Makes sense to me
"The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."
Surely the words "until it's been patched" are redundant?
Yet another zero-day vulnerability has been identified in a popular Microsoft product, this time in its SQL Server database. The revelation comes as miscreants are stepping up attacks on a particularly nasty bug in the latest version of Internet Explorer. The SQL Server bug could allow the remote execution of malicious code, …
that computing can be made easy.
It always amused me that people buy the line that by taking away the hard bits in computing you can somehow make good use of a computer. It's a bit like taking the wheels off a car as they give you too many options and require planning ahead. You might have a nice safe place to sit but it gets you nowhere.
That is assuming MS took away sensible security measures from SQL Server to make it 'easier' to use. Another possibility is 'they just don't understand' and that's looking more likely day by day.
As stated by Microsoft at http://msdn.microsoft.com/en-us/library/ms189506(SQL.90).aspx
In SQL Server 2005, sp_dropextendedproc does not drop system extended stored procedures. Instead, the system administrator should deny EXECUTE permission on the extended stored procedure to the public role. In SQL Server 2000, sp_dropextendedproc could be used to drop any extended stored procedure.
So the stated workaround is OK for SQL 2000, but you can't drop the procedure on 2005, only deny Execute permissions.
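The two workarounds the post distinguishes, written out as T-SQL (an added example, not from the thread or from Microsoft's advisory text): on SQL Server 2005 the procedure cannot be dropped, so EXECUTE is denied to public and the resulting permission row is checked; on SQL Server 2000 sp_dropextendedproc removes it. It assumes sp_replwritetovarbin lives in master and that the catalog views sys.database_permissions and sys.database_principals are available (2005 and later).

```sql
-- Added example: apply and verify the mitigation for sp_replwritetovarbin.
-- Assumes the procedure is registered in master, as extended procs are.
USE master;
GO

-- SQL Server 2005: cannot drop a system extended stored procedure,
-- so deny EXECUTE to the public role instead.
DENY EXECUTE ON OBJECT::sp_replwritetovarbin TO public;
GO

-- Verify: expect one row with state_desc = 'DENY' for grantee 'public'.
SELECT pr.name        AS grantee,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.major_id = OBJECT_ID('sp_replwritetovarbin')
  AND  pe.permission_name = 'EXECUTE';
GO

-- SQL Server 2000 only: the procedure can be removed outright.
-- (On 2005 this call is a no-op for system extended procedures.)
-- EXEC sp_dropextendedproc 'sp_replwritetovarbin';
-- GO
```

Run the SELECT again after any later re-registration of the procedure, since a fresh registration may not carry the DENY.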
Let's use Wikipedia (insert obligatory "is a cult" outcry here, for more effect):
"Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor."
According to the article, the SQL server _could_ be exploited and apparently _was_ in a laboratory setting. No exploits are known in the wild. So no Zero day.
1) You have to be authenticated
2) You have to be able to pass it a command
So yeah, it's a vulnerability for people who open themselves to SQL injection attacks already. Well whoopee. I would assume anyone open to SQL Injection is running its web servers with close to sysadmin rights anyway, and xp_cmdshell enabled.
So the excitement is fairly limited, as they say.
The real lesson from this advisory is if you are fairly tight on security anyway, a simple escalation of rights on this proc should see you right.
Bit of a non story, shouldn't have got past the ms advisories.
How many users don't read articles like this or the MS advisory articles?
A vast majority? Therefore the vast majority will remain vulnerable (unless they use another browser by default).
The whole system is flawed and other browsers also have their problems, but at least Firefox does auto-update and patches are generally fairly quick and big bugs not too common.
Still, I do quite often skip updates when faced with the eternal dilemma of choosing between (A) patch, or (B) surf for porn.
I thought I'd be the first so everyone else could just shut up.
Blah Blah Blah MS is trash/wankers, Linux/Apple/Opera/Firefox are good and totally infallible. Use Firefox with NoScript not IE (OK, I kinda do endorse that one)
Now that it's been said, everyone else can spend their precious energies attacking something else.
LOL. Yeh. We have a list of recommendations for Microsoft, too. But most of them end in "off".
Meanwhile, as far as security goes, the only recommendation anyone needs is "Sod IE, use FF and NoScript". And in this particular case, even NoScript isn't important.
I forget where I found the link, but one of the sites I was browsing in the past day or two had a screenshot of the web control panel for the fiesta exploit kit that includes this new 0-day. Biiig long list of user agents visiting vs. number of times the downloadable was fetched; impressive list of zeros next to everything except IE. (Interestingly enough there were two downloads from clients with Opera UA strings, but those could easily have been deliberate downloads by security researchers wanting to study the infector).
"Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?", Frumious Bandersnatch
Because there is, as yet, no known patch and exploits have been available since Nov 15, that's a window of at least seven months, and they didn't tell the rest of us until the inadvertent publication of exploit code after the last Patch Tuesday failed to address the bug.
OK, a bug in the sp_replwritetovarbin stored procedure can lead to someone, over the web, compromising a database by entering code instead of data into a search box. The code being injected through the use of 'uninitialized variables'.
This is possible because of the way processes interact on the Operating System. My question is a simple one: Is it possible for the world's chief software architects to design a system that doesn't fall over because someone forgot to test for some un-initialised variables?