Sysadmins Used Unpatched Voting Server.
Published on: 2007-05-16 (Unix timestamp 1179333843)
It is one of those all too common stories about a few administrators who never patch their systems. In 2006 an electronic voting campaign had to be delayed by a couple of hours because a variant of the SQL Slammer worm spread to the vote-processing servers. I read the incident report on a blog today.
The most frightening thing I read was this:
"The SQL Server 2000 application was completely unpatched. Essentially it was missing five years worth of security updates. Among these updates is a patch for a buffer overflow vulnerability that was exploited by the SQL Slammer worm."
A SQL Server left unpatched for five years, and remember this is a Windows platform, so that means hundreds or maybe thousands of patches to install. How is this possible? Why didn't they patch? I think this happens more often than anyone would like to admit. Personally, I have had accounts with several different web hosts, and none of them bothered to upgrade to new versions of Fedora, Red Hat, or PHP 5.
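Two checks an administrator of that server could have run, added here as an example and not code from the original post or from the incident report it quotes: a build-level check (SQL Server 2000 SP3, build 8.00.760, shipped with the MS02-039 fix; the example assumes any build older than SP3 is exposed) and a simple detection of Slammer-shaped datagrams (UDP port 1434, a 0x04 request, exactly 376 bytes). The packet frames are constructed, the worm-shaped payload is a simplified reconstruction rather than the worm's real bytes, and the check on the run of 0x01 filler bytes is this example's own assumption.

```python
"""Two checks for the Slammer scenario described in the post.

Added illustration, not code from the original post or from the incident
report it quotes.  The packet frames below are constructed samples, not
captured traffic, and the worm-shaped payload is a simplified reconstruction.
"""
import struct

SSRS_PORT = 1434            # SQL Server Resolution Service listens on UDP 1434
SLAMMER_PAYLOAD_LEN = 376   # the worm travels as one 376-byte UDP datagram
# SQL Server 2000 SP3 (build 8.00.760) shipped with the MS02-039 fix.
# Simplifying assumption of this example: anything older than SP3 is exposed.
SP3_BUILD = (8, 0, 760)


def sql2000_has_slammer_fix(product_version: str) -> bool:
    """product_version is what SELECT SERVERPROPERTY('ProductVersion') returns,
    e.g. '8.00.194' (RTM) or '8.00.760' (SP3)."""
    major, minor, build = (int(p) for p in product_version.split(".")[:3])
    return (major, minor, build) >= SP3_BUILD


def parse_ipv4_udp(frame: bytes):
    """Return (dst_ip, dst_port, udp_payload) for a raw IPv4/UDP packet,
    or None when the frame is not IPv4 carrying UDP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:   # IP protocol 17 = UDP
        return None
    dst_ip = ".".join(str(b) for b in frame[16:20])
    _src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + udp_len]
    return dst_ip, dst_port, payload


def looks_like_slammer(dst_port: int, payload: bytes) -> bool:
    """Heuristic signature: SSRS port, 0x04 (instance lookup) request type,
    exactly 376 bytes, and (assumption of this example) a run of 0x01 filler
    bytes.  A legitimate 0x04 lookup is only a few bytes long."""
    return (dst_port == SSRS_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == 0x04
            and payload[1:33] == b"\x01" * 32)


def scan_frames(frames):
    """Return the destination IPs of frames that match the worm signature."""
    hits = []
    for frame in frames:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue
        dst_ip, dst_port, payload = parsed
        if looks_like_slammer(dst_port, payload):
            hits.append(dst_ip)
    return hits


def build_ipv4_udp(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4/UDP frame (checksums left zero) for the samples."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), dst)
    return ip_hdr + udp


# Constructed worm-shaped payload: 0x04 type byte, a 0x01 filler run, then
# stand-ins for the code and the "sock"/"send" strings, padded to 376 bytes.
_worm_like = b"\x04" + b"\x01" * 97 + b"\x90" * 16 + b"sock" + b"send"
WORM_LIKE_PAYLOAD = _worm_like + b"\x00" * (SLAMMER_PAYLOAD_LEN - len(_worm_like))

SAMPLE_FRAMES = [  # constructed sample traffic
    build_ipv4_udp("192.0.2.10", SSRS_PORT, b"\x04MSSQLSERVER\x00"),  # normal lookup
    build_ipv4_udp("192.0.2.10", SSRS_PORT, b"\x02"),                 # browser ping
    build_ipv4_udp("192.0.2.11", SSRS_PORT, WORM_LIKE_PAYLOAD),       # worm-shaped
    build_ipv4_udp("192.0.2.12", 53, WORM_LIKE_PAYLOAD),              # wrong port
]

if __name__ == "__main__":
    print("worm-shaped datagrams aimed at:", scan_frames(SAMPLE_FRAMES))
    for v in ("8.00.194", "8.00.760", "8.00.2039"):
        print(v, "patched" if sql2000_has_slammer_fix(v) else "EXPOSED")
```

The version string is what `SELECT SERVERPROPERTY('ProductVersion')` returns on a live instance; on a real network the frames would come from a capture instead of the constructed list. Blocking UDP port 1434 at the perimeter was the standard stopgap for Slammer, which is worth keeping in mind given the remark below about staring at the firewall.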
Of course they have better things to do than reinstall or patch everything. Patching can mean downtime, angry customers and headaches. They don't really care about the version of Apache or SQL Server, and they don't see the risk of SQL injection. It seems that all they ever do is stare at the firewall, thinking that the action is happening over there. Well, as we know, they are missing out. (Slammer itself was not injection: it exploited a buffer overflow in the SQL Server Resolution Service, reachable on UDP port 1434, a port that the firewall crowd could actually have blocked.) Hardware and network people are missing the boat when it comes to the web-application layer, which becomes more dangerous every single day. Still, we depend on their patch schedule when we buy hosting.
When are they going to learn that patching is important?