Microsoft warns of SQL Server vulnerability

Microsoft late Monday issued a security advisory warning of a new vulnerability in SQL Server that could be exploited to execute remote code.

The flaw has resulted in publicly available attack code, Bill Sisk, Microsoft's security response communications manager, wrote Monday on the Security Response Center blog. However, the software giant is not aware of any in-the-wild exploits.

Affected systems include SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server Desktop Engine and Windows Internal Database, according to the advisory.

Systems running SQL Server 7.0 Service Pack (SP) 4, SQL Server 2005 SP3 and SQL Server 2008 are not vulnerable, Sisk said.

Users affected by the vulnerability, which requires an attacker to authenticate to the database server before it can be exploited, are encouraged to apply the workarounds listed in the advisory. The company was notified of the flaw in April by a security researcher and has since been working on resolving the issue, a Microsoft spokesman said on Tuesday.

The bug could prove devastating, especially in light of the recent Internet Explorer vulnerability, which required an emergency fix, said Eric Schultze, CTO of patch management provider Shavlik Technologies, in an email. That flaw was being exploited through legitimate websites that had been compromised through SQL injection.

"...The recent zero-day Internet Explorer bug has highlighted the large number of websites vulnerable to SQL injection, which are now vulnerable to more serious attacks using this zero-day SQL flaw," he said. "In other words, what was bad has now become worse."

Microsoft is next scheduled to release a security update on Jan. 13.
