
MS Issues Critical SQL Server Flaw Warning

silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."

22 of 69 comments

  1. So much for time off by The Yuckinator · Score: 5, Funny

    Happy Holidays! Now go patch the server.

    1. Re:So much for time off by jugglerjon · Score: 2, Insightful

      That's exactly what went through my head

    2. Re:So much for time off by causality · Score: 5, Funny

      This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.

      A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:So much for time off by $RANDOMLUSER · Score: 3, Insightful

      The above is not flamebait, it's the god's honest truth. The only thing that he forgot to mention is that the people demanding that this patch be put in ASAP are already at home spending "quality time with their families" while the likes of us are patching servers.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:So much for time off by causality · Score: 4, Insightful

      The above is not flamebait, it's the god's honest truth.

      Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.

      I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.

      An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where it's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:So much for time off by Wrath0fb0b · Score: 2, Insightful

      A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

      Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.

      The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.

    6. Re:So much for time off by causality · Score: 2, Insightful

      If you want someone to blame, blame Bernhard Mueller who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.

      In the long run I think what he did was for the best. Microsoft has talked a good game lately about security and how much they value it, so you'd think they would appreciate information like this and would quickly use it. I mean, think about it. Lots of people who discover vulnerabilities immediately go public with them. I don't think there's anything wrong with that, but it has to be one hell of an inconvenience to the vendor. Here you have someone who was willing to work with the vendor and gave them far more than enough time to use his information and handle this in a much smoother way and they blew him off.

      It's a shame that predictable situations that could have been easily handled often have to become big problems before anyone decides to address them, but this is often the case. The worse this one is and the more problems it causes, the more pressure there is on Microsoft to stop ignoring people who want to work with them on security issues. I am no fan of Microsoft and I personally don't like Windows, but there is a bigger picture here. No matter how I feel about them, many millions of people use Microsoft products or depend on servers that run Microsoft software and they stand to experience preventable problems when known security issues are not fixed. The Internet is a shared resource; the more secure these users are, the better the network is for everyone. There's really no excuse for how Microsoft handled this one. I don't personally use their products, but if I did, this would make me reconsider.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    7. Re:So much for time off by hairyfeet · Score: 4, Interesting

      Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.

      You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collective asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Exactly what is vulnerable? by Anonymous Coward · Score: 4, Insightful

    It is important to note that this isn't exploitable unless all of the following is true:

    1. The database server is not patched (and the patches are not new).
    2. Someone is able to connect directly to the database server.
    3. That someone authenticates using a privileged user.

    Honestly, if all three are true then the vulnerability isn't an unchecked parameter in a stored procedure and whatever user might as well "attack" using one of the built-in mechanisms to execute programs.

    There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.

    This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

    1. Re:Exactly what is vulnerable? by Major Blud · Score: 2, Interesting

      Funny. Being a DBA, I always say the same thing about developers....

      But in all honesty, you're partially correct in that good DBAs are hard to come by. In the 10+ years I've been working in the field I can immediately think of three examples of DBAs that fit your description:

      1) A DB2 DBA working for a large state government agency who couldn't write a SELECT statement.
      2) A lady claiming to be an "MS Access DBA"
      3) A guy who designed an OLTP database used for tracking help desk tickets that contained no normalization whatsoever

      I think part of the reason is that almost nobody is actually pursuing a role as a DBA. They actually planned on being developers or sysadmins, and sort-of accidentally ended up in the DBA role. I think being a DBA requires a person who is knowledgeable with coding, security, administration, and hardware; it takes a different kind of training and experience than a developer or a sysadmin is going to be exposed to.

      --
      If you post as Anonymous Coward, don't expect a reply.
    2. Re:Exactly what is vulnerable? by Anonymous Coward · Score: 5, Informative

      It is important to note that this isn't exploitable unless all of the following is true:

      You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.

      1. The database server is not patched (and the patches are not new).

      There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

      "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."

      Now, some versions of sql server are not affected at all by this bug, which is different from a patch being available.

      2. Someone is able to connect directly to the database server.

      Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

      3. That someone authenticates using a privileged user.

      No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

      This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

      You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.

    3. Re:Exactly what is vulnerable? by causality · Score: 2, Interesting

      This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

      You mean the kind of person who'd use Microsoft software in a security critical situation?

      This is modded "Flamebait" but really this is just the "use the right tool for the job" idea. I know that if I were dealing with a medium or large organization and it were up to me, I would consider using Microsoft software for the end-user's desktop machines. It would be the most familiar software for the users, it's reasonably easy for them to use, and the network on which it is deployed can be locked down (which would, of course, include making sure that no Windows machine has a public IP address).

      I definitely would not consider using any Microsoft product for the servers, especially if they are accessible on the public Internet. Microsoft's documented security history is one reason. My sincere personal belief that no matter what they say, Microsoft doesn't give a damn about security and they won't start caring about it so long as their products keep selling, which has always been the case, is another. Another reason is that if there is a vulnerability in open-source software, I am not completely dependent on the vendor to fix it. Also, a database may be a bad example of this, but with most open-source programs you have a variety of different ones to choose from and you could replace your current solution with another with minimal hassle. So, if one server has a critical security problem and I cannot find a patch, fix it myself, or find a workaround, I can easily replace it with something else. Compare that to Microsoft's proprietary file formats, embrace-and-extend tactics, and other deliberate incompatibilities designed to create vendor lock-in and then tell me how easy it would be to replace something like a database server (even if it would have zero effect in this case, do you really want to support this kind of business practice or do you prefer to deny that this is what you are doing?). The ease of remote administration of *nix would be another reason why I wouldn't use Microsoft for a server. The fact that, in general, *nix solutions simply have better uptimes and are easier for a skilled sysadmin to maintain than Windows solutions is yet another reason. Then there are extra security options available for Linux that are not available for Windows or only partially available for Windows, such as compiling from source with SSP (good luck with that on Windows), SELinux, using PaX and grsecurity to prevent stack-smashing attacks or to use RBAC, and lots of other nice options that are desirable in a secure server. License costs would be another, more distant reason, although I say that with the awareness that software licenses are usually a small part of the overall costs.

      Anyway, that's how I feel about it and I have reasons for why I feel that way. I really believe that Microsoft is one of the worst available solutions for this type of server, that superior solutions with more functionality and better security can be had even for free. Maybe using Microsoft for this doesn't qualify as "a complete and total moron of the highest degree" but it shows a pro-Microsoft bias (as in "that's all we know!") in the least and might indicate poor decision-making. Ever notice that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system? It's another sign that this is not a culture of carefully considering all available options, as in show me an administrator who is highly skilled with both *nix and Windows who still prefers Windows, and I'll call that a legitimate preference (and a member of a small minority). You might not feel that way and have reasons why you disagree. Either way, it's not flamebait to say so (mods, I'm sorry, but as a group you're rather bitchy and trigger-happy lately -- apologies to the ones who don't knee-jerk).

      If anything, the parent post shou

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:Exactly what is vulnerable? by Shados · Score: 2, Informative

      There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

      There is, sort of: the latest service packs, except for SQL Server 2000 (for which it's a genuine problem, if I understand well). The catch is that SQL Server installations without a service pack are fully supported, so Microsoft must provide patches so you can fix it without needing the service packs for the other editions. Still, the line between a patch and a service pack is thin...

      Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

      Ironically, I've actually never worked anywhere where extended SPs were allowed by the DBA unless careful consideration was made, and only if the database was used on the intranet only... extended SPs can do pretty much anything if not properly controlled, so you have to be fairly careful....

      No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

      Which still means you need -A- user that can connect at all. I agree that isn't exactly a "privileged user", but it still needs a user that can login. Not "any user" can do that.

    5. Re:Exactly what is vulnerable? by Shados · Score: 2, Interesting

      I think the issue is unrealistic expectations. 10 years ago, being a DBA in the sense many companies want it (an SQL guru who can do whatever with the database and lock it down and administrate it) was possible.

      Today, enterprise grade RDBMS are very complex, SQL is more than just a query language, and databases tend to support more (.NET, java, python, etc). Administrating them is just as tough as administrating servers. It can be a full time job for a large company. So you end up with 2 different "jobs". A database developer (often also a business intelligence specialist, though that can be its own job too), and an actual database administrator. Asking someone to be a specialist in all these positions is setting yourself up for failure. It is possible, and it does exist, I know a few...but it's still not realistic of the average IT person. By making those 2 (or 3) specialities into distinct positions in the work environment, it becomes a lot easier to find someone who can fill them up, AND people can do their job to their full potential.

      It's like asking a programmer to also be a designer. Some can do it. All 3 of them.

  3. localhost by jaavaaguru · Score: 2, Informative

    Or just don't make the database servers available on the Internet?

  4. Unpatched my ass by Tridus · Score: 3, Insightful

    Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory:

    "Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."

    So it's "unpatched", unless you installed the service pack. First rate reporting here.

    --
    "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
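The two technical points in this thread, the reply above noting that sp_replwritetovarbin is executable by any login by default and that the only workaround is to stop it being executed, and the advisory quote listing which service-pack levels are unaffected, can be turned into a single check a DBA would run. The T-SQL below is an added example, not code from the thread, from SEC Consult, or from Microsoft's advisory; it assumes a SQL Server 2005 or later catalog (sys.database_permissions) for the permission query and that denying EXECUTE to public is acceptable for the replication workload on that server.

```sql
-- Added example, not from the thread or the vendor advisory.
-- Extended stored procedures live in master, so run this there.
USE master;
GO

-- 1. Build and service-pack level. The advisory quoted above says SQL Server
--    7.0 SP4, 2005 SP3 and 2008 are not affected. ProductLevel reports 'RTM'
--    or 'SPn'; ProductVersion's major number is 7, 8, 9 or 10 for
--    7.0, 2000, 2005 and 2008 respectively.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Who may execute the extended stored procedure? The thread's claim is that
--    on an unhardened server the public role (every login) holds EXECUTE.
--    sys.database_permissions is the 2005+ catalog; on SQL Server 2000 the
--    equivalent lookup is against sysprotects (action 224 = EXECUTE).
SELECT pr.name            AS grantee,
       dp.permission_name AS permission,
       dp.state_desc      AS state            -- GRANT or DENY
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                            -- object-level permission
  AND dp.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');

-- 3. The workaround the thread describes: stop ordinary logins from reaching
--    the procedure. A DENY takes precedence over any GRANT, including GRANTs
--    inherited through role membership, so this also covers logins that were
--    given EXECUTE by some other path. Re-run step 2 afterwards and expect a
--    DENY row for public.
DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO
```

Members of the sysadmin fixed server role are not subject to DENY, so the check is about what an ordinary login can reach, which is exactly the case the "Informative" reply above is arguing about. Step 1 only tells you whether the installed build is one the advisory lists as unaffected; it does not replace applying the service pack on the versions that are.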
  5. Linux by IsaacD · Score: 2, Funny

    Linux is entirely impenetrable and never requires updates of any sort. Any database application running on Linux is completely, without question, capable of becoming self aware and defending itself from assassins known as Microsoft products. If you have ever even seen a Microsoft "product" in use then you are a complete and total buffoon, you are incapable of breathing on your own, and you do not deserve the oxygen you consume. A wet paper bag is more secure than all of Microsoft's products. Linux is built by titanium-skinned gods that were trained by magical ninja fairies. Computers running a Linux distribution do not require electricity; instead, they run on posts at Slashdot and the love felt by a community that feels that no money should ever be traded for labor or information.

  6. explaining the joke by Anonymous Coward · Score: 2, Funny

    I suggested he stop using Microsoft products.

    He did not think it was funny.

    There's an old joke: "Doc, it hurts when I do this." (wiggles arm) Doc replies, "Well, don't do that."

    It's a joke because the patient has a reasonable expectation that he should be able to wiggle his arm, so the doc's advice doesn't really solve the problem.

    If we changed the joke to, "Doc, it hurts when I hit myself in the head with a hammer and then jam a sodium hydroxide-coated piece of barbed wire up my urethra," and the doc replied, "don't do that," then it ceases to be a joke at all. The doc's line is reasonable and expected, rather than a punchline.

    No wonder your admin didn't think it's funny. That's because there was no joke.

    Next time, tell him, "Keep buying Microsoft products." Then he'll think it's funny.

  7. Unpatched by Major Blud · Score: 3, Informative

    SQL 2005 Service Pack 3 hasn't been RTM'd yet. All versions of SQL 2000 seem to be affected. This probably means that the most popular versions are affected.

    --
    If you post as Anonymous Coward, don't expect a reply.
  8. Way to drag your feet, Microsoft by Anonymous Coward · Score: 3, Insightful

    Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:

    20081209_mssql-sp_replwritetovarbin_memwrite.txt

    Patch:
    ------

    According to an email received by Microsoft in September, a fix for this vulnerability has been completed.
    The release schedule for this fix is currently unknown.

    Vendor timeline:
    ---------------
    Vendor notified: 2008-04-17
    Vendor response: 2008-04-17
    Last response from Microsoft: 09-29-2008
    Request for update status 1: 10-14-2008
    Request for update status 2: 10-29-2008
    Request for update status 3: 11-12-2008
    Request for update status 4
    and prenotification about advisory release date: 11-28-2008
    Public release: 12-09-2008
    Update (added SQL Server 2005, thanks Moreno Zilli): 12-10-2008

    Why is Microsoft dragging their feet in releasing the patch?

  9. Takes too much energy by Anonymous Coward · Score: 3, Funny

    dammit i was hopping that would be the workaround for once.

    I was hopping for a good long while too, but then my legs got really tired.