Keith Devens .com
Thursday, December 4, 2008

Oliver Tseng (http://http:/www.otweb.com/blog) wrote:
Adam V (http://flangy.com) wrote:
"That the company has SQL servers on the desktop is not surprising, he added. Many of its developers run the database on their PCs, and other test machines have vulnerable databases installed to replicate customer networks. Devenuti didn't know how the worm got into the system to affect those servers, however."
Everyone has a TON of machines in their office; the average for developers is probably above 3, and that's the average. Lots of these will end up being test machines with different OS/software configurations, some of which are used rarely. You'll end up with old machines still connected to the network under a desk, because you got newer machines but never got around to cleaning them off and removing them.
Any one of these umpteen machines on the network is of course a security risk if it hasn't been patched. And configuration testing makes this even more of a nightmare. (You have to patch and recreate your disk images.)
Not that any of this is an excuse, but there are always going to be plenty of people (and not just at Microsoft of course) who need to run server apps for development or testing who aren't admins with a "keep it bulletproof" attitude.
And buffer overrun bugs that allow arbitrary code to execute are going to be around for quite a while too, unfortunately.
The usual vector for virus hits inside companies that are otherwise firewalled is employees hooking up laptops to the corporate network. Like downloading some mail at home in the morning then reading it at lunch--POW! Code Red infection even if your outside firewall blocks attachments.
M. Bean wrote:
I still have to acknowledge the hilarity of Microsoft being hit by an exploit they had a patch already issued to prevent against. Obviously it's going to happen, just on sheer quantity and probability, as Adam points out above, but it's still damn funny. I got a chuckle, at least.

Yeah, I was talking with my brother last night about it. He's in tech support for SQL Server with MS. Pretty funny that MS themselves don't even apply their own patches.