Arbor Networks knows a thing or two about internet security, as its gear is used by most top-tier ISPs. It runs an interesting internet threat analysis service that I’ve been watching for the past couple of weeks. During this time Microsoft SQL Server has consistently been the top attack target. Not only has SQL Server been a consistent target, it has accounted for over 50% of all attacks.

SQL Server under attack

Now, I don’t want to come across as bashing SQL Server. I am not one of those people who will claim that Microsoft code is less secure than that of its competitors. I don’t think SQL Server is any less secure than, say, Oracle or DB2 (there, I said it). I also have to give Microsoft credit for addressing security issues promptly. Oracle, on the other hand, has not addressed any security vulnerabilities in Oracle XE despite the fact that there are hundreds of known vulnerabilities. I had to uninstall Oracle XE because our network scanners detect back-level Oracle code and Oracle XE does not have any updates.

The SQL Server being attacked here is SQL Server 2000 and MSDE (Microsoft SQL Server Desktop Engine), the previous free database from Microsoft that has since been replaced by SQL Server Express Edition. So the problem is not that Microsoft is releasing SQL Server with security vulnerabilities, or that they don’t fix these vulnerabilities; they do. I think there are two factors at play. First, SQL Server is a very popular product, and that in itself makes it a target. Second, while the fixes may be available, they are not consistently applied by the users of SQL Server. For those who are diligent about maintaining their systems and keeping them up to date, these attacks should not present an issue.

However, if you are an ISV who wants to embed SQL Server as part of your own solution, the popularity of SQL Server can be a troubling thing. By shipping SQL Server as part of your solution you are painting a nice bright target on your software as well. Once the software is installed at your customer’s site, you can count on it being a target for any attacker who can identify that you have SQL Server under the covers. And if they have an exploit that was created after you shipped your product, you will have to figure out how to protect each one of your customers.
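The practical question behind the “fixes exist but are not applied” point is how to find the back-level SQL Server 2000 and MSDE instances in the first place, whether they are your own or ones your product shipped to customers. The script below is an added example, not code from the original post: it takes the string that `SELECT SERVERPROPERTY('ProductVersion')` returns on each instance (how you collect those strings is up to your inventory tooling) and flags every SQL Server 2000 (major version 8) build that is below the SP4 build. The instance names and version strings in the sample inventory are constructed for illustration, and the post-SP4 hotfix build number in it is hypothetical; the service-pack build numbers themselves are the well-known ones for SQL Server 2000, but check them against Microsoft’s published build list before relying on this in production.

```python
"""Flag SQL Server 2000 / MSDE instances whose build is below Service Pack 4.

Added example, not from the original post.  Input is the value of
SELECT SERVERPROPERTY('ProductVersion') from each instance, e.g. '8.00.2039'.
Service-pack builds for SQL Server 2000 (major version 8):
    8.00.194   RTM
    8.00.384   SP1
    8.00.534   SP2
    8.00.760   SP3 / SP3a
    8.00.2039  SP4
Hotfix builds fall between (or after) these base builds.
"""
from __future__ import annotations

import re

SQL2000_MAJOR = 8
SQL2000_BUILDS = {194: "RTM", 384: "SP1", 534: "SP2", 760: "SP3/SP3a", 2039: "SP4"}
SQL2000_LATEST_SP_BUILD = 2039  # anything below this is pre-SP4 and back-level

# '8.00.2039' or '8.00.2039.0' (some tools append a fourth component)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_product_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, build) from a ProductVersion string; ValueError on garbage."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SQL Server ProductVersion: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def service_pack_of(build: int) -> str:
    """Name the highest SQL Server 2000 service pack whose base build is <= build."""
    bases = [b for b in sorted(SQL2000_BUILDS) if b <= build]
    if not bases:
        return "pre-RTM/unknown"
    base = bases[-1]
    name = SQL2000_BUILDS[base]
    return name if base == build else f"{name}+hotfix"


def assess_instance(name: str, product_version: str) -> dict:
    """Classify one instance: is it SQL Server 2000/MSDE, and is it below SP4?"""
    major, _minor, build = parse_product_version(product_version)
    if major != SQL2000_MAJOR:
        return {"instance": name, "version": product_version, "sql2000": False,
                "back_level": False, "note": "not SQL Server 2000/MSDE"}
    return {"instance": name, "version": product_version, "sql2000": True,
            "back_level": build < SQL2000_LATEST_SP_BUILD, "note": service_pack_of(build)}


def back_level_instances(inventory: dict[str, str]) -> list[str]:
    """Sorted names of all SQL Server 2000/MSDE instances that are below SP4."""
    return sorted(n for n, v in inventory.items() if assess_instance(n, v)["back_level"])


# Constructed sample inventory: instance name -> ProductVersion.  Names and the
# 8.00.2055 hotfix build are hypothetical; the others are real service-pack builds.
SAMPLE_INVENTORY = {
    r"APPSRV01\MSDE": "8.00.194",       # MSDE exactly as an ISV installer shipped it
    r"APPSRV02\MSDE": "8.00.760",       # SP3a, still one service pack behind
    "DBSRV01": "8.00.2039",             # SP4
    "DBSRV02": "8.00.2055",             # SP4 plus a post-SP4 hotfix (hypothetical build)
    r"NEWSRV\SQLEXPRESS": "9.00.3042",  # SQL Server 2005 SP2, outside this check's scope
}

if __name__ == "__main__":
    for name, version in SAMPLE_INVENTORY.items():
        r = assess_instance(name, version)
        flag = "BACK-LEVEL" if r["back_level"] else "ok"
        print(f"{name:22} {version:12} {r['note']:20} {flag}")
    print("needs patching:", back_level_instances(SAMPLE_INVENTORY))
```

Feed it the real `ProductVersion` values from your estate and anything reported as `BACK-LEVEL` is a SQL Server 2000 or MSDE instance still running pre-SP4 code. The check only speaks to patch level; whether the instance is also reachable from the network is a separate question that an inventory like this does not answer.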

Popularity has its price!
