PoC (Proof of Concept) code available in the wild

Dec 23, 2008 19:34 GMT

The latest iteration of SQL Server is safe from a critical vulnerability affecting the Microsoft data platform. In addition to SQL Server 2008, the software giant revealed that SQL Server 7.0 SP4 and SQL Server 2005 SP3 are also not impacted by the security flaw, which could allow remote code execution if successfully exploited. Bill Sisk, Microsoft Security Response Center Communications Manager, pointed out that Proof of Concept code had already been published in the wild, but emphasized that Microsoft had not detected any attack targeting the vulnerability.

“To successfully exploit this vulnerability an attacker must be a local or remote authenticated user on the system. However, if an attacker has already compromised a web server via SQL injection, they could exploit this vulnerability as an unauthenticated user,” Sisk stated.

Microsoft has not yet provided a security update designed to patch the vulnerability. Still, the company is offering affected customers a workaround designed to harden their data platforms against exploits. The workaround involves denying permissions on the sp_replwritetovarbin extended stored procedure, according to the Redmond company, which has published an advisory on the matter.
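The workaround described above, applied and then verified in T-SQL, as an added example that is not part of the article or of Microsoft's advisory text. It assumes a sysadmin connection to a SQL Server 2000 or 2005 instance; the catalog-view query is the SQL Server 2005 form, with the SQL Server 2000 equivalent noted in a comment.

```sql
-- Added example: deny the public role EXECUTE on the extended stored
-- procedure named in the advisory, then confirm the permission state.
-- Run as a member of sysadmin; the procedure lives in master.
USE master;
GO

-- Every login is a member of public, so this DENY blocks any principal that
-- is not a sysadmin (for example a web application's SQL login) from calling
-- the procedure. Members of sysadmin bypass DENY, so this does not protect
-- against a login that already holds sysadmin rights.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Verification on SQL Server 2005: list the explicit permissions recorded on
-- the procedure. Expect one row for public with state_desc = 'DENY'.
-- On SQL Server 2000 use: EXEC sp_helprotect 'sp_replwritetovarbin';
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');
GO

-- Inventory check: record version and edition so the instance can be matched
-- against the affected and not-affected product list in the advisory.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;
GO
```

Because the DENY is recorded in master, it survives restarts but should be revisited once a security update is installed; the inventory query is a convenient way to decide which instances still need the workaround and which already run a non-affected service pack.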

Among the vulnerable solutions, the company enumerated SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

“It’s important to note that systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 SP3 and Microsoft SQL Server 2008 are not affected by this issue. Also, because, by default, Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) and SQL Server 2005 Express do not allow remote connections, attackers would have to already have local access to machines running MSDE 2000 and SQL Server 2005 Express to exploit this vulnerability,” Sisk added.

Microsoft has already released an out-of-band security update this month, aiming to plug a security hole in all supported versions of Internet Explorer, including IE8 Beta 2 on Windows Vista SP1 and Windows XP SP3, as well as IE8 Beta on Windows pre-beta.