Slashdot Mirror


MS Issues Critical SQL Server Flaw Warning

silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."


  1. So much for time off by The Yuckinator · · Score: 5, Funny

    Happy Holidays! Now go patch the server.

    1. Re:So much for time off by causality · · Score: 5, Funny

      This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.

      A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:So much for time off by $RANDOMLUSER · · Score: 3, Insightful

      The above is not flamebait, it's the god's honest truth. The only thing that he forgot to mention is that the people demanding that this patch be put in ASAP are already at home spending "quality time with their families" while the likes of us are patching servers.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:So much for time off by causality · · Score: 4, Insightful

      The above is not flamebait, it's the god's honest truth.

      Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.

      I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.

      An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where it's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:So much for time off by hairyfeet · · Score: 4, Interesting

      Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.

      You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collective asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Exactly what is vulnerable? by Anonymous Coward · · Score: 4, Insightful

    It is important to note that this isn't exploitable unless all of the following is true:

    1. The database server is not patched (and the patches are not new).
    2. Someone is able to connect directly to the database server.
    3. That someone authenticates using a privileged user.

    Honestly, if all three are true then the vulnerability isn't an unchecked parameter in a stored procedure and whatever user might as well "attack" using one of the built-in mechanisms to execute programs.

    There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.

    This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

    1. Re:Exactly what is vulnerable? by Anonymous Coward · · Score: 5, Informative

      It is important to note that this isn't exploitable unless all of the following is true:

      You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.

      1. The database server is not patched (and the patches are not new).

      There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

      "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."

      Now, some versions of SQL Server are not affected at all by this bug, which is different from a patch being available.

      2. Someone is able to connect directly to the database server.

      Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

      3. That someone authenticates using a privileged user.

      No! In SQL Server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

      This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

      You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.
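
The workaround the comments above refer to (disabling execution of sp_replwritetovarbin, which any user can run by default), shown as an added example that is not part of the thread or quoted from the Microsoft advisory. It assumes a SQL Server 2005 instance, the 2005 catalog views, a sysadmin session, and that the `guest` user in `master` is a fair stand-in for an ordinary low-privileged login; check replication jobs afterwards, since the procedure belongs to the replication feature.

```sql
-- Added example: audit and restrict EXECUTE on sp_replwritetovarbin.
-- Assumption: SQL Server 2005 catalog views; run as a sysadmin.
USE master;
GO

-- 1. List explicit permissions recorded for the procedure.
--    A GRANT to "public" means every authenticated user can call it.
SELECT pr.name            AS grantee,
       pe.permission_name,
       pe.state_desc      -- GRANT, DENY, ...
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class = 1       -- object-level permission
  AND  pe.major_id = OBJECT_ID(N'sys.sp_replwritetovarbin');
GO

-- 2. Apply the workaround: a DENY takes precedence over the
--    default GRANT, so ordinary users can no longer call it.
--    Members of sysadmin are not subject to permission checks.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify from a low-privileged context (assumption: guest is
--    representative of an unprivileged login on this instance).
--    HAS_PERMS_BY_NAME returns 1 if the permission is held, 0 if not.
EXECUTE AS USER = N'guest';
SELECT HAS_PERMS_BY_NAME(N'sys.sp_replwritetovarbin',
                         N'OBJECT',
                         N'EXECUTE') AS can_execute;
REVERT;
GO

-- 4. To undo once a fixed build is installed:
-- REVOKE EXECUTE ON sp_replwritetovarbin FROM public;
-- GRANT  EXECUTE ON sp_replwritetovarbin TO public;
```

Re-running the query in step 1 after the change should show a DENY row for `public`; keep that output with the change record so the setting can be reverted deliberately rather than forgotten.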

  3. Unpatched my ass by Tridus · · Score: 3, Insightful

    Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory:

    "Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."

    So it's "unpatched", unless you installed the service pack. First rate reporting here.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  4. Unpatched by Major Blud · · Score: 3, Informative

    SQL 2005 Service Pack 3 hasn't been RTM'd yet. All versions of SQL 2000 seem to be affected. This probably means that the most popular versions are affected.

    --
    If you post as Anonymous Coward, don't expect a reply.
  5. Way to drag your feet, Microsoft by Anonymous Coward · · Score: 3, Insightful

    Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:

    20081209_mssql-sp_replwritetovarbin_memwrite.txt

    Patch:
    ------

    According to an email received by Microsoft in September, a fix for this vulnerability has been completed.
    The release schedule for this fix is currently unknown.

    Vendor timeline:
    ---------------
    Vendor notified: 2008-04-17
    Vendor response: 2008-04-17
    Last response from Microsoft: 09-29-2008
    Request for update status 1: 10-14-2008
    Request for update status 2: 10-29-2008
    Request for update status 3: 11-12-2008
    Request for update status 4
    and prenotification about advisory release date: 11-28-2008
    Public release: 12-09-2008
    Update (added SQL Server 2005, thanks Moreno Zilli): 12-10-2008

    Why is Microsoft dragging their feet in releasing the patch?

  6. Takes too much energy by Anonymous Coward · · Score: 3, Funny

    dammit i was hopping that would be the workaround for once.

    I was hopping for a good long while too, but then my legs got really tired.