An SQL Server Zero-Day Exploit In Time For Christmas
SecurityProNews Staff Writer
2008-12-23
’Tis the season for zero-day exploits. Microsoft issued a new advisory last night about a zero-day exploit affecting SQL servers. Tell your IT guy Merry Christmas once you have him on the phone.
The advisory was issued after the vulnerability was made public. Microsoft says it is investigating and acknowledges the flaw could allow for remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).
Good news for those with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008. You're covered already.
Christmas week isn't the best time for this news, and it caps a bad month for Microsoft security. After a record-breaking Patch Tuesday, this is the third zero-day exploit since. Someone in Redmond appears to be asleep at the switch; Internet Storm Center's Patrick Nolan reports Microsoft supposedly patched this vulnerability when it was reported back in April.
"…but there's no patch release date mentioned at this time. Exploit code is available," writes Nolan.
Luckily, a hacker would need mad skills to capitalize on the vulnerability, at least according to Microsoft's Bill Sisk. "To successfully exploit this vulnerability, an attacker must be a local, or remote, authenticated user on the system. However, if an attacker has already compromised a Web server via SQL injection, they could exploit this vulnerability as an unauthenticated user."
Worms and Exploits doesn't make it sound all that difficult though:
"This could be exploited by sending a payload with specially crafted values which could result in a memory corruption, and then this could be exploited to execute arbitrary code with the privileges of the current user. But authentication is required to exploit this vulnerability; it is also exploitable via SQL injection, by using the authentication credentials of the vulnerable web application. A proof-of-concept has already been publicly available at places for this vulnerability."
The author offers some workarounds, though.
Microsoft offers this reassurance as well: "…due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack."
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.