Microsoft SQL Server Vulnerability Discovered

Within a few days after plugging a critical security hole in Internet Explorer, Microsoft has confirmed the existence of potential security threat in its business class SQL Server database software.

The software giant issued security advisory on Monday evening, asserting that the vulnerability could be exploited to run malicious software on systems with versions of Microsoft SQL 2000 and Microsoft SQL 2005.

In addition to these versions the vulnerability could also affect Microsoft SQL 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), and Windows Internal Database.

However, SQL Server 2008, SQL Server 7.0 Service Pack 4, and SQL Server 2005 Service Pack 3 are found to be unaffected from the flaw, Microsoft added.

The attack code that exploits the vulnerability has been published in the security advisory, but the company said that it has not observed the use of this code in launching online attacks.

Discussing the methods of exploiting the vulnerability, Microsoft wrote in its security bulletin, “This vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate”.

Microsoft avowed that it is investigating the issue continuously, and will provide the security patch, if required, either in the form of special download, or as part of its famous “Patch Tuesday” cycle.

Go To Page 2 for our comments and more related links

Our Comments

This is a serious bug and couldn't happen at a worse time. Many businesses will be closing for the next two weeks and the next "Patch Tuesday" will happen on the 6th of January 2009. In the meantime, expect cyber criminals to work overtime to try to exploit the weakness while businesses are off.

Related Links

Microsoft confirms SQL Server vulnerable to injection attacks

(TG Daily)

Microsoft Confirms New SQL Server Threat

(Information Week)

Microsoft Warns of SQL Attack

(PC World)

Microsoft warns of SQL Server vulnerability

(CNet)

Microsoft acknowledges a long-standing SQL Server flaw

(Beta News)

MS-SQL Injection Flaw Exploit Code Surfaces

(Enterprise IT Planet)

SQL Injection Hits Amid the Holidays

(Redmond Developer)

Microsoft warns of critical bug in SQL Server

(Computer World)