server is running under a local
>administrator account, you just gave anybody who has a SQL Server client
>tool complete control over that computer. There was a worm that hit a while
>back that simply scanned every machine it could find looking for SQL Servers
>with no password on their SA account. The only way to keep you from shooting
>yourself in the foot is by disallowing blank SA passwords. We're doing our
>best to keep you from doing that in the current versions, but we cannot
>remove that ability completely without breaking lots of existing
>applications. What we can do is warn you not to allow it and disable it by
>default so that you consciously have to allow the vulnerability to exist. I
>believe that's what we started doing with SQL Server 2000 service pack 3.
>--
>I hope this makes sense,
>Stephen Dybing
>This posting is provided "AS IS" with no warranties, and confers no rights.
>Please reply to the newsgroups only, thanks.
>"phil b" <g3@.philbeisel.com> wrote in message
>news:017301c3b90a$371e25c0$a401280a@.phx.gbl...
thanks, i appreciate your response. apology accepted.
one question lingers that seems to have been lost in all
of this:
can you tell me if a blank password "sa" account, with
SP3a installed and otherwise default settings, is known
to Microsoft to be able to be hijacked and run a process?
in other words, I don't understand what this "feature" is
(meaning the ability to launch some process) and whether
it is a feature to begin with.
that's really what i wanted to know. the damage is done,
i'm in clean up mode, and i decided to write in case i
had discovered some new flaw.
(i suppose that's why i took immediate offense, because i
was only interested in informing Microsoft of a new
potential flaw if it wasn't known already).
thanks,
phil
Stephen, thanks. i guess all I have left to say on this
is simply: wow!
/phil
>--Original Message--
>Yes, if you don't provide a password on your SA account, anybody able to run
>"OSQL /Usa /P /S<servername>" (or any other client program of their choice)
>and connect now has complete control over your SQL Server. And on top of
>that, that person now has whatever permissions that the account running SQL
>Server has (because of xp_cmdshell). If it's a local admin, they have
>complete control over the box. If it's a domain admin, they have complete
>control over your domain. If it's a domain or local account, they have
>whatever permission that account has.
>As you have surmised, this is a really big deal.
>--
>Sincerely,
>Stephen Dybing
>This posting is provided "AS IS" with no warranties, and confers no rights.
>Please reply to the newsgroups only, thanks.
>"phil b" <anonymous@.discussions.microsoft.com> wrote in message
>news:018d01c3b9da$6ecf6300$a501280a@.phx.gbl...
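As an added example (not part of the thread above), here is a defender's audit-and-remediation script for the three conditions Dybing's answer combines: a login that accepts a blank password, xp_cmdshell being available, and the service running as a privileged account. It assumes SQL Server 2005 or later syntax (sys.sql_logins, PWDCOMPARE, sp_configure 'xp_cmdshell'); the sys.dm_server_services view needs 2008 R2 SP1 or later, and the new sa password is a placeholder to be replaced.

```sql
-- 1. Which SQL logins accept an empty password?
--    PWDCOMPARE tests a candidate password against the stored hash
--    without exposing the hash; a row here is the "front door open" case.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;

-- 2. Is xp_cmdshell enabled? With it on, any sysadmin login (sa included)
--    runs OS commands as the SQL Server service account.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';        -- run_value = 1 means enabled

-- 3. Which Windows account does the engine run as? A local or domain
--    administrator here is the "complete control over the box / domain"
--    case. (sys.dm_server_services: SQL Server 2008 R2 SP1 and later.)
SELECT servicename, service_account
FROM sys.dm_server_services;

-- Remediation: turn xp_cmdshell off, give sa a real password under the
-- Windows password policy, then disable sa and use named admin logins.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-strong-password>',  -- placeholder
                   CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
```

Re-run query 1 afterwards; it should return no rows. Changing the service account itself is done in SQL Server Configuration Manager, not in T-SQL.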