Nearly a half million Oracle and Microsoft SQL database servers could be vulnerable to attack because they are not protected by a firewall and the majority do not have the most recent patches, security researcher David Litchfield told reporters this week.
The estimate is based on a survey of 1,160,000 Internet addresses that extrapolated the results to the Internet at large, according to the ZDNet Zero Day blog. The survey found that 157 Microsoft SQL servers and 53 Oracle servers were not protected by firewalls and used estimates of the Internet's size to calculate that some 368,000 Microsoft SQL servers and 124,000 Oracle servers are open to remote attack, according to an article in PC World.
At least 82 percent of the Microsoft SQL servers were running an older version of the operating system, while 13 percent of the Oracle servers were versions no longer supported by the software maker, the study found.
"I think it's terrible," Litchfield told PCWorld. "We all run around like headless chickens following these data breach headlines (but) organizations out there really don't care."
Both Microsoft and Oracle databases have been targeted in the past by flaw finders, including Litchfield. In 2003, the Slammer worm, which attacked Microsoft SQL Server software, compromised hundreds of thousands of systems, including computers at the Davis-Besse nuclear plant in Ohio. Litchfield and other researchers have criticized Oracle for its perceived slow pace of patching. In 2006, plans for a month dedicated to disclosing Oracle bugs were scuttled.
In 2005, Litchfield published a survey that found approximately 140,000 unprotected Oracle servers and 210,000 unprotected Microsoft servers. Litchfield plans to release the latest study on his Web site on Monday.
Posted by: Robert Lemos