MS Issues Critical SQL Server Flaw Warning
silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."
Exactly what is vulnerable? (Score:4, Insightful)
It is important to note that this isn't exploitable unless all of the following is true:
1. The database server is not patched (and the patches are not new).
2. Someone is able to connect directly to the database server.
3. That someone authenticates using a privileged user.
Honestly, if all three are true, then the vulnerability isn't an unchecked parameter in a stored procedure, and whatever user that is might as well "attack" using one of the built-in mechanisms to execute programs.
There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
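The three preconditions in the post above can be checked from inside a session, and the interim workaround Microsoft's advisory describes (denying EXECUTE on sp_replwritetovarbin to public) can be applied in the same script. This is an added T-SQL example, not code from the thread or from the Microsoft advisory; it assumes SQL Server 2005 or later, since HAS_PERMS_BY_NAME does not exist on SQL Server 2000, and it assumes the procedure lives in master as the advisory states.

```sql
-- Added example (not from the thread or the advisory). Assumes SQL Server 2005+.
USE master;

-- Precondition 1: is this build service-packed? The advisory lists SQL Server
-- 7.0 SP4, 2005 SP3 and 2008 as not affected; compare the output against those.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack_level;

-- Preconditions 2 and 3: who is this login, and is it privileged? An
-- application login that returns 1 for is_sysadmin turns any SQL injection
-- bug in that application into full control of the server.
SELECT SUSER_SNAME()               AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Can this login (and therefore an injected query running as it) reach the
-- procedure at all? Before the workaround, public has EXECUTE by default.
SELECT HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS can_execute_before_deny;

-- Interim workaround from the advisory: strip EXECUTE from public. Note that
-- members of sysadmin bypass DENY entirely, which is exactly why precondition 3
-- (the connecting login is privileged) matters so much.
DENY EXECUTE ON sp_replwritetovarbin TO public;

-- Verify: a non-sysadmin login should now see 0 here.
SELECT HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS can_execute_after_deny;
```

Run the first three SELECTs as the application's own login, not as a DBA, since the question is what an injected query could reach. Once the fix is installed and replication is needed again, the DENY can be lifted with REVOKE EXECUTE ON sp_replwritetovarbin FROM public.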
Unpatched my ass (Score:4, Insightful)
Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory [microsoft.com]:
"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."
So it's "unpatched", unless you installed the service pack. First rate reporting here.
Way to drag your feet, Microsoft (Score:3, Insightful)
Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:
20081209_mssql-sp_replwritetovarbin_memwrite.txt [sec-consult.com]
Why is Microsoft dragging their feet in releasing the patch?
Re:So much for time off (Score:5, Insightful)
The above is not flamebait, it's the God's honest truth.
Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.
I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.
An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where it's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.
Re:So much for time off (Score:3, Insightful)
A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!
Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.
The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.
Re:Unpatched my ass (Score:1, Insightful)
SQL 2005 SP3 has only been out for 10 days and not a lot of people are running 2008 yet, so really it's only going to be 2000 that's most likely service-packed across the board.
Re:So much for time off (Score:3, Insightful)
If you want someone to blame, blame Bernhard Mueller [computerworld.com] who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.
In the long run I think what he did was for the best. Microsoft has talked a good game lately about security and how much they value it, so you'd think they would appreciate information like this and would quickly use it. I mean, think about it. Lots of people who discover vulnerabilities immediately go public with them. I don't think there's anything wrong with that, but it has to be one hell of an inconvenience to the vendor. Here you have someone who was willing to work with the vendor and gave them far more than enough time to use his information and handle this in a much smoother way and they blew him off.
It's a shame that predictable situations that could have been easily handled often have to become big problems before anyone decides to address them, but this is often the case. The worse this one is and the more problems it causes, the more pressure there is on Microsoft to stop ignoring people who want to work with them on security issues. I am no fan of Microsoft and I personally don't like Windows, but there is a bigger picture here. No matter how I feel about them, many millions of people use Microsoft products or depend on servers that run Microsoft software and they stand to experience preventable problems when known security issues are not fixed. The Internet is a shared resource; the more secure these users are, the better the network is for everyone. There's really no excuse for how Microsoft handled this one. I don't personally use their products, but if I did, this would make me reconsider.