The flaw has resulted in publicly available attack code, Bill Sisk, Microsoft's security response communications manager, wrote Monday on the Security Response Center blog. However, the software giant is not aware of any in-the-wild exploits.
Affected systems are comprised of SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server Desktop Engine, and Windows Internal Database, according to the advisory.
Systems running SQL Server 7.0 Service Pack (SP) 4, SQL Server 2005 SP3 and SQL Server 2008 are not vulnerable, Sisk said.
Users impacted by the vulnerability, which requires attackers to authenticate themselves, are encouraged to apply the workarounds listed in the advisory. The company was notified of the flaw in April by a security researcher and has since been working on resolving the issue, a Microsoft spokesman told SCMagazineUS.com on Tuesday.
The bug could prove devastating, especially in light of the recent Internet Explorer vulnerability, which required an emergency fix, said Eric Schultze, CTO of patch management provider Shavlik Technologies, in an email. That flaw was being exploited through legitimate websites that had been compromised through SQL injection.
"...The recent zero-day Internet Explorer bug has highlighted the large number of websites vulnerable to SQL injection, which are now vulnerable to more serious attacks using this zero-day SQL flaw," he said. "In other words, what was bad has now become worse."
Microsoft is next scheduled to release a security update on Jan. 13.