Open source database software maker MySQL AB warned its users to tighten security Thursday, after news broke about a new Internet worm that targets the popular relational database, according to a company executive. The company is looking at making bigger changes to harden its product against future attacks, the executive said.
After spending much of Thursday reaching out to its users about how to protect themselves from the new threat, a version of the Forbot network worm, the company said it is working on bigger security fixes, including automatic update features that can push out software changes, and improvements to the default installation that will make the product harder to crack in the future, said Zack Urlocker, vice president of marketing at MySQL AB.
The actions come one day after a new version of the Forbot network worm, Forbot-DY, began infecting Microsoft Windows machines running MySQL. The worm, which also has Trojan horse features, infects machines by breaking into the default administrator (or "root") account password. With access to the MySQL root account, Forbot was programmed to use a recently-discovered exploit called the MySQL UDF Dynamic Library Exploit to upload and install malicious code to the infected system.
At the height of the outbreak Thursday, more than 8,000 MySQL machines were believed to be infected with Forbot, according to Johannes Ullrich at The SANS Institute's Internet Storm Center.
The worm took advantage of people who left their MySQL server unsecured, but also benefitted from features designed to make MySQL easy to install and use, said Urlocker. "In the past, our goal was to have MySQL up and running 15 minutes," he said.
For example, the default root account password is blank. MySQL also allows users to log in as root remotely by default, a feature that was integral to Forbot-DY's spread, according to security experts.
In the wake of the worm, MySQL is revaluating whether security should trump convenience in future releases, Urlocker said. "If we need stricter passwords or services out of the box to help people monitor (security) issues, we'll look at that," Urlocker said.
The company has been working on an automatic software update feature that could push out patches for security vulnerabilities for around nine months. MySQL may also shut off the remote access feature by default, rather than have it enabled, he said.
However, Urlocker defended the company's stance on security, saying that MySQL added a feature in its recent 4.1 software release that prompts users to change the default root password during installation, he said.
For now, however, MySQL is still trying to spread the word to its customers about the new worm and get them to take precautions to protect themselves, such as changing the root account password, installing a firewall and preventing remote access to MySQL servers.
Companies should consider inventorying their network to make sure they aren't using vulnerable machines, even if they don't believe they are running MySQL, said Eric Gonzales, co-founder of Application Security. "We've seen MySQL used as the backend on lots of applications, including backup and trading systems. And people don't really know its there," he said.
The powerful database software is free to download, which makes it more likely that employees may have loaded a copy on their desktop or laptop computers to tinker with, and then forgotten about it, Gonzales said. In addition to inventorying all MySQL installations, administrators should monitor their IDS (intrusion detection systems) for suspect MySQL traffic on port 3306, he said.