Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft confirms critical SQL Server vulnerability

By | December 22, 2008, 5:00pm PST

Microsoft late Monday issued a pre-patch advisory confirming a remote code execution vulnerability affecting its SQL Server line.

The vulnerability, publicly disclosed with exploit code more than two weeks ago, affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

From the advisory:

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.

The vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate, Microsoft explained.

A T-SQL script is available to test systems for this issue. In the absence of a patch, Microsoft recommends that SQL Server admins deny permissions on the sp_replwritetovarbin extended stored procedure. See more in the Microsoft advisory.
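
The workaround described above, sketched as an added T-SQL example (this is not Microsoft's test script and not text from the advisory). It assumes SQL Server 2005 catalog views and a sysadmin login; SQL Server 2000 and MSDE 2000 keep permissions in different system tables, so the two queries would need adapting there.

```sql
-- Added example: assumes SQL Server 2005 and a sysadmin login.
USE master;
GO

-- 1. Record the explicit permissions currently set on the procedure,
--    so the original state can be restored once a patch is installed.
SELECT pr.name AS principal_name,
       pe.state_desc,            -- GRANT or DENY
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1               -- object-level permission
  AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin');
GO

-- 2. Apply the workaround: deny EXECUTE to the public role.
--    Every database user is a member of public, and DENY takes
--    precedence over GRANT, so this covers all non-sysadmin principals.
--    Members of sysadmin bypass permission checks and are NOT restricted.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify that the DENY row now exists; fail loudly if it does not.
IF EXISTS (
    SELECT 1
    FROM sys.database_permissions AS pe
    JOIN sys.database_principals  AS pr
      ON pr.principal_id = pe.grantee_principal_id
    WHERE pe.class = 1
      AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin')
      AND pr.name = N'public'
      AND pe.permission_name = N'EXECUTE'
      AND pe.state_desc = N'DENY'
)
    PRINT 'OK: EXECUTE on sp_replwritetovarbin is denied to public.';
ELSE
    RAISERROR('DENY on sp_replwritetovarbin is not in place.', 16, 1);
GO
```

Because the article notes that the flaw is reachable through SQL injection in an application that authenticates, the account that application uses should not be a sysadmin member, or the DENY has no effect for it.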

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

16 Comments

Wrong logo?
LBiege 22nd Dec 2008
That logo at the start of the article is for Sql Server 2008 while it's not on the list affected by the vulnerability.
0 Votes
The correct logo should be a sieve.
V@... Updated - 23rd Dec 2008
2009 New Year's resolution:
getting off the bug-ridden gravy train
0 Votes
OSS is good software and just because it has bugs doesn't make it worse than any other software. My recommendation would be to stay with it.
0 Votes
That's what it is like when switching from M$ solutions into something else like MySql, PostGRE and so on.
0 Votes
I had quite the opposite experience...
storm14k Updated - 23rd Dec 2008
...*shrugs* As a matter of fact I'm pretty close to suggesting that we start bringing in MySQL for new projects that are database agnostic and eventually move the others as well. Too many problems crop up with SQL server....far more than I have ever had with a MySQL environment.
0 Votes
Good one
Chad_z 23rd Dec 2008
I've used both MySQL and SQL Server and after a bit of transition adjustment, I greatly prefer MySQL.

Did miss Enterprise Mangler a little. Some things are easier to do in a visual environment and I don't count phpmyadmin as a visual environment. It's more like a visual crutch for people who can't deal with a command line.

But as far as transactional scalability goes, MySQL rocks. It's very powerful.

SQL Server used to be a great product until MS started jacking the license fees and charging for CALS on top of that. Clustering a SQL Server environment is a spendy proposition these days. License fees for the OS it runs on, more license fees for the product, CALS, anti-virus subscriptions, and you can double all that plus the cost of clustering software if you need more than one.

I'm a little nervous about Sun being involved with MySQL. Not sure I trust them not to muck it up. But it's still better than dancing on Microsoft's string.

Pay no attention to Ye/No_Ax/Bit_Byte or whatever name he goes by these days. He's never actually worked in both environments, despite his claim to the contrary. Otherwise he wouldn't run down MySQL. It's a great product.
0 Votes
Anti-OSS Trolls
V@... 23rd Dec 2008
haven't a clue how to get the most out of OSS.


I certainly wouldn't expect a bug to survive 9 years in the open-source community.
0 Votes
At least by 2003 ...
LBiege Updated - 23rd Dec 2008
Sql Server provided transactions, stored procs and a whole host of stuff MySql cannot do.

And security? What security? let's see: Sql Server is C2 certificated way back in Sql Server 2000 days. When is MySql C2 certified if ever at all? Now let's talk about security, shall we? LOL.

When it comes to quality, you don't put MySql in one sentence with Sql Server. That simple. But just about every time I mention it, some FOSS koolaid addict pulls his head out of sand telling me he doesn't need those features MySql lack of. Hmmm, I figured FOSS software was supposed to match or surpass the proprietary ones. Anyway, fine, just keep the head down there please.
0 Votes
And...
zkiwi 23rd Dec 2008
With such critical flaws as have been demonstrated, you've got a bit of gall claiming it's secure (as in C2 or whatever). That combined with the other "access point" called Windows, well... security has never really been that high on Microsoft's priority list. Things are changing, but imho it's time for them to "start again" and scrap their existing code-base.

That being said, you've also clearly never heard the phrase "horses for courses." mySQL has its place, as do other products that are out there.
0 Votes
Oh yeah, that's right. The article was about an actively exploited security bug. I guess if you're willing to spend enough money you can get any product C2 certified.
0 Votes
C2 Certification
8string 24th Dec 2008
Well, since you brought it up and I was curious, I just reread the criteria overview, and it's not about anything more than having features that an admin could implement if they wanted. It doesn't really say anything about bugs in the software, probably because all software has bugs. Did I miss something in the criteria?

But, according to http://www.commoncriteriaportal.org/products_DB.html#DB it appears that they, Oracle and many others are C2 certified. I don't know that any of these db's are any 'more secure' than any other db given the nature of the C2 certification, unless you buy into Oracle's old marketing bs of being "unbreakable".

It's interesting though, that you would even bring up C2, as multiple searches in Google would have you think that no one has written much of anything on C2 since about 2005. It's like most people have forgotten about C2, other than a checkoff item on government bids.

How about you, since you brought it up? Do you actually configure your databases for C2 compliance?
0 Votes
I'm amazed to learn that MySQL can't do stored procedures. I guess that all the code we've been rolling out over the last 12 months can't possibly be working happy

I agree that the FL/OSS community tends to trail the commercial software community by often several years, however, I disagree with the idea that FL/OSS "was supposed to match or surpass the proprietary ones."

In my view, the FL/OSS solution has to provide ADEQUATE functionality at a lower total cost... I don't care whether it has X, Y, or Z - I do care whether it does the job or not.

And, for the record, I have different clients both using, and installing, new database servers on both MySQL and MS*SQL - in some cases, one was a clear winner, in others, either would have done the job.


As an aside, comments like "let's talk about security LOL" don't actually cut it when making architectural decisions that might involve hundreds of thousands of pounds of licencing costs. Looking at a security classification a previous version of a product received 8 years ago isn't the way we carry out security reviews.
0 Votes
Is this another MS Con?
C2 refers to a security profile that meets criteria under the superseded Orange Book (TCSEC). These days, it is more informative to refer to Common Criteria (ISO/IEC 15408) or to FIPS 140 certification. Example: CAPP/EAL3

The general usage is that a specific system or product (known as the "Target of Evaluation" or TOE) has been "evaluated" using standard criteria and processes. Evaluation and certification can be expensive: read millions of dollars and several years for each specific case. Even more important is which body provided the certification.

What the Orange Book C2 means is "when it's in an approved configuration the system can be made to be C2-compliant." A C2 certification says that the system installed at location X does meet the C2 requirements: implementation specific. MS shouldn't(!) make the system compliant for you (unless you trust them completely ...).

What does C2 really mean? It means that the system has not been verified to B or A security requirements. Class C provides access control based on data-owner determined permissions. Subclass C1 provides basic features, including passwords, access control, formal quality assurance, and basic documentation. Subclass C2 adds requirements such as audit capability. Many systems today meet C2 criteria. So, making the general statement that it's C2 "certificated" doesn't really count for much since it does not refer to any specific implementation. The key is not just pointing out an evaluated system but citing a specific implementation/configuration of a useful evaluated system.

For an example certificate see:
http://www.niap-ccevs.org/cc-scheme/st/st_vid4019-ci.pdf

Note that this certificate is for a product that uses MySQL:
http://www.niap-ccevs.org/cc-scheme/st/vid4019/

An informative article:
http://www.gcn.com/print/26_21/44857-1.html
0 Votes