bit-tech.net

SQL Server on security alert


The security flaw discovered in Microsoft's SQL Server is severe enough that it could lead to another Slammer worm if left unpatched.

Microsoft is currently investigating what appears to be a rather worrying remotely executable exploit for its SQL Server database product, similar to that which spawned the Slammer worm back in 2003.

An advisory posted to the company's TechNet site on Monday gave details of an investigation into “new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (Wyukon).”

According to CNet, the flaw being scrutinised is the same one published by Bernhard Mueller of the SEC Consult Vulnerability Lab on the 4th of December. In the vulnerability disclosure, Mueller reveals that Microsoft has known about the issue since April this year, and has a fix which “has been completed[, but] the release schedule for this fix is currently unknown.”

It's something Microsoft will want to get out of the door as soon as possible: Mueller included test exploit code as part of his disclosure, which makes it a lot easier for an attacker to start hunting down vulnerable systems. Thankfully, the issue is somewhat mitigated by the presence of an unofficial workaround: as a database administrator, execute the SQL statement “execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'” to block the hole.

With similar remotely executable holes in Microsoft's SQL Server having been used to spread rather nasty worms in the past, the company will no doubt be hoping that it can get a patch tested and made available before something really nasty gets through.

Do we have any database admins reading who are sick of the number of security bulletins Microsoft seems to issue for SQL Server, or is it the best of a bad bunch? Share your thoughts over in the forums.

3 Comments

sfrigard 24th December 2008, 14:33
I am a DBA and find the comments at the end of this article nothing short of flame baiting. According to Secunia, SQL Server 2005 has had only three advisories. The current advisory requires a user to successfully log on to SQL Server in order to exploit. You mention that there is an unofficial workaround requiring the dropping of the extended procedure. You fail to mention that installing Service Pack 3 for SQL Server also resolves this issue. Please, do your research next time.
n3mo 24th December 2008, 17:22
This way or another working with SQL Server was the worst time of my life, a real pain in the ass. Only worse thing I can think of is Oracle.
Firehed 24th December 2008, 23:05
I hate working with SQL Server, but more often than not any SQL security issues are much more related to interacting with the DB at the app level than the server itself (not sanitizing user-provided data, etc).