The Register® — Biting the hand that feeds IT

Security pros groan as zero-day hits Microsoft's SQL Server

Moss Icely Spaceport

Makes sense to me 

"The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

Surely the words "until it's been patched" are redundant?

Frumious Bandersnatch

Zero day? 

Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?

Kanhef

Stated differently 

"The best way to protect yourself against the IE attack is to stop using the browser until it's been patched."

is equivalent to

while (true) {
    don't use IE
}

since "until it's been patched" always evaluates to false.

Anonymous Coward

zero-day 

So, "Microsoft was alerted to the bug in April, according to SEC Consult." yet it's being reported as zero-day.

According to that logic, 0 == 241±15

Damn; all my logic and boolean typecasting are fubar'd

Tom

Still trying to sell the myth 

that computing can be made easy.

It always amused me that people buy the line that by taking away the hard bits in computing you can somehow make good use of a computer. It's a bit like taking the wheels off a car as they give you too many options and require planning ahead. You might have a nice safe place to sit but it gets you nowhere.

That is assuming MS took away sensible security measures from SQL Server to make it 'easier' to use. Another possibility is 'they just don't understand' and that's looking more likely day by day.

Matt D

Workaround not suitable for SQL 2005 

As stated by Microsoft at http://msdn.microsoft.com/en-us/library/ms189506(SQL.90).aspx

In SQL Server 2005, sp_dropextendedproc does not drop system extended stored procedures. Instead, the system administrator should deny EXECUTE permission on the extended stored procedure to the public role. In SQL Server 2000, sp_dropextendedproc could be used to drop any extended stored procedure.

So the stated workaround is OK for SQL 2000, but you can't drop the procedure on 2005, only deny Execute permissions.

HTH
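The "deny EXECUTE to public" route described above, written out as T-SQL. This is an added example, not Matt D's or Microsoft's own text; it assumes SQL Server 2005 (the sys.database_permissions view and HAS_PERMS_BY_NAME do not exist on 2000) and that the affected procedure is sp_replwritetovarbin in the master database.

```sql
-- Assumption: the extended stored procedure lives in master, so the DENY
-- must be issued there. Run as a sysadmin.
USE master;
GO

-- Block the procedure for every database user via the public role.
-- DENY (not REVOKE) is used so that a later GRANT through another role
-- cannot silently re-open access.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Check 1: confirm an explicit DENY record now exists on the object.
-- class = 1 restricts the view to object-level permissions.
SELECT OBJECT_NAME(p.major_id)          AS object_name,
       p.permission_name,
       p.state_desc,                    -- expect 'DENY'
       USER_NAME(p.grantee_principal_id) AS grantee
FROM sys.database_permissions AS p
WHERE p.class = 1
  AND p.major_id = OBJECT_ID('sp_replwritetovarbin');
GO

-- Check 2: what the *current* caller can do. Members of sysadmin bypass
-- DENY entirely, so run this as an ordinary login to get a meaningful
-- answer; 0 means EXECUTE is blocked for that login.
SELECT HAS_PERMS_BY_NAME('sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS can_execute;
GO
```

Sysadmin-level logins are unaffected by the DENY, so the check is only informative for the low-privilege accounts that application code actually uses.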

Destroy All Monsters

"Zero-day vulnerability" has a clear meaning.... 

Let's use Wikipedia (insert obligatory "is a cult" outcry here, for more effect):

"Zero-day exploits are released before the vendor patch is released to the public. Zero-day exploits generally circulate through the ranks of attackers until finally being released on public forums. The term derives from the age of the exploit. A zero-day exploit is usually unknown to the public and to the product vendor [1]."

According to the article, the SQL server _could_ be exploited and apparently _was_ in a laboratory setting. No exploits are known in the wild. So no Zero day.

James Pickett

Typo 

"stop using OUR browser", surely?

alvaro

ok, and? 

This info can hardly be taken as new. So, a(nother) bug in a Microsoft product. Anyone surprised? :P

RichardB

hang on 

1) You have to be authenticated

2) You have to be able to pass it a command

So yeah, it's a vulnerability for people who open themselves to SQL injection attacks already. Well whoopee. I would assume anyone open to SQL injection is running their web servers with close to sysadmin rights anyway, and xp_cmdshell enabled.

So the excitement is fairly limited, as they say.

The real lesson from this advisory is if you are fairly tight on security anyway, a simple escalation of rights on this proc should see you right.

Bit of a non story, shouldn't have got past the ms advisories.

Loki

Biggest problem here is.... 

How many users don't read articles like this or the MS advisory articles?

A vast majority? Therefore the vast majority will remain vulnerable (unless they use another browser by default).

The whole system is flawed and other browsers also have their problems, but at least Firefox does auto-update and patches are generally fairly quick and big bugs not too common.

Still, I do quite often skip updates when faced with the eternal dilemma of choosing between (A) patch, or (B) surf for porn.

Anonymous Coward

Generic banal comment 

I thought I'd be the first so everyone else could just shut up.

Blah Blah Blah MS is trash/wankers, Linux/Apple/Opera/Firefox are good and totally infallible. Use Firefox with NoScript not IE (OK, I kinda do endorse that one)

Now that it's been said, everyone else can spend their precious energies attacking something else.

muttley

IE7 => Protected mode in Vista = no vuln 

Unless I've got that completely wrong - and protected mode is the default setting for the Internet zone security.

FUDtastic.

Anonymous Coward

"Microsoft has a list of recommendations" 

LOL. Yeh. We have a list of recommendations for Microsoft, too. But most of them end in "off".

Meanwhile, as far as security goes, the only recommendation anyone needs is "Sod IE, use FF and NoScript". And in this particular case, even NoScript isn't important.

I forget where I found the link, but one of the sites I was browsing in the past day or two had a screenshot of the web control panel for the fiesta exploit kit that includes this new 0-day. Biiig long list of user agents visiting vs. number of times the downloadable was fetched; impressive list of zeros next to everything except IE. (Interestingly enough there were two downloads from clients with Opera UA strings, but those could easily have been deliberate downloads by security researchers wanting to study the infector).

Thom Brown

Re: Generic banal comment 

"Now that it's been said, everyone else can spend their precious energies attacking something else."

Like when a fireman stops trying to put out a fire when he thinks he's used enough water, even if the flames are still spreading.

Doug

definition of a zero-day exploit .. 

"Huh? If the bug was known about in April, how on earth does it qualify as a zero-day sploit?", Frumious Bandersnatch

Because there is, as yet, no known patch and exploits have been available since Nov 15; that's a window of at least seven months, and they didn't tell the rest of us until the inadvertent publication of exploit code after the last patch-tuesday failed to address the bug.

http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/

Doug

a simple question .. 

OK, a bug in the sp_replwritetovarbin stored procedure can lead to someone, over the web, compromising a database by entering code instead of data into a search box. The code being injected through the use of 'uninitialized variables'.

This is possible because of the way processes interact on the operating system. My question is a simple one: is it possible for the world's chief software architects to design a system that doesn't fall over because someone forgot to test for some uninitialised variables?

Anonymous Coward

@Thom Brown 

Actually I was thinking more like when a fireman orders everyone out of the building because it's a lost cause, there's no neighboring properties, the building is abandoned anyway, and it's been the site of multiple previous arson fires.