
  guycad$ In Search Of Free Speech Premium join:2002-05-02 Pompton Lakes, NJ
Tell us something we don't know. RE: SQL Security
There's already been some talk of SQL security patches in LinkLoggers thread here: »New Worm - UDP 1434 - SQL Server Monitor??
But this is really tangential to that and deserves its own thread.
From the article here: »finance.lycos.com/home/news/stor···31168037 quote:
Microsoft Corp. itself was exposed to the virus-like attack that crippled global Internet activity last weekend because it failed to install crucial fixes to its own software on many Microsoft computer servers.
Although Microsoft contends its failure to keep up with its own updates did not cause major problems, security experts said it points to a larger issue: Microsoft's process for keeping customers' software secure is hugely flawed.
...
"On the one hand, Microsoft's been saying it's the customer's fault for not patching their networks," but the company's own failure to do so "show(s) how unrealistic that expectation is. It's very much like blaming the victim." (emphasis is mine)
Although others contend software patches can be an effective way to provide security, Microsoft needs to make them easier, said Marc Maiffret, chief hacking officer of eEye Digital Security Inc.
SQL Server patches in particular can be difficult, time-consuming and error-prone to the point where they may cause the program to fail, Schneier said.
Miller acknowledged that the process isn't simple and could be improved. Although Microsoft wants to ensure that its software is built more securely from the start, he said 100 percent security is an elusive goal.
"There's never going to be a day when ... software that is developed by humans is flawless," he said.
-- Gain a competitive advantage. Encourage your business rivals to buy Windows.

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
Thank you.
Personally, as someone who spends the first hour of every single day checking up on security issues, ensuring that there's nothing I need to patch that day, or otherwise seeing what issues I need to keep in mind, I get a little tired of all these weasels crawling out of the woodwork suddenly just blindly declaring "you idiot admins! Can't you even just run Windows Update every now and again?"
It's not that easy; it's not NEARLY that easy. Much of the time, it's almost impossible to know what should or should not be installed. Installing a patch on SQL Server is NOT anything like patching Internet Explorer. First, there's nothing at all remotely like Windows Update or Office Update for SQL Server (or most of the other similar server products). Second, even once you do identify and download patches, they frequently do not include update software... instead including a list of files to back up, overwrite, and other things required in order to install.
Now some might say that doing those things is part of a server admin's job, and I would absolutely agree; but as the article quoted above notes... it's so complicated, the company that produces the stuff can't get it right.
And then there's even more to add to this. In smaller shops, it's frequently one person's responsibility not only to install software, implement security policies, update software, and manage the day-to-day operations, but also to keep up on ALL of the security issues related to ALL the software on their network. Let your boss 'catch' you 'browsing the web' too much (which is much of what it takes to keep up on this stuff) and you're likely to find even MORE piled on you.
Microsoft generally does a good job making the very basic things you do easy, on a computer. Sometimes this has been misleading - such as how people think how easy Windows is, so they assume that it's just as easy for them to set up a Windows server. Code Red should have burst that bubble... and Slammer should further extinguish it. But Microsoft does need to do a better job not only to notify people about the availability of patches, but about what patches are included in what packages (something they STILL are confusing with their more recent notices about this whole thing), and finally by including setup programs with the patches, where possible.
Bleh!
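The post above describes hotfixes that ship as a list of files to back up and overwrite rather than as an installer. The script below is an added example (it is not from this thread and does not model any real SQL Server hotfix) of the minimum an admin would want around such a manual procedure: verify that every target file matches the build the patch was built against, back the originals up before touching anything, and keep enough state to roll back. The manifest format, file names and build strings are constructed for the example.

```python
"""Manifest-driven manual patch applier: verify, back up, overwrite, roll back.

Added example, not code from the thread. Assumes a hypothetical manifest
format: a mapping of relative file name -> SHA-256 of the file that is
*currently* installed (i.e. the build the patch applies to), plus a directory
holding the replacement files under the same names.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def apply_patch(install_dir: Path, patch_dir: Path, manifest: dict, backup_dir: Path) -> list:
    """Replace each file named in manifest with patch_dir/<name>.

    Refuses to change anything unless every installed file matches the hash
    the manifest expects, so a patch for a different build is rejected before
    the first file is overwritten. Originals are copied to backup_dir first so
    rollback() can undo the change. Returns the names of files replaced.
    """
    # Pre-flight: check every target before touching any of them.
    for name, expected in manifest.items():
        target = install_dir / name
        if not target.exists():
            raise FileNotFoundError(f"{name} not found; wrong install directory?")
        actual = sha256_of(target)
        if actual != expected:
            raise ValueError(
                f"{name}: installed hash {actual[:12]} != expected {expected[:12]}; "
                "patch is for a different build"
            )
        if not (patch_dir / name).exists():
            raise FileNotFoundError(f"patch payload lacks {name}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    replaced = []
    for name in manifest:
        shutil.copy2(install_dir / name, backup_dir / name)   # back up original
        shutil.copy2(patch_dir / name, install_dir / name)    # then overwrite
        replaced.append(name)
    return replaced


def rollback(install_dir: Path, backup_dir: Path, names: list) -> None:
    """Restore the backed-up originals for the given file names."""
    for name in names:
        shutil.copy2(backup_dir / name, install_dir / name)


def demo() -> dict:
    """Constructed scenario in a temp dir: apply, refuse a re-apply, roll back."""
    root = Path(tempfile.mkdtemp())
    install, patch, backup = root / "install", root / "patch", root / "backup"
    install.mkdir()
    patch.mkdir()
    # Constructed "installed" and "patched" file contents (placeholder builds).
    (install / "engine.bin").write_bytes(b"OLD-BUILD engine")
    (install / "net.bin").write_bytes(b"OLD-BUILD netlib")
    (patch / "engine.bin").write_bytes(b"NEW-BUILD engine")
    (patch / "net.bin").write_bytes(b"NEW-BUILD netlib")
    manifest = {n: sha256_of(install / n) for n in ("engine.bin", "net.bin")}

    replaced = apply_patch(install, patch, manifest, backup)
    patched = sha256_of(install / "engine.bin") == sha256_of(patch / "engine.bin")

    # Applying the same patch again must be refused: the installed hashes changed.
    try:
        apply_patch(install, patch, manifest, backup)
        refused = False
    except ValueError:
        refused = True

    rollback(install, backup, replaced)
    restored = sha256_of(install / "engine.bin") == manifest["engine.bin"]
    shutil.rmtree(root)
    return {"replaced": replaced, "patched": patched,
            "reapply_refused": refused, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

The pre-flight loop is the part that matters: a manual file-overwrite procedure with no version check will happily drop mismatched binaries onto a different service pack level, which is exactly the "patch may cause the program to fail" outcome the article quotes.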