SQL Server Flaw Discovered
December 24, 2008: In the wake of one of the most serious security flaws to date surfacing in Internet Explorer, Microsoft has warned of a new critical flaw in older versions of SQL Server.
Microsoft says that SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) are all at risk from the flaw, which enables a system to be exploited and then hijacked via an injection attack.
Newer versions of SQL Server are immune to the flaw, and for affected versions Microsoft has released a workaround, achieved by denying permissions to the "sp_replwritetovarbin" extended stored procedure.
Microsoft has been criticised by the Austrian security consulting company SEC Consult for not responding to the flaw soon enough, as the company reported the exploit two months ago. Apparently feeling that its warning was not being addressed, SEC Consult two weeks ago released details of the flaw, as well as proof-of-concept code to substantiate the threat it poses.
In a security advisory, Microsoft says that it “is not aware of active attacks that use this exploit code or of customer impact at this time”, and says that a patch is on the way.