Microsoft Corp. today warned customers that attack code has been released targeting a critical vulnerability in older versions of its widely used SQL Server database software, and urged users to apply a temporary workaround.
The bug was first reported to Microsoft last April by an Austrian security consulting company, SEC Consult. But the firm apparently grew tired of waiting for Microsoft to decide when or whether it would release a patch, disclosed the flaw two weeks ago and published proof-of-concept exploit code.
According to SEC Consult, Microsoft has had a patch ready for nearly three months, but has declined to release it.
In a security advisory issued late Monday, Microsoft said that systems running SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) can be exploited, then hijacked by hackers.
The bug is in the "sp_replwritetovarbin" SQL Server extended stored procedure.
Newer versions of the popular software, which is used by many Web sites to power their back-end databases, are immune from attack, however. Those versions include SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008. That last version, the newest in the line, was released to manufacturing just last August.
As it often does, Microsoft downplayed the threat even as it issued the advisory. "We are aware that exploit code has been published on the Internet," said Bill Sisk, a company spokesman, in an e-mail Monday. "However, we are not aware of any attacks attempting to use the reported vulnerability."
Attackers can exploit the bug remotely if they are able to gain access to the server through a SQL injection attack against a vulnerable Web application running on the system, Sisk acknowledged.
Successful SQL injection attacks are hardly rare; hackers have managed to compromise huge numbers of sites, even prominent commercial domains, using such attacks. Several thousand legitimate sites, for example, were hacked via SQL injection attacks in the last few weeks by criminals who then planted rogue code on their pages and attacked visitors running Internet Explorer (IE). Microsoft plugged the IE hole last Wednesday with the second emergency patch in a two-month span.
Microsoft said that denying permissions to the "sp_replwritetovarbin" extended stored procedure would protect vulnerable systems, and provided instructions on how to do that in the advisory.
Sisk didn't commit the company to a fix, or a timeline for one, but the boilerplate phrasing he used -- "Microsoft will continue to investigate this vulnerability and upon completion of this investigation, will take the appropriate actions" -- typically leads at some point to a patch.
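As an added illustration of the workaround the article describes (this is not code from the article or from Microsoft's advisory text), the following T-SQL denies EXECUTE on the extended stored procedure to the public role in the master database, where extended stored procedures are registered, and then checks that the deny is actually in place. The verification query relies on the sys.database_permissions and sys.database_principals catalog views, which assumes SQL Server 2005; on SQL Server 2000 and MSDE 2000, sp_helprotect serves the same purpose.

```sql
-- Added example: apply and verify the permission-based workaround.
-- Assumes the procedure lives in master (true for extended stored procedures)
-- and that the session runs with sufficient privilege to change permissions.
USE master;
GO

-- The mitigation itself: members of public can no longer call the procedure.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Verification (SQL Server 2005 catalog views, assumption):
-- expect one row for grantee 'public' with state_desc = 'DENY'.
SELECT
    OBJECT_NAME(p.major_id)  AS object_name,
    dp.name                  AS grantee,
    p.permission_name,
    p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
    ON dp.principal_id = p.grantee_principal_id
WHERE p.major_id = OBJECT_ID('sp_replwritetovarbin');
GO

-- SQL Server 2000 / MSDE 2000 equivalent check (assumption: no sys.* views there):
-- EXEC sp_helprotect 'sp_replwritetovarbin';
```

Because DENY overrides any GRANT that a login inherits through role membership, this blocks calls from the low-privilege database users that a compromised Web application would typically connect as, while leaving the patch decision to Microsoft. Re-run the verification query after any permission changes or restores, since a database restore can bring back the original permission set.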
SEC Consult, however, claimed Microsoft completed a fix in September.
The company, which is headquartered in Vienna, went public with the vulnerability on Dec. 9 by publishing information and sample attack code in an advisory on its site, as well as to several security mailing lists, including Bugtraq and Full Disclosure.
In its disclosure, SEC Consult said it had been told by Microsoft in a September e-mail that a patch was finished. "The release schedule for this fix is currently unknown," SEC Consult's advisory read.
The Austrian security firm also included a timeline it said reflected the communications between it and Microsoft. According to that timetable, SEC Consult reported the vulnerability to Microsoft on April 17, 2008, and last heard back from Microsoft Sept. 29. Four times since then -- on Oct. 14, Oct. 29, Nov. 12 and Nov. 28 -- SEC Consult asked Microsoft for an update on the patch release status, but received no reply.
Microsoft did not immediately respond to questions about SEC Consult's claims, including patch availability and the timeline.
Microsoft warns of critical bug in SQL Server