SQL Slammer Update - 1/31/03

  • From MS:

    This paragraph appears below and is important to note:

    PLEASE NOTE: The security patches described in MS02-039, MS02-043, MS02-056 and the original release of the security patch described in MS02-061 (released on October 16, 2002) do not contain the Q317748 QFE fix that was subsequently discovered to be required to ensure normal operation of SQL Server. If you have applied any of these security patches and decide to apply the patch from Knowledge Base article Q317748 you must answer "no" if prompted to overwrite files to ensure that you do not overwrite files from the security patch. The re-released security patch for Microsoft Security Bulletin MS02-061 (released on January 26, 2003) includes the Q317748 QFE fix, and if you have installed this re-released patch, no action is required.

    Full Alert:

    PSS Security Response Team Alert - Update3: W32.Slammer

    UPDATED: January 31, 2003

    SEVERITY: IMPORTANT

    DATE: January 31, 2003

    PRODUCTS AFFECTED: SQL Server 2000 Evaluation Edition, SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Server Desktop Engine Version (MSDE) 2000 RTM, MSDE 2000 SP1, MSDE 2000 SP2, and all applications that install MSDE 2000 RTM, SP1 or SP2. A list is provided in the following link:

    http://www.microsoft.com/technet/security/MSDEapps.asp

    WHAT IS IT?

    The PSS Security Response Team is issuing this alert to inform customers about the W32.Slammer worm, which is currently spreading in the wild. You are not at risk unless you are running one of the above listed products, including any Microsoft products that include and install MSDE 2000. Customers are advised to review this information and take the appropriate action for their environments.

    This alert is primarily focused at business customers.

    IMPACT OF ATTACK: Denial of Service

    TECHNICAL DETAILS:

    W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microsoft Security Bulletin MS02-039. This bulletin was first available on July 24, 2002.

    This worm is designed to propagate, but does not appear to contain any additional payload.

    Please contact your Antivirus Vendor for additional details on this worm.

    PREVENTION:

    This worm utilizes a previously-announced vulnerability as part of its infection method. The vulnerability used by the worm to infect machines is discussed at:

    http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

    Depending on which product customers are using there may be different methods Microsoft recommends to secure your product. These are listed below:

    Microsoft SQL Server 2000 Evaluation Edition, RTM and SP1 or MSDE 2000 RTM and SP1:

    In this configuration Microsoft recommends that customers secure their machines against the W32.Slammer virus using the SQL Server 2000 Security Tools. Information on these tools can be found here:

    http://www.microsoft.com/sql/downloads/securitytools.asp

    However, Microsoft strongly recommends that customers upgrade to SQL Server 2000 Service Pack 3 or MSDE 2000 SP3 as soon as possible. Information on Service Pack 3 can be found here:

    http://www.microsoft.com/sql/downloads/2000/sp3.asp

    SQL Server 2000 SP2 or MSDE 2000 SP2:

    If a customer has previously successfully installed Microsoft Security Bulletin MS02-039, MS02-043, MS02-056, or MS02-061 they are not vulnerable to infection from the W32.Slammer worm.

    If customers have not successfully applied the patches from any of above mentioned security bulletins then Microsoft recommends customers take one of two actions:

    Microsoft strongly recommends that customers consider upgrading to SQL Server 2000 Service Pack 3 which contains all the latest fixes for SQL Server 2000. As always, customers should thoroughly test SP3 before installation. Customers using MSDE 2000 should consult this page for instructions on how to upgrade their particular versions of MSDE 2000:

    http://www.microsoft.com/technet/security/MSDEapps.asp

    (Microsoft is updating this page with instructions for each application as they are provided for each product listed)

    Install the most recent cumulative security patch for SQL Server 2000 which is Microsoft Security Bulletin MS02-061 (which will also patch MSDE 2000), and which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS02-039. MS02-061 can be found at:

    http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

    Due to support issues with certain configurations, customers should install the patch for Microsoft Security Bulletin MS02-061 using the following instructions:

    If you are running Windows NT 4.0 Server Service Pack 6a, install the patch referenced in Microsoft Knowledge Base article Q258437. The Microsoft Knowledge Base can be found at http://support.microsoft.com

    Install the security patch associated with Microsoft Security Bulletin MS02-061.

    http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

    Users can verify installation of this patch by verifying the following files are at version 8.00.568:

    ssmslpcn.dll

    dbmslpcn.dll

    The following file should be at version 8.00.679:

    ssnetlib.dll

    Automated Deployment of Microsoft Security Bulletin MS02-061:

    Customers wishing to automate the deployment of Microsoft Security Bulletin MS02-061 should consider using the SQL Server 2000 Security Tools. Information on these tools can be found here:

    http://www.microsoft.com/sql/downloads/securitytools.asp

    If you cannot apply any of these patches immediately, the following options can limit propagation of the worm:

    Block UDP port 1434 inbound and outbound traffic at your firewalls.

    You may also block UDP port 1434 inbound traffic on your SQL Server 2000 Servers or MSDE 2000. Following this instruction may result in support issues as this port performs name resolution.

    RECOVERY:

    Microsoft recommends customers infected by W32.Slammer utilize one of the following methods to remove the worm from the infected machines:

    Automated Removal:

    SQL Server 2000 Security Tools can remove the virus from an infected machine and patch it against future infection. Information on these tools can be found here:

    http://www.microsoft.com/sql/downloads/securitytools.asp

    Manual Removal:

    1. Set the SQL Server Service to Manual.

    2. Reboot the infected machine.

    3. Follow the instructions above in the PREVENTION section regarding how to patch your machine given a particular scenario.

    4. Set the SQL Server Service to Automatic.

    If you need further assistance regarding this worm, please contact Microsoft Product Support Services, or your preferred antivirus vendor.

    RELATED KB ARTICLES:

    http://support.microsoft.com?kbid=813440

    An updated article will be made available within 24 hours.

    RELATED MICROSOFT SECURITY BULLETINS:

    Microsoft recommends customers install the re-released cumulative security patch for SQL Server 2000, which includes the fixes for the vulnerabilities that were announced in Microsoft Security Bulletin MS02-039, to protect against infection by the W32.Slammer worm. The patch can be found here:

    http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

    Customers who have previously successfully installed the patches for Microsoft Security Bulletin MS02-039, MS02-043, MS02-056, MS02-061 are safe from infection by the W32.Slammer worm.

    http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

    http://www.microsoft.com/technet/security/bulletin/MS02-043.asp

    http://www.microsoft.com/technet/security/bulletin/MS02-056.asp

    http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

    PLEASE NOTE: The security patches described in MS02-039, MS02-043, MS02-056 and the original release of the security patch described in MS02-061 (released on October 16, 2002) do not contain the Q317748 QFE fix that was subsequently discovered to be required to ensure normal operation of SQL Server. If you have applied any of these security patches and decide to apply the patch from Knowledge Base article Q317748 you must answer "no" if prompted to overwrite files to ensure that you do not overwrite files from the security patch. The re-released security patch for Microsoft Security Bulletin MS02-061 (released on January 26, 2003) includes the Q317748 QFE fix, and if you have installed this re-released patch, no action is required.

    ADDITIONAL INFORMATION

    Microsoft recommends customers upgrade to Microsoft SQL Server 2000 SP3 or MSDE 2000 SP3 which includes the patch associated with Microsoft Security Bulletin MS02-061. As always, customers should thoroughly test SP3 before installation.

    Customers using MSDE 2000 should consult this page for instructions on how to upgrade their particular versions of MSDE 2000:

    http://www.microsoft.com/technet/security/MSDEapps.asp

    (Microsoft is updating this page with instructions for each application as they are provided for each product listed)

    Customers with Application Center 2000 should follow the instructions in the following Knowledge Base Article for installation of the updated patch:

    http://support.microsoft.com?kbid=813115

    Customers using .NET Framework SDK version 1.0 should follow the instructions in the following Knowledge Base Article to upgrade .NET Framework SDK version 1.0 to MSDE SP3:

    http://msdn.microsoft.com/netframework/downloads/updates/sdkfix/default.asp

    As always, please make sure to enable a firewall and use the latest Anti-Virus detection from your Anti-Virus vendor to prevent and detect new viruses and their variants.

    If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US, please contact your local Microsoft Subsidiary.

    PSS Security Response Team

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net
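The file-version check the alert gives for MS02-061 (ssmslpcn.dll and dbmslpcn.dll at 8.00.568, ssnetlib.dll at 8.00.679) can be run across a collected inventory. This is an added example, not part of the original post or of Microsoft's tools. The host names and reported versions are constructed, and it assumes the inventory reports versions in the alert's "8.00.NNN" form.

```python
# Added example: compare collected DLL versions with the values in the alert.
EXPECTED = {  # file name -> version stated in the alert for MS02-061
    "ssmslpcn.dll": "8.00.568",
    "dbmslpcn.dll": "8.00.568",
    "ssnetlib.dll": "8.00.679",
}

def parse_version(text):
    """Turn '8.00.568' into (8, 0, 568) so fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def compare_file(name, reported):
    """Return 'missing', 'below', 'match' or 'newer' for one file."""
    if reported is None:
        return "missing"
    have, want = parse_version(reported), parse_version(EXPECTED[name])
    width = max(len(have), len(want))  # pad so 8.00.568 equals 8.00.568.0
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    if have < want:
        return "below"
    return "match" if have == want else "newer"

def classify_host(files):
    """'verified' only when every file is at the version the alert states."""
    results = {n: compare_file(n, files.get(n)) for n in EXPECTED}
    states = set(results.values())
    if states & {"missing", "below"}:
        return "not verified", results
    # The alert gives no values for later builds, so flag those for a person.
    return ("review" if "newer" in states else "verified"), results

# Constructed inventory (hypothetical hosts and version values).
INVENTORY = {
    "sql-a": {"ssmslpcn.dll": "8.00.568", "dbmslpcn.dll": "8.00.568",
              "ssnetlib.dll": "8.00.679"},
    # '8.00.96' sorts after '8.00.679' as text but is lower numerically.
    "sql-b": {"ssmslpcn.dll": "8.00.568", "dbmslpcn.dll": "8.00.568",
              "ssnetlib.dll": "8.00.96"},
    "sql-c": {"ssmslpcn.dll": "8.00.568", "dbmslpcn.dll": "8.00.568"},
    "sql-d": {"ssmslpcn.dll": "8.00.760", "dbmslpcn.dll": "8.00.760",
              "ssnetlib.dll": "8.00.760"},
}

if __name__ == "__main__":
    for host, files in INVENTORY.items():
        verdict, detail = classify_host(files)
        print(host, verdict, detail)
```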
