Microsoft has SQL Fix?

by Taylor Flatt on December 24th, 2008 at 1:50 pm EDT - 324 views

Since April, Microsoft has allegedly been working on a fix for this bug, but according to Bernhard Mueller, Microsoft has had a fix for this bug for months. So why, might I ask, have they not released this fix or, better yet, informed the community about this fix? Although speculation has risen on the actual time of release, many think it will be released at their next update session, which is roughly 3 weeks from today.

I, for one, am outraged by this whole scenario. Like that of the IE bug, this is a serious problem that needs to be addressed. Even though Microsoft claims this hasn’t been exploited fully, that is no reason to not release an emergency update for this half-year-old problem.

However, Microsoft has acted in a very nondynamic way by issuing a statement urging their users to grab a workaround script that automatically denies permissions to certain parts of the database so that the chances of exploitation are less.

What are your comments and questions about this?

Microsoft SQL “quick fix”

Category: Programs, Security


SQL Server’s Security Fix Not Released

by Joel Borhart on December 23rd, 2008 at 1:33 pm EDT - 237 views

On April 17, 2008, an Australian security company called SEC Consult found a bug in the SQL Server Database program. SQL Server Database lets you run a server on any machine it's installed on, and is often used for Internet web servers. After informing Microsoft of the problem with this program, SEC Consult published the flaw and the exploit code two weeks ago, hoping to prompt quicker action from Microsoft. In response to this, a Microsoft spokesman, Bill Sisk, said this on Monday: “We are aware that exploit code has been published on the Internet.  However, we are not aware of any attacks attempting to use the reported vulnerability.”

The bug in SQL Server is a leak that can lead to an attacker taking control of the server. An SQL injection attack on a vulnerable web program can be used to exploit this bug. SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) are the versions of SQL Server that are at risk. Newer versions like SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008 have the bug fixed.

If you are using a version of the SQL Server Database that is vulnerable, Microsoft has posted a quick fix to the problem. Denying permissions to the sp_replwritetovarbin extended stored procedure should keep you safe until the patch is released.
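One way to apply and verify the workaround described above, as an added example (not code from this post and not Microsoft's own script). It assumes a SQL Server 2005 instance and a login that is a member of sysadmin; the catalog views it queries do not exist on SQL Server 2000.

```sql
-- Added example: deny EXECUTE on sp_replwritetovarbin and confirm it took effect.
-- Assumption: SQL Server 2005, run by a sysadmin. On SQL Server 2000 the sys.*
-- catalog views are unavailable; use EXEC sp_helprotect 'sp_replwritetovarbin'
-- to inspect permissions there instead.
USE master;
GO

-- 1. Record the current permissions on the procedure before changing anything,
--    so the change can be reviewed (and reverted once the patch is installed).
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1  -- object-level permissions
  AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin');
GO

-- 2. Apply the workaround: every non-sysadmin login inherits this DENY
--    through the public role.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify. Raise an error if the DENY row is missing so that a scripted
--    rollout across many instances fails visibly instead of silently.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS pe
    JOIN sys.database_principals AS pr
      ON pr.principal_id = pe.grantee_principal_id
    WHERE pe.class = 1
      AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin')
      AND pe.permission_name = 'EXECUTE'
      AND pe.state = 'D'          -- D = DENY
      AND pr.name = N'public'
)
    RAISERROR('DENY EXECUTE on sp_replwritetovarbin is NOT in place.', 16, 1);
ELSE
    PRINT 'public is denied EXECUTE on sp_replwritetovarbin.';
GO
```

Permission checks are bypassed for members of the sysadmin role, so the DENY does not restrict an application that connects to the database as a sysadmin login.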

Security Update

Category: Programs, Security
