Critical update for HyperLab 2002 systems - February 2003

A "critical" vulnerability has been identified in Microsoft SQL Server. Because HyperLab uses this database management system, it is highly recommended that you immediately update Microsoft SQL Server to the latest version.

SA0301 - Critical Security Fix for Microsoft SQL Server

Problem identifier: "Slammer" worm vulnerability
Problem level: CRITICAL. MUST BE IMMEDIATELY FIXED.
Related products: All HyperLab 2002 versions
Related components: Microsoft Database Engine

Description

Microsoft Database Engine (MSDE, a special version of Microsoft SQL Server that is shipped with HyperLab) has a critical security hole if it has not been upgraded to at least MSSQL Service Pack 2 (SP2). If you run an unpatched version of MSDE 2000 on a network without a properly configured firewall, any attacker on the Internet can use your machine to attack other computers, generating a huge amount of network traffic and infecting other vulnerable MSSQL servers. No user data loss or file corruption occurs as a result, but networks may become practically unusable due to the increased network traffic.

Recommended actions

  • Immediately apply Microsoft's MSDE security patch. The patch against the Slammer worm is incorporated into a wizard, which may also be downloaded from our website. Click here to start downloading the MSDE Critical Update Wizard (11.1 MB). After the download, double-click the file and follow the installation instructions. You can also review the Readme file for this wizard.
  • Install and configure an advanced Internet firewall that prevents any unauthorized access to your computer from the Internet. Windows XP's standard firewall is also acceptable.

Please note that you may decide to apply MSDE Service Pack 3 (SP3) instead. The SP3 package may be downloaded from our website as a ZIP file (33 MB). When you have downloaded it, unpack it into an empty folder and run the Apply_HyperLab_MSDE_Patch.bat file. This will also protect your MSDE installation against the Slammer worm.

After installing the SP3 update, MSDE requires you to specify a non-blank password for the "sa" (administrator) database user.
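
Added example, not part of the original advisory: a small Python check that looks through firewall log lines for the behaviour the Description warns about, a machine sending SQL Server traffic to many other computers. It assumes the worm's traffic goes to UDP port 1434 (the SQL Server Resolution Service port, which this page does not state); the log format, the threshold and all addresses are constructed for illustration.

```python
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434  # assumption: UDP port of the SQL Server Resolution Service
FANOUT_THRESHOLD = 5        # assumption: distinct destinations before a source is flagged

# Constructed sample log, one packet per line: timestamp proto src dst dst_port
SAMPLE_LOG = """\
2003-02-01T09:00:01 UDP 192.168.1.20 198.51.100.7 1434
2003-02-01T09:00:01 UDP 192.168.1.20 203.0.113.88 1434
2003-02-01T09:00:01 UDP 192.168.1.20 192.0.2.14 1434
2003-02-01T09:00:02 UDP 192.168.1.20 198.51.100.201 1434
2003-02-01T09:00:02 UDP 192.168.1.20 203.0.113.5 1434
2003-02-01T09:00:02 UDP 192.168.1.20 192.0.2.77 1434
2003-02-01T09:00:03 UDP 192.168.1.31 192.168.1.10 1434
2003-02-01T09:00:04 TCP 192.168.1.31 192.168.1.10 1433
2003-02-01T09:00:05 UDP 192.168.1.31 192.168.1.1 53
truncated line
"""

def parse_line(line):
    """Return (proto, src, dst, port), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _, proto, src, dst, port = parts
    return proto.upper(), src, dst, int(port)

def find_scanners(log_text, threshold=FANOUT_THRESHOLD):
    """Map each source that sent UDP/1434 to >= threshold distinct hosts to that count."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, port = rec
        # A normal client talks to one or two servers; an infected host sprays many.
        if proto == "UDP" and port == SQL_RESOLUTION_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src} sent UDP/1434 to {count} distinct hosts: check its MSDE patch level")
```

A machine flagged by this check should be taken off the network and patched as described under Recommended actions.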

Related information