Security pros groan as zero-day hits Microsoft's SQL Server

Yet another zero-day vulnerability has been identified in a popular Microsoft product, this time in its SQL Server database. The revelation comes as miscreants are stepping up attacks on a particularly nasty bug in the latest version of Internet Explorer. The SQL Server bug could allow the remote execution of malicious code, …

COMMENTS

This topic is closed for new posts.

Makes sense to me

"The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

Surely the words: .."until it's been patched." are redundant?


Zero day?

Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?


Stated differently

"The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

is equivalent to

while (true) {
    don't use IE
}

since "until it's been patched" always evaluates to false.


zero-day

So, "Microsoft was alerted to the bug in April, according to SEC Consult." yet it's being reported as zero-day.

According to that logic, 0 == 241±15

Damn; all my logic and boolean typecasting are fubar'd

Tom

Still trying to sell the myth

that computing can be made easy.

It always amused me that people buy the line that by taking away the hard bits in computing you can somehow make good use of a computer. It's a bit like taking the wheels off a car as they give you too many options and require planning ahead. You might have a nice safe place to sit but it gets you nowhere.

That is assuming MS took away sensible security measures from SQL Server to make it 'easier' to use. Another possibility is 'they just don't understand' and that's looking more likely day by day.


Workaround not suitable for SQL 2005

As stated by Microsoft at http://msdn.microsoft.com/en-us/library/ms189506(SQL.90).aspx

In SQL Server 2005, sp_dropextendedproc does not drop system extended stored procedures. Instead, the system administrator should deny EXECUTE permission on the extended stored procedure to the public role. In SQL Server 2000, sp_dropextendedproc could be used to drop any extended stored procedure.

So the stated workaround is OK for SQL 2000, but you can't drop the procedure on 2005, only deny Execute permissions.

HTH

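The SQL Server 2005 form of the workaround described in the comment above, as an added example that is not part of the original comment or of Microsoft's documentation. It assumes a sysadmin session on the instance and uses the procedure name sp_replwritetovarbin, which is named elsewhere in this thread.

```sql
-- Added example: run as a sysadmin on a SQL Server 2005 instance.
-- System extended stored procedures are exposed through the sys schema
-- and their permissions are recorded in the master database.
USE master;
GO

-- 1. List the current EXECUTE permission rows on the procedure,
--    so the starting state is recorded before anything is changed.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class    = 1   -- object-level permissions
  AND  pe.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin');
GO

-- 2. On SQL Server 2005 sp_dropextendedproc does not drop system
--    extended stored procedures, so deny EXECUTE to public instead.
--    Members of the sysadmin role are not subject to this DENY.
DENY EXECUTE ON sys.sp_replwritetovarbin TO public;
GO

-- 3. List the permission rows again so the new DENY entry for
--    public can be confirmed and kept with the change record.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class    = 1
  AND  pe.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin');
GO
```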

"Zero-day vulnerability" has a clear meaning....

Let's use Wikipedia (insert obligatory "is a cult" outcry here, for more effect):

"Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor [1]."

According to the article, the SQL server _could_ be exploited and apparently _was_ in a laboratory setting. No exploits are known in the wild. So no Zero day.


Typo

"stop using OUR browser", surely?


ok, and?

This info can't hardly be taken as new. So, a (nother) bug in a Microsoft product. Anyone surprised? :P


hang on

1) You have to be authenticated

2) You have to be able to pass it a command

So yeah, it's a vulnerability for people who open themselves to SQL injection attacks already. Well whoopee. I would assume anyone open to SQL Injection is running its webservers with close to sysadmin rights anyway, and xp_cmdshell enabled.

So the excitement is fairly limited, as they say.

The real lesson from this advisory is if you are fairly tight on security anyway, a simple escalation of rights on this proc should see you right.

Bit of a non story, shouldn't have got past the ms advisories.


Biggest problem here is....

How many users don't read articles like this or the MS advisory articles?

A vast majority? Therefore the vast majority will remain vulnerable (unless they use another browser by default).

The whole system is flawed and other browsers also have their problems, but at least Firefox does auto-update and patches are generally fairly quick and big bugs not too common.

Still, I do quite often skip updates when faced with the eternal dilemma of choosing between (A) patch, or (B) surf for porn.


Generic banal comment

I thought I'd be the first so everyone else could just shut up.

Blah Blah Blah MS is trash/wankers, Linux/Apple/Opera/Firefox are good and totally infallible. Use Firefox with NoScript not IE (OK, I kinda do endorse that one)

Now that it's been said, everyone else can spend their precious energies attacking something else.


IE7 => Protected mode in Vista = no vuln

Unless I've got that completely wrong - and protected mode is the default setting for the Internet zone security.

FUDtastic.


"Microsoft has a list of recommendations"

LOL. Yeh. We have a list of recommendations for Microsoft, too. But most of them end in "off".

Meanwhile, as far as security goes, the only recommendation anyone needs is "Sod IE, use FF and NoScript". And in this particular case, even NoScript isn't important.

I forget where I found the link, but one of the sites I was browsing in the past day or two had a screenshot of the web control panel for the fiesta exploit kit that includes this new 0-day. Biiig long list of user agents visiting vs. number of times the downloadable was fetched; impressive list of zeros next to everything except IE. (Interestingly enough there were two downloads from clients with Opera UA strings, but those could easily have been deliberate downloads by security researchers wanting to study the infector).


Re: Generic banal comment

"Now that it's been said, everyone else can spend their precious energies attacking something else."

Like when a fireman stops trying to put out a fire when he thinks he's used enough water, even if the flames are still spreading.


definition of a zero-day exploit ..

"Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?", Frumious Bandersnatch

Because there is as yet, no known patch and exploits have been available since Nov 15, that's a window of at least seven months, and they didn't tell the rest of us until the inadvertent publication of exploit code after the last patch-tuesday failed to address the bug.

http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/


a simple question ..

OK, a bug in the sp_replwritetovarbin stored procedure can lead to someone, over the web, compromising a database by entering code instead of data into a search box. The code being injected through the use of 'uninitialized variables'.

This is possible because of the way processes interact on the Operating System. My question is a simple one: Is it possible for the world's chief software architects to design a system that doesn't fall over because someone forgot to test for some un-initialised variables?


@Thom Brown

Actually I was thinking more like when a fireman orders everyone out of the building because it's a lost cause, there's no neighboring properties, the building is abandoned anyway, and it's been the site of multiple previous arson fires.
