Microsoft warns of SQL Server vulnerability

Share this article:
Microsoft late Monday issued a security advisory warning of a new vulnerability in SQL Server that could be exploited to execute remote code.

The flaw has resulted in publicly available attack code, Bill Sisk, Microsoft's security response communications manager, wrote Monday on the Security Response Center blog. However, the software giant is not aware of any in-the-wild exploits.

Affected systems are comprised of SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server Desktop Engine, and Windows Internal Database, according to the advisory.

Systems running SQL Server 7.0 Service Pack (SP) 4, SQL Server 2005 SP3 and SQL Server 2008 are not vulnerable, Sisk said.

Users impacted by the vulnerability, which requires attackers to authenticate themselves, are encouraged to apply the workarounds listed in the advisory. The company was notified of the flaw in April by a security researcher and has since been working on resolving the issue, a Microsoft spokesman told on Tuesday.

The bug could prove devastating, especially in light of the recent Internet Explorer vulnerability, which required an emergency fix, said Eric Schultze, CTO of patch management provider Shavlik Technologies, in an email. That flaw was being exploited through legitimate websites that had been compromised through SQL injection.

"...The recent zero-day Internet Explorer bug has highlighted the large number of websites vulnerable to SQL injection, which are now vulnerable to more serious attacks using this zero-day SQL flaw," he said. "In other words, what was bad has now become worse."

Microsoft is next scheduled to release a security update on Jan. 13.

Share this article:

Sign up to our newsletters

More in News

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.

IG scolds NOAA on security deficiencies, recommends fixes

IG scolds NOAA on security deficiencies, recommends fixes

An audit of NOAA by the inspector general found security shortcomings, including the link between information systems and satellite systems.