Archive for November 15th, 2007

Famous Hacker Reveals Security Flaws in Oracle, SQL Servers

A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.

Today we link up with another ZDNet blog, this one written by Ryan Naraine and outlining yesterday’s disturbing story about a well-known hacker’s revelation that 492,000 Oracle and SQL servers are unprotected.

The number is alarming considering recent efforts to better secure such servers via improved firewall protection, among other measures.

Of the SQL Servers found, more than 80% were running SQL Server 2000; of those, only 46% were running Service Pack 4, the most recent, while the remainder were running Service Pack 3a or earlier. “Indeed, 4% were found to be completely unpatched and are vulnerable to the flaw exploited by the Slammer worm as well as an authentication flaw known as the ‘Hello bug’,” Litchfield added. …

“These findings represent a significant risk: whilst it’s not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information,” he warned.

Read the real deal here.