back to article Security pros groan as zero-day hits Microsoft's SQL Server

Yet another zero-day vulnerability has been identified in a popular Microsoft product, this time in its SQL Server database. The revelation comes as miscreants are stepping up attacks on a particularly nasty bug in the latest version of Internet Explorer. The SQL Server bug could allow the remote execution of malicious code, …

COMMENTS

This topic is closed for new posts.
  1. Moss Icely Spaceport
    Stop

    Makes sense to me

    "The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

    Surely the words: .."until it's been patched." are redundant?

  2. Frumious Bandersnatch
    Thumb Down

    Zero day?

    Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?

  3. Kanhef

    Stated differently

    "The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

    is equivalent to

    while (true) {

    don't use IE

    }

    since "l it's been patched" always evaluates to false.

  4. Anonymous Coward
    Paris Hilton

    zero-day

    So, "Microsoft was alerted to the bug in April, according to SEC Consult." yet it's being reported as zero-day.

    According to that logic, 0 == 241±15

    Damn; all my logic and boolean typecasting are fubar'd

  5. Tom Silver badge

    Still trying to sell the myth

    that computing can be made easy.

    It always amused me that people buy the line that by taking away the hard bits in computing you can somehow make good use of a computer. Its a bit like taking the wheels off a car as they give you too many options and require planning ahead. You might have a nice safe place to sit but it gets you nowhere.

    That is assuming MS took away sensible security measures from SQLServer to make it 'easier' to use. Another possibility is 'they just dont understand' and thats looking more likely day by day.

  6. Matt D
    Alert

    Workaround not suitable for SQL 2005

    As stated by Microsoft at http://msdn.microsoft.com/en-us/library/ms189506(SQL.90).aspx

    In SQL Server 2005, sp_dropextendedproc does not drop system extended stored procedures. Instead, the system administrator should deny EXECUTE permission on the extended stored procedure to the public role. In SQL Server 2000, sp_dropextendedproc could be used to drop any extended stored procedure.

    So the stated workaround is OK for SQL 2000, but you can't drop the procedure on 2005, only deny Execute permissions.

    HTH

  7. Destroy All Monsters Silver badge
    Dead Vulture

    "Zero-day vulnerability" has a clear meaning....

    Let's use Wikipedia (insert obligatory "is a cult" outcry here, for more effect):

    "Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor [1]."

    According to the article, the SQL server _could_ be exploited and apparently _was_ in a laboratory setting. No exploits are known in the wild. So no Zero day.

  8. James Pickett
    Gates Horns

    Typo

    "stop using OUR browser", surely?

  9. alvaro

    ok, and?

    this info can't hardly be taken as new. so, a (nother) bug in a microsoft product. anyone surprised? :P

  10. RichardB
    Stop

    hang on

    1)You have to be authenticated

    2)You have to be able to pass it a command

    So yeah, its a vulnerabilty for people who open themselves to SQL injection attacks already. Well whoopee. I would assume anyone open to SQL Injection is running its webservers with close to sysadmin rights anyway, and xp_cmdshell enabled.

    So the excitement is fairly limited, as they say.

    The real lesson from this advisory is if you are fairly tight on security anyway, a simple escalation of rights on this proc should see you right.

    Bit of a non story, shouldn't have got past the ms advisories.

  11. Loki

    Biggerst problem here is....

    How many users dont read articles like this or the MS advisory articles?

    A vast majority? Therefore the vast majority will remain vulnerable (unless they use another browser by default).

    The whole system is flawed and other browsers also have their problems, but at least Firefox does auto-update and patches are generally fairly quick and big bugs not too common.

    Still, i do quite often skip updates when faced with the eternal dilemma of choosing between (A) patch, or (B) surf for porn.

  12. Anonymous Coward
    Flame

    Generic banal comment

    I thought I'd be the first so everyone else could just shut up.

    Blah Blah Blah MS is trash/wankers, Linux/Apple/Opera/Firefox are good and totally infallible. Use Firefox with NoScript not IE (OK, I kinda do endorse that one)

    Now that it's been said, everyone else can spend their precious energies attacking something else.

  13. muttley
    Dead Vulture

    IE7 => Protected mode in Vista = no vuln

    Unless I've got that completely wrong - and protected mode is the default setting for the Internet zone security.

    FUDtastic.

  14. Anonymous Coward
    Pirate

    "Microsoft has a list of recommendations"

    LOL. Yeh. We have a list of recommendations for Microsoft, too. But most of them end in "off".

    Meanwhile, as far as security goes, the only recommendation anyone needs is "Sod IE, use FF and NoScript". And in this particular case, even NoScript isn't important.

    I forget where I found the link, but one of the sites I was browsing in the past day or two had a screenshot of the web control panel for the fiesta exploit kit that includes this new 0-day. Biiig long list of user agents visiting vs. number of times the downloadable was fetched; impressive list of zeros next to everything except IE. (Interestingly enough there were two downloads from clients with Opera UA strings, but those could easily have been deliberate downloads by security researchers wanting to study the infector).

  15. Thom Brown
    Linux

    Re: Generic banal comment

    "Now that it's been said, everyone else can spend their precious energies attacking something else."

    Like when a fireman stops trying to put out a fire when he thinks he's used enough water, even if the flames are still spreading.

  16. Doug
    Gates Horns

    definition of a zero-day exploit ..

    "Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?", Frumious Bandersnatch

    Because there is as yet, no known patch and exploits have been available since Nov 15, that's a window of at lest seven months, and they didn't tell the rest of us until the inadventent publication of exploit code after the last patch-tuesday failed to address the bug.

    http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/

  17. Doug
    Linux

    a simple question ..

    OK, a bug in the sp_replwritetovarbin stored procedure can lead to someone, over the web, compromising a database by entering code instead of data into a search box. The code being injected through the use of 'uninitialized variables'.

    This is possible because of the way processes interact on the Operating System. My question is a simple one: Is it possible for the worlds chief software architects to design a system that doesn't fallover because someone forgot to test for some un-initialised variables ?

  18. Anonymous Coward
    Thumb Down

    @Thom Brown

    Actually I was thinking more like when a fireman orders everyone out of the building because it's a lost cause, there's no neighboring properties, the building is abandoned anyway, and it's been the site of multiple previous arson fires.

This topic is closed for new posts.

Other stories you might like