Microsoft warns of SQL Server vulnerability

Share this article:
Microsoft late Monday issued a security advisory warning of a new vulnerability in SQL Server that could be exploited to execute remote code.

The flaw has resulted in publicly available attack code, Bill Sisk, Microsoft's security response communications manager, wrote Monday on the Security Response Center blog. However, the software giant is not aware of any in-the-wild exploits.

Affected systems are comprised of SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server Desktop Engine, and Windows Internal Database, according to the advisory.

Systems running SQL Server 7.0 Service Pack (SP) 4, SQL Server 2005 SP3 and SQL Server 2008 are not vulnerable, Sisk said.

Users impacted by the vulnerability, which requires attackers to authenticate themselves, are encouraged to apply the workarounds listed in the advisory. The company was notified of the flaw in April by a security researcher and has since been working on resolving the issue, a Microsoft spokesman told SCMagazineUS.com on Tuesday.

The bug could prove devastating, especially in light of the recent Internet Explorer vulnerability, which required an emergency fix, said Eric Schultze, CTO of patch management provider Shavlik Technologies, in an email. That flaw was being exploited through legitimate websites that had been compromised through SQL injection.

"...The recent zero-day Internet Explorer bug has highlighted the large number of websites vulnerable to SQL injection, which are now vulnerable to more serious attacks using this zero-day SQL flaw," he said. "In other words, what was bad has now become worse."

Microsoft is next scheduled to release a security update on Jan. 13.



Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.

Franchises to get assistance on cybersecurity strategy

The National Cyber Security Alliance has teamed up with the International Franchise Association to promote cybersecurity awareness among franchise businesses in the U.S.

Bulgarian national sentenced 30 months for role in ID theft ring

Aleksi Kolarov was a vendor on Shadowcrew.com, an online cybercrime marketplace that sold stolen credit and bank cards and caused millions of dollars in damages.