| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Security note: MS SQL is current worm vector |
| Date: | 2001-11-25 05:20:17 |
| Message-ID: | 2898.1006665617@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to lauch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82
The security flaw that the worm exploits is not, um, deep. It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password. If that hasn't been changed,
anyone can do anything they want using the server machine.
While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we". This is a heads-up that security
issues *do* matter, even for databases.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dalibor Andzakovic | 2001-11-25 08:35:02 | Re: Security note: MS SQL is current worm vector |
| Previous Message | Tom Lane | 2001-11-25 02:40:25 | anoncvs busted (was Re: v7.2b3 packages rebuilt ...) |