Microsoft warns of critical bug in SQL Server

Released attack code targets SQL Server database software

Microsoft on Monday warned customers that attack code has been released targeting a critical vulnerability in older versions of its widely used SQL Server database software, and urged users to apply a temporary workaround.

The bug was first reported to Microsoft last April by an Austrian security consulting company, SEC Consult. But the firm, apparently tired of waiting for Microsoft to decide when or whether it would release a patch, disclosed the flaw two weeks ago and published proof-of-concept exploit code.

According to SEC Consult, Microsoft has had a patch ready for nearly three months, but has declined to release it.

In a security advisory issued late Monday, Microsoft said that systems running SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) can be exploited, then hijacked by hackers.

The bug is in the "sp_replwritetovarbin" SQL Server extended stored procedure.

Newer versions of the popular software, which is used by many Web sites to power their back-end databases, are immune from attack, however. Those versions include SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008. That last version, the newest in the line, was released to manufacturing just last August.

As it often does, Microsoft downplayed the threat even as it issued the advisory. "We are aware that exploit code has been published on the Internet," said company spokesman Bill Sisk in an e-mail Monday. "However, we are not aware of any attacks attempting to use the reported vulnerability."

Attackers can exploit the bug remotely if they are able to gain access to the server through a SQL injection attack against a vulnerable Web application running on the system, Sisk acknowledged.

Successful SQL injection attacks are hardly rare; hackers have managed to compromise huge numbers of sites, even prominent commercial domains, using such attacks. Several thousand legitimate sites, for example, were hacked via SQL injection attacks in the last few weeks by criminals who then planted rogue code on their pages and attacked visitors running Internet Explorer (IE). Microsoft plugged the IE hole last Wednesday with the second emergency patch in a two-month span.

Microsoft said that denying permissions to the "sp_replwritetovarbin" extended stored procedure would protect vulnerable systems, and provided instructions on how to do that in the advisory.
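The permission-based workaround described above, as an added T-SQL example that is not from the article or from Microsoft's advisory text: it denies EXECUTE on the extended stored procedure to public and then checks that the DENY is recorded, using the catalog views on SQL Server 2005 and the legacy sysprotects table on SQL Server 2000 / MSDE 2000. It assumes it is run by a sysadmin and that nothing on the instance legitimately calls this procedure.

```sql
-- Added example, not the article's or Microsoft's own code.
-- The extended stored procedure lives in master, so work there.
USE master;
GO

-- Workaround: remove the public EXECUTE right on the affected procedure.
-- Assumption: no application or replication job needs to call it directly.
-- Try it on a non-production instance first.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Check for SQL Server 2005 and later: list every object-level permission
-- entry recorded against the procedure (class 1 = object or column).
SELECT o.name           AS object_name,
       p.state_desc     AS permission_state,   -- GRANT or DENY
       p.permission_name,                      -- e.g. EXECUTE
       pr.name          AS grantee
FROM sys.database_permissions AS p
JOIN sys.objects            AS o  ON o.object_id = p.major_id
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE p.class = 1
  AND o.name = 'sp_replwritetovarbin';
GO

-- Check for SQL Server 2000 / MSDE 2000, which have no sys.* catalog views:
-- sysprotects holds the same information as numeric codes.
SELECT OBJECT_NAME(id)  AS object_name,
       protecttype,      -- 205 = GRANT, 206 = DENY
       action,           -- 224 = EXECUTE
       USER_NAME(uid)    AS grantee
FROM sysprotects
WHERE id = OBJECT_ID('sp_replwritetovarbin');
GO
```

A row showing a DENY of EXECUTE for grantee public confirms the workaround is in place; rerun the check after any permission change, since a later GRANT to public does not override a DENY but a REVOKE of the DENY silently reopens the procedure.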

Sisk didn't commit the company to a fix, or a timeline for one, but the boilerplate phrasing he used — "Microsoft will continue to investigate this vulnerability and upon completion of this investigation, will take the appropriate actions" — typically leads at some point to a patch.

SEC Consult, however, claimed Microsoft completed a fix in September.

The company, which is headquartered in Vienna, went public with the vulnerability on Dec. 9 by publishing information and sample attack code in an advisory on its site, as well as to several security mailing lists, including Bugtraq and Full Disclosure.

In its disclosure, SEC Consult said it had been told by Microsoft in a September e-mail that a patch was finished. "The release schedule for this fix is currently unknown," SEC Consult's advisory read.

The Austrian security firm also included a timeline it said reflected the communications between it and Microsoft. According to that timetable, SEC Consult reported the vulnerability to Microsoft on April 17, 2008, and last heard back from Microsoft on Sept. 29. Four times since then — on Oct. 14, Oct. 29, Nov. 12 and Nov. 28 — SEC Consult asked Microsoft for an update on the patch release status, but received no reply.

Microsoft did not immediately respond to questions about SEC Consult's claims, including patch availability and the timeline.

Gregg Keizer

Computerworld (US)