Microsoft warns of SQL Server zero-day

By Robert Westervelt, News Editor
23 Dec 2008 | SearchSecurity.com


Microsoft issued an advisory late Monday warning of publicly available code that could be used to target an unpatched vulnerability in SQL Server.

In its advisory, the software giant warned of an authenticated remote code execution vulnerability in an MS SQL extended stored procedure. The issue stems from an invalid parameter check, which opens a hole for an attack.

"All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability," Microsoft said. "In addition, Web applications with a SQL Server back-end database are at risk if a SQL injection vulnerability exists."

An attacker can exploit the flaw remotely as an authenticated user on the system, said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC). However, attackers could exploit the vulnerability as an unauthenticated user if they compromise a Web server via SQL injection, Sisk said.

The critical vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database (WYukon).

"We are aware that exploit code has been published on the Internet, however, we are not aware of any attacks attempting to use the reported vulnerability," Sisk said on the MSRC blog.

As a workaround, Microsoft is advising customers to deny access to the sp_replwritetovarbin stored procedure. Microsoft said denying access to the affected stored procedure will have no impact for the majority of its customers.
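The workaround described above, applied and then verified from the DBA's side, as an added T-SQL example; this is not Microsoft's advisory script and not Mueller's test script. It assumes a SQL Server 2005 instance (the catalog views and HAS_PERMS_BY_NAME used here do not exist on SQL Server 2000; the SQL Server 2000 equivalents are given in comments), that it is run by a sysadmin, and it uses the placeholder login name webapp_login for the account a web application connects with.

```sql
-- Added example (not from Microsoft's advisory or Mueller's script):
-- deny access to the sp_replwritetovarbin extended stored procedure and
-- verify that the restriction took effect for a low-privileged login.
USE master;
GO

-- 1. Confirm the extended stored procedure exists on this instance.
--    (SQL Server 2000: SELECT name FROM sysobjects WHERE name = 'sp_replwritetovarbin')
SELECT name, SCHEMA_NAME(schema_id) AS schema_name, type_desc
FROM sys.objects
WHERE name = 'sp_replwritetovarbin';
GO

-- 2. Workaround: deny EXECUTE to public. Every database user is a member of
--    public, so this covers application logins used by web front ends, which
--    is the SQL injection case the advisory points to.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify the DENY is recorded in the catalog. Expect one row with
--    grantee = 'public' and state_desc = 'DENY'.
--    (SQL Server 2000: EXEC sp_helprotect 'sp_replwritetovarbin')
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1   -- OBJECT_OR_COLUMN
  AND pe.major_id = (SELECT object_id FROM sys.objects
                     WHERE name = 'sp_replwritetovarbin');
GO

-- 4. Check from the point of view of the web application's login.
--    'webapp_login' is a placeholder; substitute the real login name.
--    Expect can_execute = 0 once the DENY is in place.
DECLARE @proc nvarchar(300);
SELECT @proc = SCHEMA_NAME(schema_id) + '.' + name
FROM sys.objects
WHERE name = 'sp_replwritetovarbin';

EXECUTE AS LOGIN = 'webapp_login';
SELECT HAS_PERMS_BY_NAME(@proc, 'OBJECT', 'EXECUTE') AS can_execute;
REVERT;
GO
```

Two caveats when reading the results: members of the sysadmin fixed server role bypass permission checks entirely, so the DENY does not restrict them and the workaround addresses the low-privileged and SQL-injection scenario rather than a compromised administrative login; and the final impersonation step only tells you about the one login you name, so repeat it for each login that reaches the server from an application tier.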

Bernhard Mueller, a security consultant with SEC Consult, discovered the flaw earlier this month. He issued a T-SQL script to test for the vulnerability. In his advisory, Mueller said he received an email from Microsoft in September explaining that a fix for the vulnerability had been completed. So far, Microsoft has not ruled out an out-of-cycle patch release.

"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location," Mueller said in his advisory.
