Re: Security note: MS SQL is current worm vector

From: Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Security note: MS SQL is current worm vector
Date: 2001-11-25 08:35:52
Message-ID: 3.0.5.32.20011125163552.015582f0@192.228.128.13
Lists: pgsql-hackers

Yeah, by default PostgreSQL ships practically without any access controls.

Fortunately most self-compiled PostgreSQL installations don't have remote
access enabled (I have long assumed that on most Unix or Unix-like systems
local users = root users, so PostgreSQL's lack of local user security by
default isn't that big an issue).

I have no experience with prepackaged PostgreSQL installations.

Anyway most DB installations should be behind firewalls. That said many
Microsoft users may not even know they have a DB installation, let alone
that they need to set a password ;).

Cheerio,
Link.

At 12:20 AM 11/25/01 -0500, Tom Lane wrote:
>According to incidents.org, a new worm that infects MS SQL servers
>is currently spreading fast, and it's being used to launch distributed
>denial-of-service attacks against various sites: see
>http://www.incidents.org/diary/diary.php?id=82
>
>The security flaw that the worm exploits is not, um, deep. It seems
>that Microsoft ships MS SQL with a default system-admin account having
>the fixed name "sa" and no password. If that hasn't been changed,
>anyone can do anything they want using the server machine.
>
>While Microsoft's carelessness about security is (justly) infamous,
>I'm not as inclined to say "Redmond is a bunch of bozos" as "there
>but for the grace of God go we". This is a heads-up that security
>issues *do* matter, even for databases.
>
> regards, tom lane
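
The default discussed in this message corresponds to `trust` entries in `pg_hba.conf`. As an added example (not part of the original message and not PostgreSQL's own code), this script flags `trust` rules and reports whether each covers local-socket, loopback or remote clients; the sample file is constructed, uses the current `pg_hba.conf` column layout, and quoted field values are not handled.

```python
import ipaddress

# Constructed sample in the current pg_hba.conf layout (not taken from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   127.0.0.1/32    trust
host    all       all   ::1/128         scram-sha-256
host    sales     app   10.0.0.0/8      trust
hostssl all       all   0.0.0.0/0       md5
"""


def audit_hba(text):
    """Return (line_no, scope, rule) for every rule that authenticates with 'trust'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or not an access rule
        if fields[0] == "local":
            # Unix-socket rule: TYPE DATABASE USER METHOD
            method, scope = fields[3], "local"
        elif fields[0].startswith("host") and len(fields) >= 5:
            addr, method = fields[3], fields[4]
            try:
                # Older form: separate IP and netmask columns before the method.
                ipaddress.ip_address(method)
                addr, method = f"{addr}/{method}", fields[5] if len(fields) > 5 else ""
            except ValueError:
                pass
            try:
                loop = ipaddress.ip_network(addr, strict=False).is_loopback
            except ValueError:
                loop = False  # hostname or keyword: treat conservatively as remote
            scope = "loopback" if loop else "remote"
        else:
            continue
        if method == "trust":
            findings.append((line_no, scope, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for line_no, scope, rule in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: trust auth, {scope} clients: {rule}")
```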
