MS Issues Critical SQL Server Flaw Warning

silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."

So much for time off

[The+Yuckinator]

Happy Holidays! Now go patch the server.

Re:So much for time off

[jugglerjon]

That's exactly what went through my head

Re:So much for time off

[Culture20]

This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.

Re:So much for time off

[causality]

This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.

A holiday off? We can't do that, it might interefere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

Re:So much for time off

[SpaceLifeForm]

When Microsoft has not come up with a fix for a problem they have been working on since April 2008, why expect a patch soon?

Link

Re:So much for time off

[$RANDOMLUSER]

The above is not flamebait, it's the god's honest truth. The only thing that he forgot to mention is that the people demanding that this patch be put in ASAP are already at home spending "quality time with their families" while the likes of us are patching servers.

Re:So much for time off

And what you fail to realize is that it is the likes of you who's deciding to prioritize money over your family. You could just quit your job and spend Christmas with your family - but NO, you like all the money your job gives you and decide to work instead.

Re:So much for time off

[causality]

The above is not flamebait, it's the god's honest truth.

Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.

I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.

An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where It's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.

Re:So much for time off

[Wrath0fb0b]

A holiday off? We can't do that, it might interefere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.

The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.

Re:So much for time off

[hairyfeet]

If you want someone to blame, blame Bernhard Mueller who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.

Re:So much for time off

When Microsoft has not come up with a fix for a problem they have been working on since April 2008, why expect a patch soon?

Because now they look bad.

Re:So much for time off

[causality]

A holiday off? We can't do that, it might interefere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.

The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.

You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.

In an attempt to simplify what I am trying to convey, I'll emphasize that what I am really commenting on are our priorities. We each have our own lives with people we love and things that we care about. We work and make money in order to support these things. But we act like we have lives in order to work and make money, and for what? Conspicuous consumption? Luxury items? Consumerism? These things are so much more valuable than quality time with people you love that whenever there is a schedule conflict, quality time is sacrificed? Do you believe that joyous, grateful, harmonious, fulfilled lives are built on this premise? I am not talking about how a holiday is handled. I am talking about how the way we handle a holiday is indicative of our values.

It's the sort of thing that you can't really use facts and logic to prove. I can't write an equation that will rigorously demonstrate for you that one value system is superior to another. For this reason, if you disagree with me, then I do not believe that any amount of argument is going to result in agreement. I just wanted you to better understand what you are disagreeing with, as it is something more significant than the rather trivial objection you raise.

Re:So much for time off

[causality]

If you want someone to blame, blame Bernhard Mueller who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.

In the long run I think what he did was for the best. Microsoft has talked a good game lately about security and how much they value it, so you'd think they would appreciate information like this and would quickly use it. I mean, think about it. Lots of people who discover vulnerabilities immediately go public with them. I don't think there's anything wrong with that, but it has to be one hell of an inconvenience to the vendor. Here you have someone who was willing to work with the vendor and gave them far more than enough time to use his information and handle this in a much smoother way and they blew him off.

It's a shame that predictable situations that could have been easily handled often have to become big problems before anyone decides to address them, but this is often the case. The worse this one is and the more problems it causes, the more pressure there is on Microsoft to stop ignoring people who want to work with them on security issues. I am no fan of Microsoft and I personally don't like Windows, but there is a bigger picture here. No matter how I feel about them, many millions of people use Microsoft products or depend on servers that run Microsoft software and they stand to experience preventable problems when known security issues are not fixed. The Internet is a shared resource; the more secure these users are, the better the network is for everyone. There's really no excuse for how Microsoft handled this one. I don't personally use their products, but if I did, this would make me reconsider.

Re:So much for time off

[hairyfeet]

Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.

You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collectives asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.

Re:So much for time off

[causality]

Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.

You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collectives asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.

Ninety days sounds like an excessively long time to me, considering that the (largely unpaid volunteers of the) open-source community typically patch high-profile remotely-exploitable vulnerabilities in a matter of hours. In my opinion, 30 days would be quite generous. This is especially true when you consider that it's always possible that the black hats have also independently discovered $VULNERABILITY and are quietly exploiting what almost no one else even knows about.

If you are dealing with an entity that wants to play blame games, the only part you can change is what or whom they blame. So right now they can blame the discloser for being "irresponsible" (generally defined as "caring more about security than the vendor does"). Unfortunately under your system, they would simply claim that the disclosure is not yet 90 days old, or maybe they'll pull a Bill Clinton and dispute the definition of the word "is". They'll say almost anything that lets them save face, secure in the knowledge that the average user has neither the technical knowledge nor the critical thinking ability nor the willingness to call them on it. When you're dealing with a fundamentally dishonest entity, it is easy to force them to become more ingenuitive when they lie and misrepresent while it is nearly impossible to force them to become honest and open. The only real solution is to refuse to deal with fundamentally dishonest entities.

I think lots of other people have noticed this and have decided to say "fuck 'em", which is why so many who discover vulnerabilities immediately go public with them. Microsoft is either crazy or stupid if they don't think that other security researchers are looking at how they blew off Bernhard Mueller and deciding that there's no point in trying to work with them. They can blame everyone and everything else as much as they want to but in many ways the vendors are their own worst enemies.

Re:So much for time off

Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too).

It's because Meta Moderation has been turned into a broken Digg clone. Check it out and you'll see what I mean.

Re:So much for time off

[Wrath0fb0b]

You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.

But that's exactly the point -- society has a general mechanism for deciding on what should be open and closed according to the priorities of the populace. We decide some things need to be open, while others need not.

I'll emphasize that what I am really commenting on are our priorities. [snip] [Consumer goods] are so much more valuable than quality time with people you love that whenever there is a schedule conflict, quality time is sacrificed? Do you believe that joyous, grateful, harmonious, fulfilled lives are built on this premise?

I believe very strongly in letting each individual determine her priorities according to whatever criteria best suit her. A corollary is that each individual should negotiate her own employment contract that best reflects her particular preferences.

It's the sort of thing that you can't really use facts and logic to prove. I can't write an equation that will rigorously demonstrate for you that one value system is superior to another. For this reason, if you disagree with me, then I do not believe that any amount of argument is going to result in agreement. I just wanted you to better understand what you are disagreeing with, as it is something more significant than the rather trivial objection you raise.

It's not a matter of computing whether one value system is better than another (that is, as you claim impossible). Rather, what I claim to do is compute, given the normative rankings that individuals do have, whether or not a particular service is worth keeping open or not. For instance, suppose the workers enjoy their Christmas so much that they demand 10x wages in order to come to work Dec 25th. Management can then compute whether, for that wage (and other costs), it is favorable to stay open.

What I am disagreeing with, essentially, is the sort of "objective" normative system where we do not have absolute deference to individuals' ranking of their priorities. I'm actually inclined to say that the best thing for an individual is defined by his normative preferences completely irrespective of any objective criteria that you might come up with. A man is the only person that can determine for himself what will make him happy/joyful/meaningful.

Re:Micro-who?

Mirco$shaft does it again, hard and dry.

When it's true, predictable (the SQL server vulnerability, not the comment), negative, and about Microsoft, it's somehow "Flamebait". The M$ users must have a convoluted psychology to accommodate the "true" part of that description.

Exactly what is vulnerable?

It is important to note that this isn't exploitable unless all of the following is true:

1. The database server is not patched (and the patches are not new).
2. Someone is able to connect directly to the database server.
3. That someone authenticates using a privileged user.

Honestly, if all three are true then the vulnerability isn't an unchecked parameter in a stored procedure and whatever user might as well "attack" using one of the built-in mechanisms to execute programs.

There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.

This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

Re:Exactly what is vulnerable?

Unfortunately, in my experience, most DBAs are what you describe. They took an online course that taught them 'databases' and got a certificate and then a job using them.

Re:Exactly what is vulnerable?

[Techmeology]

This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

You mean the kind of person who'd use Microsoft software in a security critical situation?

Re:Exactly what is vulnerable?

Yah like on UK's Submarines, Blue Screen of death Sinks marines
Top admiral now believed to have been High on opium in the decision, Story a 2300 UTC

Re:Exactly what is vulnerable?

[Major+Blud]

Funny. Being a DBA, I always say the same thing about developers....

But in all honestly, you're partially correct in that good DBA's are hard to come by. In the 10+ years I've been working in the field I can immediately think of three examples of DBA's that fit your description:

1) A DB2 DBA working for a large state government agency who couldn't write a SELECT statement.
2) A lady claiming to be an "MS Access DBA"
3) A guy who designed an OLTP database used for tracking help desk tickets that contained no normalization whatsoever

I think part of the reason is that almost nobody is actually pursuing a role as a DBA. They actually planned on being developers or sysadmins, and sort-of accidently ended up in the DBA role. I think being a DBA requires a person who is knowledgeable with coding, security, administration, and hardware; it takes a different king of training and experience than a developer or a sysadmin is going to be exposed to.

Re:Exactly what is vulnerable?

It is important to note that this isn't exploitable unless all of the following is true:

You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.

1. The database server is not patched (and the patches are not new).

There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."

Now, some versions of sql server are not affected at all by this bug, which is different from a patch being available.

2. Someone is able to connect directly to the database server.

Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

3. That someone authenticates using a privileged user.

No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.

Re:Exactly what is vulnerable?

[causality]

This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

You mean the kind of person who'd use Microsoft software in a security critical situation?

This is modded "Flamebait" but really this is just the "use the right tool for the job" idea. I know that if I were dealing with a medium or large organization and it were up to me, I would consider using Microsoft software for the end-user's desktop machines. It would be the most familiar software for the users, it's reasonably easy for them to use, and the network on which it is deployed can be locked down (which would, of course, include making sure that no Windows machine has a public IP address).

I definitely would not consider using any Microsoft product for the servers, especially if they are accessible on the public Internet. Microsoft's documented security history is one reason. My sincere personal belief that no matter what they say, Microsoft doesn't give a damn about security and they won't start caring about it so long as their products keep selling, which has always been the case, is another. Another reason is that if there is a vulnerability in open-source software, I am not completely dependent on the vendor to fix it. Also, a database may be a bad example of this, but with most open-source programs you have a variety of different ones to choose from and you could replace your current solution with another with minimal hassle. So, if one server has a critical security problem and I cannot find a patch, fix it myself, or find a workaround, I can easily replace it with something else. Compare that to Microsoft's proprietary file formats, embrace-and-extend tactics, and other deliberate incompatibilities designed to create vendorlock and then tell me how easy it would be to replace something like a database server (even if it would have zero effect in this case, do you really want to support this kind of business practice or do you prefer to deny that this is what you are doing?). The ease of remote administration of *nix would be another reason why I wouldn't use Microsoft for a server. The fact that, in general, *nix solutions simply have better uptimes and are easier for a skilled sysadmin to maintain than Windows solutions is yet another reason. Then there are extra security options available for Linux that are not available for Windows or only partially available for Windows, such as compiling from source with SSP (good luck with that on Windows), SELinux, using PaX and grsecurity to prevent stack-smashing attacks or to use RBAC, and lots of other nice options that are desirable in a secure server. License costs would be another, more distant reason, although I say that with the awareness that software licenses are usually a small part of the overall costs.

Anyway, that's how I feel about it and I have reasons for why I feel that way. I really believe that Microsoft is one of the worst available solutions for this type of server, that superior solutions with more functionality and better security can be had even for free. Maybe using Microsoft for this doesn't qualify as "a complete and total moron of the highest degree" but it shows a pro-Microsoft bias (as in "that's all we know!") in the least and might indicate poor decision-making. Ever notice that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system? It's another sign that this is not a culture of carefully considering all available options, as in show me an administrator who is highly skilled with both *nix and Windows who still prefers Windows, and I'll call that a legitimate preference (and a member of a small minority). You might not feel that way and have reasons why you disagree. Either way, it's not flamebait to say so (mods, I'm sorry, but as a group you're rather bitchy and trigger-happy lately -- apologies to the ones who don't knee-jerk).

If anything, the parent post shou

Re:Exactly what is vulnerable?

[Shados]

There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

There is, sortoff: the latest service packs, except for SQL Server 2000 (for which its a genuine problem, if I understand well). The catch is that SQL Server without service pack are fully supported, so Microsoft must provide patches so you can fix it without needing the service packs for the other editions. Still, the line between a patch and a service pack is thin...

Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

Ironically, I've actually never worked anywhere where extended SPs were allowed by the DBA unless careful consideration was made, and only if the database was used on the intranet only... extended SPs can do pretty much anything if not properly controlled, so you have to be fairly careful....

No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

Which still means you need -A- user that can connect at all. I agree that isn't exactly a "priviledged user", but it still needs a user that can login. Not "any user" can do that.

Re:Exactly what is vulnerable?

[Shados]

I think the issue is unrealistic expectations. 10 years ago, being a DBA in the sense many companies want it (an SQL guru who can do whatever with the database and lock it down and administrate it) was possible.

Today, enterprise grade RDBMS are very complex, SQL is more than just a query language, and databases tend to support more (.NET, java, python, etc). Administrating them is just as tough as administrating servers. It can be a full time job for a large company. So you end up with 2 different "jobs". A database developer (often also a business intelligence specialist, though that can its own job too), and an actual database administrator. Asking someone to be a specialist in all these positions is setting yourself for failure. It is possible, and it does exist, I know a few...but its still not realistic of the average IT person. By making those 2 (or 3) specialities into distinct positions in the work environment, it becomes a lot easier to find someone who can fill them up, AND people can do their job to their full potential.

Its like asking a programmer to also be a designer. Some can do it. All 3 of them.

Re:Exactly what is vulnerable?

[Shados]

Ever notice that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system? It's another sign that this is not a culture of carefully considering all available options, as in show me an administrator who is highly skilled with both *nix and Windows who still prefers Windows, and I'll call that a legitimate preference (and a member of a small minority).

I'm sorry here, but i have to correct you. I hear that quote a lot, how a *nix admin can handle windows but not the other way around. That always leave out one little detail. Someone with no experience as a sysadmin at all can handle Windows. You just need to know the basics. The UI is basically self explainatory. Happened to me back in the days... we stuck me in front of a Windows Server and said "you handle it". Within 2 hours I had things under control just looking around (mind you, it was a non-critical system, I'm just trying to make a point here). I have been a *nix sysadmin later on in my career, and it is not hard, but you can't really just click around and guess. You'll at the very least need to google up some command names. Windows Server 2008 introduced a "Core" mode, where administration is done by the command line... I'll tell you, it was flipping funny watching the Unix sysadmins try to handle that after spouting the above quote so many time...(there are some GUI tools, its not fully GUI-less like unix can be, but its close enough to cause confusion if someone gets too arrogant... )

Re:Exactly what is vulnerable?

[causality]

I'm sorry here, but i have to correct you. I hear that quote a lot, how a *nix admin can handle windows but not the other way around. That always leave out one little detail. Someone with no experience as a sysadmin at all can handle Windows. You just need to know the basics. The UI is basically self explainatory.

That's fine and good, right up until there is an intrusion attempt or complex problem for which the UI doesn't have a prefabricated solution or a need to understand security in terms more advanced than "guess we need to patch it." A good sysadmin (no matter what the OS) should consider those to be eventualities.

I have been a *nix sysadmin later on in my career, and it is not hard, but you can't really just click around and guess. You'll at the very least need to google up some command names.

That might suffice for a personal project but if it were my decision, I would not hire someone who discovers he "can't really just click around and guess" to fill a sysadmin position. When I said that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system, I was referring to skilled Windows administrators versus skilled *nix administrators. My point wasn't that one or the other requires more skill to "wing it" but that Windows is generally a monoculture, and as such those who seriously use it tend not to have a lot of experience with alternatives (and thus, do not have a valid/informed preference) whereas this is far less true for *nix administrators. Therefore, your scenario of a person with little to no knowledge of the system who suddenly finds himself responsible for managing the system and your comparison of whether that's easier for Windows or *nix doesn't really address what I was saying.

Windows Server 2008 introduced a "Core" mode, where administration is done by the command line... I'll tell you, it was flipping funny watching the Unix sysadmins try to handle that after spouting the above quote so many time.

Your description alone made me laugh. That must have been quite amusing to watch.

Re:Exactly what is vulnerable?

[Shados]

In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to learn).

Thats why your original statement lead me to beleive you meant just being able to wing it... it isn't exactly an apple vs apple comparison. On one side you need to know what you're doing for the basics, on the other you can handle the basics by improvisation. Less learning curve.

With colleges now more and more pushing *Nix-only technologies and totally ignoring anything MS for various reasons, it is becoming the *nix users that are in the monoculture when it comes to servers (im talking about younger people...of course this wasn't true if one's training was 6-8 years ago or more). It is not uncommon for people in IT to have -never- seen a Windows server, ever, and what it can do. Much rarer with Unix, if the college's forcing you to use it. Not many Powershell equivalents in Unix, for one :)

Re:Exactly what is vulnerable?

[bensode]

Semi Off-Topic but exactly where does one start off learning to be a good DBA? I've been a "jack of all trades" IT professional for Windows and Linux for 15 years and looking to finally specialize. I see database administration as the direction I want to go but feel as though I only know enough to be "dangerous". And if you say MS-DBA school I'm going to scream ...

Re:Exactly what is vulnerable?

[causality]

In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to learn).

I think the one advantage the *nix admins have in this case is that in a *nix OS, you generally cannot get away with no understanding of what you are working with (sure there's Ubuntu and its good GUI tools, but I'm not talking so much about a desktop environment). Just an example, you really cannot use iptables to configure the Linux firewall at all unless you have a good working knowledge of TCP/IP. If you have a good working knowledge of TCP/IP, you should be able to handle the Windows firewall (either built-in or any third-party firewall) even if you've never seen it before. Windows admins who come to *nix have no such advantage.

There are philosophical differences between Windows and *nix that relate to this. This is very general and I am aware of that, but I would say that *nix assumes not only that you know what you're doing but that you want to know, while Windows assumes that you need to be protected from the inconvenience of actually having to know what you're doing. You don't put it the way I did, of course, but you reflect this observation in your comments about who would fare better if they had to "wing it". It's like the saying "Unix doesn't try to stop you from doing something stupid because that would also stop you from doing something clever". Well, the Windows equivalent of that saying would be "Windows wants to stop you from doing something stupid even at the cost of stopping you from doing something clever". Also with many things *nix-related, I came to understand why things were done that way, to the point that if it did not exist and I were creating it, I would have done it that way myself because it's a sound design. Contrast this with many aspects of Windows where the reason why something is done that way is likely to be answered by the marketing department or some focus group. That may sound like a small gripe but it creates a real disconnect when you attempt to understand the system as a whole instead of memorizing a set of commands/procedures. For someone with a *nix background coming to Windows, this just means more looking around before desired options are found. For a Windows admin coming to *nix, this might mean being faced for the first time with something that should be understood as an integrated, holistic system instead of the sum of its parts or (worse) a black box.

The promise of Microsoft's marketing, that these things can be made so "easy to use" that you can correctly use and administer them without understanding them is unrealistic. If TCP/IP, or database servers, or Web servers, or whatever are needlessly complex, then find a simpler way to implement them. However, if the complexity is needful (that is, irreducible) and is an inherent part of what you are doing, trying to replace it with dumbed-down systems with the intent that less-knowledgable people will use it is just asking for the sort of security/reliability mess that much of modern computing has become.

Re:Exactly what is vulnerable?

[Shados]

I totally agree with you on that. However, the things that are platform independent are a fraction of what managing a server is all about... IIS has concepts that Apache doesn't have, Active Directory has stuff that open LDAP implementations do not. Exchange is a beast on its own. The "hard" part of administrating these things are knowing the details of these tools. I fully agree with you that someone who can use IPTables can circle around anything Windows can throw at them, but let say, the .NET security configurations? Some concepts SOMEWHAT relates to the "sandboxes" and security declarations you'll find in the high security Linux distro, but its still not going to help you much.

So ok...you're totally right for the core administration. For anything that Unix and Windows share directly or indirectly, the Unix admin will run circle around it. Once you get out of that though...not so much. (Same holds true for, let say, a C programmer vs a Java dev)

Re:Exactly what is vulnerable?

[shutdown+-p+now]

There is no patch!

"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."

Re:Exactly what is vulnerable?

[WuphonsReach]

Reading, playing with the tech, making things go boom... and then fixing them.

The old Microsoft Certified DBA exams weren't that difficult, and there was some good things in there that were not just Microsoft-specific. (I finished the MCDBA cert back in 1999/2000, I've never recertified since then.) But I've been mucking with databases since the DBase III / CA-Clipper days and I can generally get around in 3 or 4 different database packages.

Beyond that, start playing with at least 2 or 3 different database products and learn their quirks. It's that or pay someone. In-depth knowledge of database concepts (normalization, tables, indexes, views) and SQL language (joins, unions, subqueries) pays off in spades. At least the major vendors now have freebie versions that everyone can play with.

Unfortunately, I have zero desire to put up with corporate behavior, so I'm staying in a small company where I can be the DBA, the sysadmin, the lead programmer. So my current focus is PostgreSQL and figuring out how fast we can move away from MS SQL Server. (The answer there is "soon".)

Re:Exactly what is vulnerable?

[WuphonsReach]

I've used both Linux and Windows for servers for a decade.

I think Windows 2008 "core" mode is going to be too little too late. The more time I spend working with Linux servers, the power of the command line, the "everything is a file" mindset of Unix/Linux, and the sheer openness of the underlying tech - the less certain I am that Windows makes a good server product.

At least, if you don't want to spend lots and lots of money on add-on packages.

Some of the high points that have made my job easier in the past year:
- bash scripting
- LVM (flexibility, when our expected disk layout changed)
- having SecureCRT keep log files of all my sessions (so I can go back and figure out what I did 3 months ago in a certain situation)
- using FSVS and SVN to keep track of all changes on the server
- plain text configuration files that can be diff'd, grepped, and version controlled
- SELinux, the powerful iptables firewall
- a good security track record

Even better, the things that I learn on Linux server admin transfers mostly intact over to Solaris, Unix and BSD. And even Mac OS X. Whereas the things I learn on Windows only apply to Windows.

(Sorry for being long-winded, but I've spent a lot of time at the Linux command line in the past month. And things like LVM have saved my bacon a few times in the past year, allowing us to reconfigure servers on the fly when we forecast incorrectly.)

Use linux?

[RiotingPacifist]

dammit i was hopping that would be the workaround for once.

in fairness, it seams to only affect you if you dont properly parse the sql input from a web application, so if the attacker is using this exploit they are already 'in'.

Re:Use linux?

I (the Linux Admin) just told the Windows Admin about this. He started bitching about more work on his plate. I suggested he stop using Microsoft products.

He did not think it was funny.

Re:Use linux?

[JamesTRexx]

He did not think it was funny.

Often people think it's not funny, but they don't think seriously enough about things before using Microsoft (or other for that matter) software.
*still wondering how long it'll be before the unprotected, single MS SQL database used for everything in 16+ companies crashes because of a Windows exploit*

localhost

[jaavaaguru]

Or just don't make the database servers available on the Internet?

Re:localhost

[pembo13]

Regardless of OS, this should be a general rule of thumb.

Re:localhost

Or just don't make the database servers available on the Internet?

In fact, some people do that deliberately. There are outsourced cloud database providers...

Re:localhost

[cbiltcliffe]

Then any customer of said providers should be given VPN credentials to access the network the database is on. That way the connection traffic is all encrypted, also.

Unpatched my ass

[Tridus]

Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory:

"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."

So it's "unpatched", unless you installed the service pack. First rate reporting here.

Re:Unpatched my ass

SQL 2005 SP3 has only been out for 10 days and not a lot of people are running 2008 yet, so really it's only going to be 2000 that's most likely service-packed across the board.

Re:Unpatched my ass

[Nicolay77]

Utter bullshit.

SQL Server 2005 Service Pack 3:
Date Published: 10/27/2008

That's more like two months.

Re:Unpatched my ass

[Nicolay77]

Well, it seems it was only CTP and not production ready.

I stand corrected.

Linux

[IsaacD]

Linux is entirely impenetrable and never requires updates of any sort. Any database application running on Linux is completely, without question, capable of becoming self aware and defending itself from assassins known as Microsoft products. If you have ever even seen a Microsoft "product" in use then you are a complete and total buffoon, you are incapable of breathing on your own, and you do not deserve the oxygen you consume. A wet paper bag is more secure than all of Microsoft's products. Linux is built by titanium-skinned gods that were trained by magical ninja fairies. Computers running a Linux distribution do not require electricity; instead, they run on posts at Slashdot and the love felt by a community that feels that no money should ever be traded for labor or information.

Re:Linux

[Wamoc]

Funny, I thought that Microsoft products were as secure as a paper mache fortress. Although with another vulnerability I guess the strength needs to be dropped some.

Re:Linux

.... no money should ever be traded for labor or information.

I don't think so, Tim.

Re:Linux

[UncleTogie]

Linux is built by titanium-skinned gods that were trained by magical ninja fairies.

I, for one, welcome our metal-god-educated-mystical-assassin-fairy overlords.

Re:Linux

[bensode]

I bet Chuck Norris would be scared ...

explaining the joke

I suggested he stop using Microsoft products.

He did not think it was funny.

There's an old joke: "Doc, it hurts when I do this." (wiggles arm) Doc replies, "Well, don't do that."

It's a joke because the patient has a reasonable expectation that he should be able to wiggle his arm, so the doc's advice doesn't really solve the problem.

If we changed the joke to, "Doc, it hurts when I hit myself in the head with a hammer and then jam a sodium hydroxide-coated piece of barbed wire up my urethra," and the doc replied, "don't do that," then it ceases to be a joke at all. The doc's line is reasonable and expected, rather than a punchline.

No wonder your admin didn't think it's funny. That's because there was no joke.

Next time, tell him, "Keep buying Microsoft products." Then he'll think it's funny.

Unpatched

[Major+Blud]

SQL 2005 Service Pack 3 hasn't been RTM'd yet. All versions of SQL 2000 seem to be affected. This probably means that the most popular versions are affected.

Re:Unpatched

[pls2917]

SP3 was released on 15-Dec:

http://www.microsoft.com/downloads/details.aspx?FamilyID=ae7387c3-348c-4faa-8ae5-949fdfbe59c4&displaylang=en

Re:Unpatched

[poppycock]

That is incorrect: http://blogs.technet.com/dataplatforminsider/archive/2008/12/10/sql-server-2005-sp3-now-available-for-download.aspx.

Summary Wrong

The summary says:

Exploit code is publicly available

The article says:

SEC Consult will not release code execution exploits for this vulnerability to the public.

Either the article has changed since the summary was posted, or Timothy needs some remedial reading courses.

Way to drag your feet, Microsoft

Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:

20081209_mssql-sp_replwritetovarbin_memwrite.txt

Patch:
------

According to an email received by Microsoft in September, a fix for this vulnerability has been completed.
The release schedule for this fix is currently unknown.

Vendor timeline:
---------------
Vendor notified: 2008-04-17
Vendor response: 2008-04-17
Last response from Microsoft: 09-29-2008
Request for update status 1: 10-14-2008
Request for update status 2: 10-29-2008
Request for update status 3: 11-12-2008
Request for update status 4
and prenotification about advisory release date: 11-28-2008
Public release: 12-09-2008
Update (added SQL Server 2005, thanks Moreno Zilli): 12-10-2008

Why is Microsoft dragging their feet in releasing the patch?

Takes too much energy

dammit i was hopping that would be the workaround for once.

I was hopping for a good long while too, but then my legs got really tired.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I've got a solution

[Locke2005]

Patch available here.

Re:I've got a solution

[Shados]

All that patch does is disable 95% of the features...you can do that without downloading anything.

Most recent SPs are not effected

So if you've been keeping your software up-to-date then no problem.

SP3 went live on Dec-15

http://news.softpedia.com/news/Microsoft-SQL-Server-2005-Service-Pack-3-SP3-100153.shtml

The third service pack for SQL Server 2005 went live on December 15, 2008. Microsoft indicated that the release was designed to upgrade all service levels of SQL Server 2005 to Service Pack 3, as the services packed for the 2005 version of the database solution were cumulative. Users of the following SKUs of SQL Server 2005: Enterprise; Enterprise Evaluation; Developer; Standard; and Workgroup, are now able to make the jump to SP3. The software company emphasized that the focus with SP3 was to deliver all the hotfixes for SQL Server 2005 in a single package, but also to address various issues across the solution, in accordance with the user input.

"Microsoft released SQL Server 2005 Service Pack 3 (SP3). SQL 2005 version should now be 9.00.4035. Microsoft SQL Server 2005 Service Pack 3 (SP3) contains hotfixes that were included in cumulative update packages for SQL Server 2005 Service Pack 2 from cumulative update package 1 to cumulative update package 9, and fixes to issues that have been reported through our customer feedback platforms. It also includes supportability enhancements and issues that have been reported through Windows Error Reporting," Christophe Fiessinger, senior technical product manager for Microsoft Office Project Server, explained.

At the same time, Microsoft has taken the SQL Server 2005 Database Engine, Notifications Services, Replication and Reporting Services to the next level. Having released SP3 in 32-bit, 64-bit and IA64 flavors, Microsoft informed that the x86 version of the refresh was capable of upgrading 32-bit instances of SQL Server 2005 running on Windows-on-Windows 64 x86 emulation mode on a x64 system, this in addition to the 32-bit versions of the Windows operating systems. For the 64-bit instance of SQL Server 2005, users will have to turn to the 64-bit variant of SP3, and the same is valid for IA64.

Re:SP3 went live on Dec-15

[Major+Blud]

I stand corrected guys. Looks like I was 9 days too slow with my comments! Being an MCDBA, it seems like I should have been notified when SP3 was released. I new it was just around the corner, but it looks it just came and went.

Re:SP3 went live on Dec-15

[shutdown+-p+now]

A good advice if you're a developer or an administrator in a MS shop is to read MSDN blogs of the teams for those products you're using. They tend to announce all the new stuff (not just new releases, but also SPs and even bugfixes) ahead of everyone else - a couple of times I've seen a post in the blog feed with links to an MS security advisory or a KB article which didn't exist yet (but popped into existence in an hour or so).

Two sites I visit...

[PoconoPCDoctor]

FYI - My dentist's web site has been hijacked by a redirect to some site that tries to install trojans/viruses, and a local government website has been listed by google as an attack site... I called the county office, but with eggnog in the air, not much of a response. Luckily I was using my Mac when I browsed... Not sure if these two examples are linked to this SQL exploit, but it seems suspicious. YES WE DID! (not patch, or use Linux)

Hardly a huge deal

[glock22ownr]

"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application." Not that I don't think it's still shady ... but... there really isn't a danger here unless you have a user that is already authenticated and can execute stored procedures or are vulnerable to a SQL injection. So you either pissed off the local nerd or you're a complete f*cktard and can't write a proper app... Either way you deserve what's comin!