Microsoft warns of SQL Server vulnerability

Share this article:
Microsoft late Monday issued a security advisory warning of a new vulnerability in SQL Server that could be exploited to execute remote code.

The flaw has resulted in publicly available attack code, Bill Sisk, Microsoft's security response communications manager, wrote Monday on the Security Response Center blog. However, the software giant is not aware of any in-the-wild exploits.

Affected systems are comprised of SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server Desktop Engine, and Windows Internal Database, according to the advisory.

Systems running SQL Server 7.0 Service Pack (SP) 4, SQL Server 2005 SP3 and SQL Server 2008 are not vulnerable, Sisk said.

Users impacted by the vulnerability, which requires attackers to authenticate themselves, are encouraged to apply the workarounds listed in the advisory. The company was notified of the flaw in April by a security researcher and has since been working on resolving the issue, a Microsoft spokesman told SCMagazineUS.com on Tuesday.

The bug could prove devastating, especially in light of the recent Internet Explorer vulnerability, which required an emergency fix, said Eric Schultze, CTO of patch management provider Shavlik Technologies, in an email. That flaw was being exploited through legitimate websites that had been compromised through SQL injection.

"...The recent zero-day Internet Explorer bug has highlighted the large number of websites vulnerable to SQL injection, which are now vulnerable to more serious attacks using this zero-day SQL flaw," he said. "In other words, what was bad has now become worse."

Microsoft is next scheduled to release a security update on Jan. 13.



Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.

Report: 75 million records compromised so far in 2014

Report: 75 million records compromised so far in ...

An updated report indicates that since this time last year, breaches have increased by 29.4 percent, with 568 breaches occurring this year.