MS Issues Critical SQL Server Flaw Warning
silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."
So much for time off (Score:5, Funny)
Re:So much for time off (Score:5, Funny)
This means their people are working on writing/testing the patch too. I wonder how much nicer it might be for the internet backbones to take a holiday off.
A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!
Re:So much for time off (Score:4, Insightful)
Re: (Score:3, Insightful)
If you want someone to blame, blame Bernhard Mueller [computerworld.com] who knew about and told MSFT about the bug in April and waited until NOW to disclose it to the world. He says in the article that MSFT started blowing him off in September, yet he waits until NOW to disclose? The least the ass could have done is waited until after Xmas IMHO. If the damn thing has been sitting there since April without a major attack it could have waited a few more weeks. Or if he really had a giant bug up his butt to disclose he could have done it in the first weeks of November after being blown off by MSFT for a month. Releasing the details NOW just seems kinda shitty to me.
In the long run I think what he did was for the best. Microsoft has talked a good game lately about security and how much they value it, so you'd think they would appreciate information like this and would quickly use it. I mean, think about it. Lots of people who discover vulnerabilities immediately go public with them. I don't think there's anything wrong with that, but it has to be one hell of an inconvenience to the vendor. Here you have someone who was willing to work with the vendor and gave them
Comment removed (Score:5, Interesting)
Which is why I think that we should all agree on a standard 90 day rule and press the security researchers to enforce it. That way any company that gets a vulnerability reported knows EXACTLY how long they have to get either a patch or a work around out the door, and anyone who releases before the 90 days is up should be looked down upon for making the web more dangerous for us all. Because as it is now MSFT and any other company can just sit on their collective asses and when the vulnerability finally gets disclosed claim they "didn't have enough time" and then harp upon the guy who found it for being "irresponsible" for not sitting on it. With a standard 90 days there isn't any confusion or doubt as to when the news is being released.
You got told of a new vulnerability? You have 90 days from today, no more, no less. And if a company can't get off their collective asses and put out a patch or at least a work around then they suck and deserve whatever they get. And if they screamed "irresponsible" then everyone would simply say "everyone else gets theirs done in the standard 90 days, why the hell can't you?" instead of the worthless blame game that goes on now.
Ninety days sounds like an excessively long time to me, considering that the (largely unpaid volunteers of the) open-source community typically patch high-profile remotely-exploitable vulnerabilities in a matter of hours. In my opinion, 30 days would be quite generous. This is especially true when you consider that it's always possible that the black hats have also independently discovered $VULNERABILITY and are quietly exploiting what almost no one else even knows about.
If you are dealing with an enti
Re:So much for time off (Score:5, Insightful)
The above is not flamebait, it's the god's honest truth.
Yeah, I've noticed the mods are rather trigger-happy lately (merry Christmas to them, too). Sometimes I think we need a "-0 I Dislike What You Said" mod so people can quit using Flamebait/Offtopic for this reason. I can look at the screwed-up priorities and materialism of this culture and I can either feel very bad about it because it's sad or I can joke about it because it's absurd. Having tried both, I choose the latter.
I don't just think Christmas or other holidays that supposedly have a religious/spiritual/otherwise immaterial tradition have become over-commercialized. I think we've effectively elevated making money, maybe going to school, and getting a job so you can have kids who grow up to make money, maybe go to school, and get a job, ad infinitum, into something like the purpose of existence since most people cannot or will not either find their own reason for being here on Earth or accept that there may not be a purpose at all.
An AC below says that you have decided to prioritize money over family. I don't believe it's quite that simple. Most of the time, going against the crowd is just a simple matter of courage, but this is one of the few areas where it's rather difficult to make other choices when almost no one else does. Let's assume (to make a point) that the vast majority of people are giving highest priority to work/money. If you don't, your employer may start to see you as unwilling, lazy, or "not a team player" when you don't want to work as many hours during the holiday season as the other employees. It's also hard to enjoy something like quality time with people who do not value it as much as you do and have decided to go make money instead. Any real change to this system would have to be a change to the culture itself; in the meantime, all you can do is lead by example.
Re: (Score:3, Insightful)
A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!
Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.
The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff en
Re: (Score:2)
A holiday off? We can't do that, it might interfere with someone making money. This is the USA goddammit, we can't start placing quality time or family members above making money, we've got our priorities!
Who said anything about making money? Most of the fine people celebrating at home have a pretty reasonable expectation that they will have power, heat, emergency rooms, police, fire, EMT, ATC, gas stations and their internet pr0n. Just because some baby was born in a manger does not mean we have to shut down all of civilization.
The normal thing to do here is for the business/service to decide on a minimum level of service (in the case of the police/fire/ER, hopefully not too minimal) and pay their staff enough to want to show up. Part of the pay that police, ER doctors and IT professionals receive includes being on-call for the unexpected times when the shit hits the fan. That should be spelled out in your contract, including whatever level of bonus pay you expect for such work.
You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias [wikipedia.org]. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.
In an attempt to simplify what I am trying to convey, I'll emphasize that what I am really commenting on are our priorities.
Re: (Score:2)
You seem to be choosing the most mission-critical life-or-death jobs like police, firefighters and EMTs and then using their situation to make a generally applicable point. This doesn't work and is a good example of confirmation bias. The vast, vast majority of jobs are not life-or-death and would not constitute "shutting down all of civilization" if those folks had more time off.
But that's exactly the point -- society has a general mechanism for deciding on what should be open and closed according to the priorities of the populace. We decide some things need to be open, while others need not.
I'll emphasize that what I am really commenting on are our priorities. [snip] [Consumer goods] are so much more valuable than quality time with people you love that whenever there is a schedule conflict, quality time is sacrificed? Do you believe that joyous, grateful, harmonious, fulfilled lives are built on this premise?
I believe very strongly in letting each individual determine her priorities according to whatever criteria best suit her. A corollary is that each individual should negotiate her own employment contract that best reflects her particular preferences.
It's the sort of thing that you can't really use facts and logic to prove. I can't write an equation that will rigorously demonstrate for you that one value system is superior to another. For this reason, if you disagree with me, then I do not believe that any amount of argument is going to result in agreement. I just wanted you to better understand what you are disagreeing with, as it is something more significant than the rather trivial objection you raise.
It's not a matter of computing whether one val
Re: (Score:2)
When Microsoft has not come up with a fix for a problem they have been working on since April 2008, why expect a patch soon?
Link [computerworld.com]
Exactly what is vulnerable? (Score:4, Insightful)
It is important to note that this isn't exploitable unless all of the following is true:
1. The database server is not patched (and the patches are not new).
2. Someone is able to connect directly to the database server.
3. That someone authenticates using a privileged user.
Honestly, if all three are true then the vulnerability isn't an unchecked parameter in a stored procedure and whatever user might as well "attack" using one of the built-in mechanisms to execute programs.
There is the argument that this can be exploited via SQL injection, but again, that means that the application is already vulnerable and using a privileged user context.
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
Re: (Score:3, Interesting)
Funny. Being a DBA, I always say the same thing about developers....
But in all honesty, you're partially correct in that good DBAs are hard to come by. In the 10+ years I've been working in the field I can immediately think of three examples of DBAs that fit your description:
1) A DB2 DBA working for a large state government agency who couldn't write a SELECT statement.
2) A lady claiming to be an "MS Access DBA"
3) A guy who designed an OLTP database used for tracking help desk tickets that contained
Re: (Score:3, Interesting)
I think the issue is unrealistic expectations. 10 years ago, being a DBA in the sense many companies want it (an SQL guru who can do whatever with the database and lock it down and administrate it) was possible.
Today, enterprise grade RDBMS are very complex, SQL is more than just a query language, and databases tend to support more (.NET, java, python, etc). Administrating them is just as tough as administrating servers. It can be a full time job for a large company. So you end up with 2 different "jobs". A
Re: (Score:1)
Semi Off-Topic but exactly where does one start off learning to be a good DBA? I've been a "jack of all trades" IT professional for Windows and Linux for 15 years and looking to finally specialize. I see database administration as the direction I want to go but feel as though I only know enough to be "dangerous". And if you say MS-DBA school I'm going to scream ...
Re: (Score:2)
The old Microsoft Certified DBA exams weren't that difficult, and there were some good things in there that were not just Microsoft-specific. (I finished the MCDBA cert back in 1999/2000; I've never recertified since then.) But I've been mucking with databases since the dBase III / CA-Clipper days and I can generally get around in 3 or 4 different database packages.
Beyond that, start playing with at least 2 or 3 different dat
Re: (Score:1, Funny)
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
You mean the kind of person who'd use Microsoft software in a security critical situation?
Re: (Score:3, Interesting)
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
You mean the kind of person who'd use Microsoft software in a security critical situation?
This is modded "Flamebait" but really this is just the "use the right tool for the job" idea. I know that if I were dealing with a medium or large organization and it were up to me, I would consider using Microsoft software for the end-user's desktop machines. It would be the most familiar software for the users, it's reasonably easy for them to use, and the network on which it is deployed can be locked down (which would, of course, include making sure that no Windows machine has a public IP address).
I
Re: (Score:2)
I'm sorry here, but I have to correct you. I hear that quote a lot, how a *nix admin can handle windows but not
Re: (Score:2)
That's fine and good, right up until there is an intrusion attempt or complex problem for which the UI doesn't have a prefabricated solution or a need to understand security in terms more advance
Re: (Score:2)
In that case, with the added clarification, I have to say, there's no way a Unix sysadmin can just come up and admin a Windows Server. It seems like they can because they can "click around", but doing it "right", it requires experience and/or training, in which case, both will be lost in the other's environment (again though: since the basic tasks will require absolutely no training in Windows, it may give the impression that the Unix sysadmin "can admin a Windows box". They cannot, there's just less to lea
Re: (Score:2)
I totally agree with you on that. However, the things that are platform independent are a fraction of what managing a server is all about... IIS has concepts that Apache doesn't have, Active Directory has stuff that open LDAP implementations do not. Exchange is a beast on its own. The "hard" part of administrating these things are knowing the details of these tools. I fully agree with you that someone who can use IPTables can circle around anything Windows can throw at them, but let say, the .NET security c
Re: (Score:2)
I think Windows 2008 "core" mode is going to be too little too late. The more time I spend working with Linux servers, the power of the command line, the "everything is a file" mindset of Unix/Linux, and the sheer openness of the underlying tech - the less certain I am that Windows makes a good server product.
At least, if you don't want to spend lots and lots of money on add-on packages.
Some of the high points that have made my job easier in t
Re:Exactly what is vulnerable? (Score:5, Informative)
It is important to note that this isn't exploitable unless all of the following is true:
You are flat out wrong, on all three points, along with the idiots who modded you insightful. RTFA.
1. The database server is not patched (and the patches are not new).
There is no patch! The only workaround is to disable execution of an extended stored procedure. Maybe you should read the line that says:
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process."
Now, some versions of sql server are not affected at all by this bug, which is different from a patch being available.
2. Someone is able to connect directly to the database server.
Or they get something else to run this extended stored procedure. Since this is normally regarded as harmless, it's easier than you think.
3. That someone authenticates using a privileged user.
No! In sql server, there are many things that ANY user can use by default, like SELECT GETDATE() which returns the system date & time. By default, this extended stored procedure, sp_replwritetovarbin, can be executed by ANY user.
This will be exploited only in the situation where the DBA is a complete and total moron of the highest degree.
You know, I think it's a good idea when the DBAs can actually read and understand what they are reading.
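As an added example (not from the post above, nor Microsoft's own text), here is the T-SQL a DBA would run to check a SQL Server 2000 or 2005 instance for the exposure the post describes and to apply the "deny execution of the extended stored procedure" workaround it mentions. The procedure name sp_replwritetovarbin and the fact that public can execute it by default come from the thread; the choice of SERVERPROPERTY and sp_helprotect for the checks, and the exact DENY statement, are my assumptions about how to carry that out.

```sql
-- Added example, not from the thread or the advisory: check exposure to the
-- sp_replwritetovarbin issue and apply the deny-execute workaround.
-- Run as a member of sysadmin against master, where extended procedures live.
USE master;
GO

-- 1. Which build is this? The thread quotes the advisory as listing
--    SQL Server 7.0 SP4, 2005 SP3 and 2008 as not affected. Anything
--    older (e.g. 2005 at 'SP2', or 2000 at 'SP4') still needs the workaround.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;
GO

-- 2. Who may run the extended procedure right now? On an unmitigated
--    instance the output lists an Execute grant for public, which is the
--    "ANY user" default the post describes. sp_helprotect is used here
--    because it works on both SQL Server 2000 and 2005.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO

-- 3. Workaround: explicitly deny EXECUTE to public. A DENY overrides any
--    GRANT a login holds through role membership, so ordinary logins lose
--    access even though the default grant still exists. Members of sysadmin
--    bypass permission checks entirely, so this does nothing against an
--    attacker who already holds sa-level rights; only a patch closes that.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 4. Verify: the permission list should now show a Deny row for public.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO
```

Step 2 is the part worth keeping around: the same sp_helprotect check, run across every instance an application account can reach, tells you which servers are still exposed regardless of what the DBA believes the defaults to be.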
Re: (Score:3, Informative)
There is, sort of: the latest service packs, except for SQL Server 2000 (for which it's a genuine problem, if I understand well). The catch is that SQL Server without service pack is fully supported, so Microsoft must provide patches so you can fix it without needing the service packs for the other editions. Still, the line between a patch and a service pack is thin...
Re: (Score:2)
"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue." [microsoft.com]
Use linux? (Score:2)
dammit i was hopping that would be the workaround for once.
In fairness, it seems to only affect you if you don't properly parse the SQL input from a web application, so if the attacker is using this exploit they are already 'in'.
Re: (Score:2)
Often people think it's not funny, but they don't think seriously enough about things before using Microsoft (or other for that matter) software.
*still wondering how long it'll be before the unprotected, single MS SQL database used for everything in 16+ companies crashes because of a Windows exploit*
explaining the joke (Score:2, Funny)
There's an old joke: "Doc, it hurts when I do this." (wiggles arm) Doc replies, "Well, don't do that."
It's a joke because the patient has a reasonable expectation that he should be able to wiggle his arm, so the doc's advice doesn't really solve the problem.
If we changed the joke to, "Doc, it hurts when I hit myself in the head with a hammer and then jam a sodium hydroxide-coated piece of barbed wire up my urethra," and the do
Takes too much energy (Score:3, Funny)
dammit i was hopping that would be the workaround for once.
I was hopping for a good long while too, but then my legs got really tired.
localhost (Score:3, Informative)
Or just don't make the database servers available on the Internet?
Re: (Score:2)
Then any customer of said providers should be given VPN credentials to access the network the database is on. That way the connection traffic is all encrypted, also.
Unpatched my ass (Score:4, Insightful)
Slashdot does it again with quality reporting. From the very first paragraph of the MS advisory [microsoft.com]:
"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue."
So it's "unpatched", unless you installed the service pack. First rate reporting here.
Re: (Score:1, Insightful)
SQL 2005 SP3 has only been out for 10 days and not a lot of people are running 2008 yet, so really it's only going to be 2000 that's most likely service-packed across the board.
Re: (Score:2)
Utter bullshit.
SQL Server 2005 Service Pack 3:
Date Published: 10/27/2008
That's more like two months.
Re: (Score:2)
Well, it seems it was only CTP and not production ready.
I stand corrected.
Linux (Score:2, Funny)
Re: (Score:2)
Linux is built by titanium-skinned gods that were trained by magical ninja fairies.
I, for one, welcome our metal-god-educated-mystical-assassin-fairy overlords.
Re: (Score:1)
I bet Chuck Norris would be scared ...
Unpatched (Score:4, Informative)
Re: (Score:2, Informative)
SP3 was released on 15-Dec:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ae7387c3-348c-4faa-8ae5-949fdfbe59c4&displaylang=en [microsoft.com]
Re: (Score:1)
That is incorrect: http://blogs.technet.com/dataplatforminsider/archive/2008/12/10/sql-server-2005-sp3-now-available-for-download.aspx [technet.com].
Re: (Score:2)
Good advice if you're a developer or an administrator in an MS shop is to read the MSDN blogs of the teams for those products you're using. They tend to announce all the new stuff (not just new releases, but also SPs and even bugfixes) ahead of everyone else; a couple of times I've seen a post in the blog feed with links to an MS security advisory or a KB article which didn't exist yet (but popped into existence in an hour or so).
Way to drag your feet, Microsoft (Score:3, Insightful)
Zero-day? Hardly. Microsoft has known about this vulnerability for quite a while. From the Sec-Consult group who first put out its advisory two weeks ago--the same time that the IE7 vulnerability came out:
20081209_mssql-sp_replwritetovarbin_memwrite.txt [sec-consult.com]
Why is Microsoft dragging their feet in releasing the patch?
I've got a solution (Score:2)
Re: (Score:2)
All that patch does is disable 95% of the features...you can do that without downloading anything.
Two sites I visit... (Score:2)
Hardly a huge deal (Score:1)