“Microsoft’s policy of relying on software patches to fix major security flaws was questioned Monday after a series of internal e-mails revealed that the software giant’s own network wasn’t immune from a worm that struck the Internet last weekend.
The messages seen by CNET News.com portray a company struggling with a massive infection by the SQL Slammer worm, which inundated many corporate networks Saturday with steady streams of data that downed Internet connections and clogged bandwidth.
‘All apps and services are potentially affected and performance is sporadic at best,’ Mike Carlson, director of data center operations for Microsoft’s Information Technology Group, stated in an e-mail sent at 8:04 a.m. PST Saturday to other members of Microsoft’s operations groups. ‘The network is essentially flooded with traffic, making it difficult to gather details concerning the impact.’
The messages put Microsoft in an awkward position: The company relies on customers to patch security flaws but the events of last weekend show that even it is vulnerable. In this case, Microsoft urged customers to fix a vulnerability in the SQL Server 2000 software, but it apparently hadn’t taken its own advice. Moreover, despite its 1-year-old security push, the software giant still had critical servers vulnerable to Internet attacks.
‘This shows that the notion of patching doesn’t work,’ said Bruce Schneier, chief technology officer for network protection firm Counterpane Internet Security. ‘Publicly, they are saying it’s not our fault, because you should have patched. But Microsoft’s own actions show that you can’t reasonably expect people to be able to keep up with patches,'” reports Robert Lemos for CNET News.com. Full story here.