Microsoft warns of SQL Server zero-day

By Robert Westervelt, News Editor 23 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

In its advisory, the software giant warned of an authenticated remote code execution vulnerability in the MS SQL extended stored procedure. The issue causes an invalid parameter check opening a hole for an attack.

"All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability," Microsoft said. "In addition, Web applications with a SQL Server back-end database are at risk if a SQL injection vulnerability exists."

Microsoft security news: Microsoft issues emergency patch to fix IE flaw: The software giant repaired a dangerous flaw being exploited if a user browses some legitimate websites. Microsoft fixes critical flaws in Office, IE: Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched. Microsoft to embed data classification, strengthen ties with DLP: Microsoft will embed data classification technology into its platform under a deal that ties Active Directory Rights Management Services with RSA's data loss prevention suite.

An attacker can exploit the flaw remotely as an authenticated user on the system, said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC). However, attackers could exploit the vulnerability as an unauthenticated user if they compromise a Web server via SQL injection, Sisk said.

The critical vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database (WYukon).

"We are aware that exploit code has been published on the Internet, however, we are not aware of any attacks attempting to use the reported vulnerability," Sisk said on the MSRC blog.

As a workaround, Microsoft is advising customers to deny access to the sp_replwritetovarbin stored procedure. Microsoft said the affected stored procedure will have no impact for the majority of its customers.

SearchSecurity radio:

Bernhard Mueller, a security consultant with SEC Consult, discovered the flaw earlier this month. He issued a T-SQL script to test for the vulnerability. In his advisory, Mueller said he received an email from Microsoft in September explaining that a fix for the vulnerability had been completed. So far, Microsoft has not ruled out an out-of-cycle patch release.

"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location," Mueller said in his advisory.

Tags: Database Security Management,  Emerging Information Security Threats,  Security Patch Management,  Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Emerging Information Security Threats Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Hathaway joins Harvard to contribute to DOD project Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary