In his most recent publication (“The Database Exposure Survey 2007”, November 12, 2007), David Litchfield surveyed how many database servers on the Internet are listening on their default TCP ports without being protected by a firewall. According to the survey, 157 SQL Servers and 53 Oracle Servers were found. Below are the key findings as reported in his survey.
• 4% of the SQL Server systems were found to be completely unpatched.
• 66% of the Oracle Server systems were running versions known to be affected by critical vulnerabilities.
For me the real problem is not that so many servers are directly connected to the Internet (perhaps, or hopefully, there is a good reason for that), but if I exposed those machines directly to the Internet, I would at least keep them up to date!