
MS Issues Critical SQL Server Flaw Warning

  • by The Yuckinator (898499) on Wednesday December 24, 2008 @03:23PM (#26225291)
    Happy Holidays! Now go patch the server.
    • Re: (Score:2, Insightful)

      by jugglerjon (559269)
      That's exactly what went through my head
    • by Culture20 (968837)
      This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.
      • by causality (777677) on Wednesday December 24, 2008 @03:44PM (#26225491)

        This means their people are working writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.

        A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

        • by $RANDOMLUSER (804576) on Wednesday December 24, 2008 @04:27PM (#26225787)
          The above is not flamebait, it's the god's honest truth. The only thing that he forgot to mention is that the people demanding that this patch be put in ASAP are already at home spending "quality time with their families" while the likes of us are patching servers.
          • by causality (777677) on Wednesday December 24, 2008 @06:07PM (#26226451)

            The above is not flamebait, it's the god's honest truth.

            Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.

            I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.

            An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where it's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.

        • Re: (Score:3, Insightful)

          by Wrath0fb0b (302444)

          A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

          Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.

          The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff en

          • by causality (777677)

            A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!

            Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.

            The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.

            You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias [wikipedia.org]. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.

            In an attempt to simplify what I am trying to convey, I'll emphasize that what I am really commenting on are our priorities.

            • You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.

              But that's exactly the point -- society has a general mechanism for deciding on what should be open and closed according to the priorities of the populace. We decide some things need to be open, while others need not.

              I'll emphasize that what I am really commenting on are our priorities. [snip] [Consumer goods] are so much more valuable than quality time with people you love that whenever there is a schedule conflict, quality time is sacrificed? Do you believe that joyous, grateful, harmonious, fulfilled lives are built on this premise?

              I believe very strongly in letting each individual determine her priorities according to whatever criteria best suit her. A corollary is that each individual should negotiate her own employment contract that best reflects her particular preferences.

              It's the sort of thing that you can't really use facts and logic to prove. I can't write an equation that will rigorously demonstrate for you that one value system is superior to another. For this reason, if you disagree with me, then I do not believe that any amount of argument is going to result in agreement. I just wanted you to better understand what you are disagreeing with, as it is something more significant than the rather trivial objection you raise.

              It's not a matter of computing whether one val

    • When Microsoft has not come up with a fix for a problem they have been working on since April 2008, why expect a patch soon?

      Link [computerworld.com]

  • by Anonymous Coward on Wednesday December 24, 2008 @03:36PM (#26225425)

    It is important to note that this isn't exploitable unless all of the following is true:

    1. The database server is not patched (and the patches are not new).
    2. Someone is able to connect directly to the database server.
    3. That someone authenticates using a privileged user.

    Honestly, if all three are true then the vulnerability isn't an unchecked parameter in a stored procedure and whatever user might as well "attack" using one of the built-in mechanisms to execute programs.

    There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.

    This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

    • Re: (Score:1, Funny)

      by Techmeology (1426095)

      This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

      You mean the kind of person who'd use Microsoft software in a security critical situation?

      • Re: (Score:3, Interesting)

        by causality (777677)

        This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

        You mean the kind of person who'd use Microsoft software in a security critical situation?

        This is modded "Flamebait" but really this is just the "use the right tool for the job" idea. I know that if I were dealing with a medium or large organization and it were up to me, I would consider using Microsoft software for the end-user's desktop machines. It would be the most familiar software for the users, it's reasonably easy for them to use, and the network on which it is deployed can be locked down (which would, of course, include making sure that no Windows machine has a public IP address).

        I

        • by Shados (741919)

          Ever notice that most *nix admins can handle Windows but most Windows admins do not know their way around a *nix system? It's another sign that this is not a culture of carefully considering all available options, as in show me an administrator who is highly skilled with both *nix and Windows who still prefers Windows, and I'll call that a legitimate preference (and a member of a small minority).

          I'm sorry here, but I have to correct you. I hear that quote a lot, how a *nix admin can handle windows but not

          • by causality (777677)

            I'm sorry here, but I have to correct you. I hear that quote a lot, how a *nix admin can handle windows but not the other way around. That always leaves out one little detail. Someone with no experience as a sysadmin at all can handle Windows. You just need to know the basics. The UI is basically self explanatory.

            That's fine and good, right up until there is an intrusion attempt or complex problem for which the UI doesn't have a prefabricated solution or a need to understand security in terms more advance

            • by Shados (741919)

              In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to lea

              • by causality (777677)

                In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to lea

                • by Shados (741919)

                  I totally agree with you on that. However, the things that are platform independent are a fraction of what managing a server is all about... IIS has concepts that Apache doesn't have, Active Directory has stuff that open LDAP implementations do not. Exchange is a beast on its own. The "hard" part of administrating these things are knowing the details of these tools. I fully agree with you that someone who can use IPTables can circle around anything Windows can throw at them, but let's say, the .NET security c

          • I've used both Linux and Windows for servers for a decade.

            I think Windows 2008 "core" mode is going to be too little too late. The more time I spend working with Linux servers, the power of the command line, the "everything is a file" mindset of Unix/Linux, and the sheer openness of the underlying tech - the less certain I am that Windows makes a good server product.

            At least, if you don't want to spend lots and lots of money on add-on packages.

            Some of the high points that have made my job easier in t
    • by Anonymous Coward on Wednesday December 24, 2008 @05:37PM (#26226263)

      It is important to note that this isn't exploitable unless all of the following is true:

      You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.

      1. The database server is not patched (and the patches are not new).

      There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:

      "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."

      Now, some versions of sql server are not affected at all by this bug, which is different from a patch being available.

      2. Someone is able to connect directly to the database server.

      Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.

      3. That someone authenticates using a privileged user.

      No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.

      This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.

      You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.
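The check and workaround the replies above describe, as an added T-SQL example that is not code from the thread or from Microsoft's advisory as quoted here: it reports the product level (the advisory quoted further down lists SQL Server 7.0 SP4, 2005 SP3 and 2008 as not affected), lists who currently holds EXECUTE on the extended stored procedure sp_replwritetovarbin in master, applies the deny-to-public workaround, and verifies it from the point of view of an ordinary login. The catalog views, EXECUTE AS and HAS_PERMS_BY_NAME need SQL Server 2005 or later; the DENY statement itself also works on SQL Server 2000. The login name app_user is an assumed, hypothetical low-privilege login, not anything from the page.

```sql
-- Added example, not from the advisory or the thread.
-- Assumes SQL Server 2005+ for the catalog views and HAS_PERMS_BY_NAME;
-- the DENY in step 3 is the same on SQL Server 2000.
USE master;
GO

-- 1. Service-pack level. Per the advisory quoted in this thread,
--    7.0 SP4, 2005 SP3 and 2008 are not affected; anything else needs the workaround.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;
GO

-- 2. Who can EXECUTE sp_replwritetovarbin right now?
--    In a default configuration PUBLIC holds EXECUTE, so every login,
--    including a low-privilege application login, can reach it.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                                   -- OBJECT_OR_COLUMN
  AND pe.major_id = OBJECT_ID('master.dbo.sp_replwritetovarbin');
GO

-- 3. Workaround: deny EXECUTE to PUBLIC. A DENY to public overrides the
--    default GRANT for every non-sysadmin principal. sysadmin members bypass
--    permission checks anyway, and they can already run arbitrary code.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 4. Verify as an ordinary login ('app_user' is a hypothetical low-privilege
--    login assumed for this example). HAS_PERMS_BY_NAME returns 0 once the
--    DENY is in place, so an injected call from the application context fails.
EXECUTE AS LOGIN = 'app_user';
SELECT HAS_PERMS_BY_NAME('master.dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS app_user_can_execute;
REVERT;
GO
```

The DENY has to be applied on every affected instance and does not replace a fix from the vendor; it only closes the default path through which an unprivileged login, or a SQL injection running as one, reaches the procedure. Step 2 is worth re-running after the change to confirm the DENY row appears alongside the original GRANT.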

    • There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.

      You'd be amazed at how many databases are vulnerable to SQL Injection. This attack would take a normal SQL Injection attack that can only modify things in the database, and give you access to the full server though, so it's more of a privilege escalation than anything. On the other hand, most of the websites I've seen vulnerable to SQL Injection were hosted cheap using mysql, so maybe it's not that bad.

  • dammit i was hopping that would be the workaround for once.

    In fairness, it seems to only affect you if you don't properly parse the sql input from a web application, so if the attacker is using this exploit they are already 'in'.

    • by Anonymous Coward

      dammit i was hopping that would be the workaround for once.

      I was hopping for a good long while too, but then my legs got really tired.

  • localhost (Score:3, Informative)

    by jaavaaguru (261551) on Wednesday December 24, 2008 @03:52PM (#26225547) Homepage

    Or just don't make the database servers available on the Internet?

    • by pembo13 (770295)
      Regardless of OS, this should be a general rule of thumb.
  • Unpatched my ass (Score:4, Insightful)

    by Tridus (79566) on Wednesday December 24, 2008 @04:25PM (#26225771) Homepage

    Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory [microsoft.com]:

    "Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."

    So it's "unpatched", unless you installed the service pack. First rate reporting here.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      SQL 2005 SP3 has only been out for 10 days and not a lot of people are running 2008 yet, so really it's only going to be 2000 that's most likely service-packed across the board.

  • Linux (Score:2, Funny)

    by IsaacD (1376213)
    Linux is entirely impenetrable and never requires updates of any sort. Any database application running on Linux is completely, without question, capable of becoming self aware and defending itself from assassins known as Microsoft products. If you have ever even seen a Microsoft "product" in use then you are a complete and total buffoon, you are incapable of breathing on your own, and you do not deserve the oxygen you consume. A wet paper bag is more secure than all of Microsoft's products. Linux is built
    • Linux is built by titanium-skinned gods that were trained by magical ninja fairies.

      I, for one, welcome our metal-god-educated-mystical-assassin-fairy overlords.

  • Unpatched (Score:4, Informative)

    by Major Blud (789630) on Wednesday December 24, 2008 @04:36PM (#26225855) Homepage
    SQL 2005 Service Pack 3 hasn't been RTM'd yet. All versions of SQL 2000 seem to be affected. This probably means that the most popular versions are affected.
  • by Anonymous Coward on Wednesday December 24, 2008 @04:58PM (#26226005)

    Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:

    20081209_mssql-sp_replwritetovarbin_memwrite.txt [sec-consult.com]

    Patch:
    ------

    According to an email received by Microsoft in September, a fix for this vulnerability has been completed.
    The release schedule for this fix is currently unknown.

    Vendor timeline:
    ---------------
    Vendor notified: 2008-04-17
    Vendor response: 2008-04-17
    Last response from Microsoft: 09-29-2008
    Request for update status 1: 10-14-2008
    Request for update status 2: 10-29-2008
    Request for update status 3: 11-12-2008
    Request for update status 4
    and prenotification about advisory release date: 11-28-2008
    Public release: 12-09-2008
    Update (added SQL Server 2005, thanks Moreno Zilli): 12-10-2008

    Why is Microsoft dragging their feet in releasing the patch?

  • Patch available here [mysql.com].
    • by Shados (741919)

      All that patch does is disable 95% of the features...you can do that without downloading anything.

  • FYI - My dentist's web site has been hijacked by a redirect to some site that tries to install trojans/viruses, and a local government website has been listed by google as an attack site... I called the county office, but with eggnog in the air, not much of a response. Luckily I was using my Mac when I browsed... Not sure if these two examples are linked to this SQL exploit, but it seems suspicious. YES WE DID! (not patch, or use Linux)
  • "By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is / may be possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL server process. In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone. The vulnerability can be exploited by an authentica
