Old Backdoors never die

ziggy on 2002-05-21T23:16:12

A new SQL Server worm is making the rounds. The 'sploit? SQL Server installations that never set a password for the sa account. It hearkens back to the days of VAXen that shipped with three accounts: SYSTEM/MANAGER, FIELD/SERVICE and USER/USER. Given the raw power of the SYSTEM account, it's surprising that many sites never reset the password from MANAGER. It's at least as stupefying that SQL Server admins aren't setting any password for the DBA account...


Even lamer...

lachoy on 2002-05-22T00:04:23

that the system is set up without an sa password in the first place...