Microsoft disputes password-stealing SQL Server bug

Share this article:
For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.

The software giant, however, said that the issue is not a security flaw.

The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in its database memory, Slavik Markovich, CTO at Sentrigo, told SCMagazineUS.com on Tuesday. The issue affects SQL Server 2000, 2005 and 2008, running on Windows operating systems.  

Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.

“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.

Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.  

“If someone can see your password, think about all the other systems they could access,” Markovich said.

But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email Tuesday. The software giant has no intention of offering a security update for the issue.

“As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system,” Microsoft said. “An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights.”

But Markovich contends that the issue could also be exploited by an outside attacker to escalate the damage of an SQL injection attack. If an attacker launched such an attack and obtained an administrator's password, they could be used to access SQL Server and potentially get the passwords to other systems.

Sentrigo issued a free tool Wednesday to erase stored passwords in SQL Server. Microsoft recommended end-users review its security guidance and guidelines literature.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Millenials improve security habits, more interested in cyber careers, still need guidance

Millenials improve security habits, more interested in cyber ...

Raytheon's second annual survey on the online and security behavior of Millennials shows improvement but still a long way to go.

Pakistani man indicted over spyware app creation

Hammad Akbar created StealthGenie, which allowed the purchaser to secretly monitor a cell phone's communications.

FDA finalizes guidelines on medical device, patient data security

The recommendations are aimed at providing better protecting patient health and data, as well as hoping device manufacturers take into account cybersecurity risks in the early stages of development.