bradchoate.com

Ok, it's been 20+ hours since the Microsoft SQL Server worm went active as reported here on Slashdot. This worm takes advantage of an exploit that was publicized last July by NGSSoftware. Fortunately, Microsoft has a service pack for it -- Service Pack 3 specifically. Which just happened to be released last week. Timely.

Now you'd think Microsoft would have something to say to their customers about all this, since an exploit in their software practically brought the Internet to its knees. But the Microsoft home page says nothing about it. They're too busy touting a new game they've made, tips on how to get your customer's email address and ironically, a whitepaper on how to build and configure more secure web sites. Even their Microsoft Security and Privacy site says nothing about the SQL Server worm.

Maybe they think if they just ignore it, it will go away. Or perhaps they feel that since the service pack is out there, shame on you for not installing it. Well, while those of you that have been afflicted with this worm install the service pack, you can read Bill's report: "Security in a Connected World".

Dave Winer is tickled pink that the independent web documented all this faster and better than the traditional media did. But it's sad that Microsoft hasn't written a word about it -- at least so far as I've seen anyway. And as some of the Slashdot readers have already asked -- why isn't SQL Server supported by Windows Update? They have a pretty good software update system in place for Windows (which SQL Server requires naturally), but they only use it for Windows itself. Why not all the other installed Microsoft products. What a waste. There are tons of Microsoft patches to install -- the least they can do is make it easier to stay current.