Microsoft is currently investigating what appears to be a rather worrying remotely executable exploit for its SQL Server database product, similar to that which spawned the Slammer worm back in 2003.
An advisory posted to the company's TechNet site on Monday gave details of an investigation into “new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (Wyukon).”
According to CNet, the flaw being scrutinised is the same one that was published by Bernhard Mueller of the SEC Consult Vulnerability Lab on the 4th of December. In the vulnerability disclosure Mueller reveals that Microsoft has known about the issue since April this year, and has a fix which “has been completed[, but] the release schedule for this fix is currently unknown.”
It's something Microsoft will be wanting to get out of the door as soon as possible: Mueller included test exploit code as part of his disclosure, which makes it a lot easier for an attacker to start hunting down vulnerable systems. Thankfully, the issue is somewhat mitigated by the presence of an unofficial workaround: as a database administrator, execute the SQL statement “execute dbo.sp_dropextendedproc 'sp_replwritetovarbin'” to block the hole.
With similar remotely executable holes in Microsoft's SQL Server being used to spread rather nasty worms in the past, the company will no doubt be hoping that it can get a patch tested and made available before something really nasty gets through.
Do we have any database admins reading who are sick of the number of security bulletins Microsoft seems to issue for SQL Server, or is it the best of a bad bunch? Share your thoughts over in the forums.