SQL Server’s Security Fix Not Released
by Joel Borhart on December 23rd, 2008 at 1:33 pm EDT - 186 views
On April 17, 2008, an Austrian security company called SEC Consult found a bug in Microsoft's SQL Server database program. SQL Server is a database server that runs on any Windows machine it is installed on, and it is commonly used as the back end for Internet web applications. After reporting the problem to Microsoft, SEC Consult published the flaw and the exploit code two weeks ago, hoping to prompt quicker action from Microsoft. In response, a Microsoft spokesman, Bill Sisk, said this on Monday: “We are aware that exploit code has been published on the Internet. However, we are not aware of any attacks attempting to use the reported vulnerability.”
The bug in SQL Server is a heap-based buffer overflow in the sp_replwritetovarbin extended stored procedure, and it can lead to the server being taken over: code supplied by the attacker runs with the privileges of the SQL Server service. The attacker needs a database login to call the procedure, so the realistic path in is an SQL injection flaw in a web application that talks to the database. SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) are the versions that are at risk. SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008 are not affected.
If you are using a vulnerable version of SQL Server, Microsoft has posted a workaround for the problem. Denying execute permission on the sp_replwritetovarbin extended stored procedure should keep you safe until the patch is released.
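The T-SQL below is an added example, not code from the original post or from SEC Consult. The DENY statement is the workaround Microsoft gives in Security Advisory 961040; the version query and the two verification queries around it are my own additions so you can confirm which build you are on and that the permission actually took effect.

```sql
-- Added example (not from the original post): apply the advisory 961040
-- workaround on a vulnerable instance and verify it.
USE master;
GO

-- Report the build first so you can compare it with the affected list
-- (2000, 2005 before SP3, MSDE 2000, WMSDE, Windows Internal Database).
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel')   AS ProductLevel,
       SERVERPROPERTY('Edition')        AS Edition;
GO

-- The workaround itself: every login belongs to public, so denying public
-- removes the implicit EXECUTE that low-privileged (e.g. web app) logins have.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Verification on SQL Server 2005: catalog views exist from 2005 onward.
-- Expect one row for public with state_desc = 'DENY'.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1   -- object-level permission
  AND pe.major_id = OBJECT_ID('master.dbo.sp_replwritetovarbin');
GO

-- Verification on SQL Server 2000 / MSDE 2000, which have no catalog views:
-- sp_helprotect lists the DENY under ProtectType = 'Deny'.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO
```

Two caveats a practitioner should keep in mind. Members of the sysadmin role are not subject to permission checks, so if your web application connects as sa or another sysadmin login the DENY does nothing for that path; the workaround only helps when the application uses a low-privileged login, which it should anyway. And the workaround does not fix the injection flaw in the web application itself: it just takes one dangerous target away from an attacker who already has a way to run arbitrary SQL through it.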