Microsoft warns of SQL Server vulnerability
Microsoft issued an advisory late Monday confirming a remote code execution vulnerability affecting its SQL Server line.
The vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).
Not affected by this issue, Microsoft said, are systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.
From Microsoft's advisory:
Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.
Microsoft said it was unaware of any active attacks utilizing the exploit code.
The advisory comes less than a week after Microsoft released a critical security patch for Internet Explorer vulnerabilities that attackers were already actively exploiting.
Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.
I hope this brings the Apple cult back down to reality.
"I hope this brings the Apple cult back down to reality."
Too bad Apple didn't have a professional like you on the beta testing team. Anyway, our reality is back up on top, where it belongs:
http://www.macworld.com/article/137717/2008/12/mailupdate.html?lsrc=rss_main
...and MySQL would be the winner here (but then, Oracle rocks as well - if it weren't so expensive).
/P
Well, I am ready for them with the sporadic crashes that Mail in 10.5.6 is experiencing.
-------------------------------------------------------------------------
Dude, bull plop doesn't look attractive on you. I'm actually running 10.5.6 right now, without issue. Mail is rock solid, as is Safari, Firefox, iChat, iCal, Screen Sharing, Terminal and Parallels (only there to test a GUI interface that's currently winblows only). They've all been running for days without a single crash, on a Mini even.
(Why Safari AND Firefox? Because I have restrictions on Safari like a script blocker and an ad blocker that I'm not running on Firefox. Safari is my primary browser here, with Firefox only used when the script blocker gets in my way.)
http://www.macworld.com/article/137717/2008/12/mailupdate.html?lsrc=rss_main
My bad. The good news is Apple has a fix, assuming you actually are running 10.5.6 and are suffering the Mail crash problem.
Break the wedge!
www.breakthewedge.com
Yes and No. You cannot completely isolate an SQL server if a website depends on it... and if you have a dynamic website (or dynamic content), you have to have it connect to the DB somehow.
There are ways to secure your database, even if it faces the world at large. MySQL had managed to do very well in this aspect for a very long time, and Oracle has been solid in this aspect as well (in spite of Oracle's irritating habit of taking forever to release a patch).
OTOH, Blaster managed to blow through literally hundreds of thousands of MSSQL installations online in less than a few hours... fortunately for MSFT and the end-users who had to rely on the product, Blaster wasn't all that destructive.
I just hope for Microsoft's sake that this doesn't turn out to be anything near as rapid as Blaster was, because I suspect that this go 'round, there's likely to be a destructive payload.
/P
BTW, when are you going to back up your lie that "any 13-year-old in Eastern Europe can write a script" to hack Windows? How come they didn't do it at the last hackers' Pwn to Own competition? Why don't you just admit that you were spewing BS?
Yes and no (again)... it all depends on how the server(s) is(are) set up. If you dual-NIC it, then yes it can be (which is why I wrote "There are ways to secure your database, even if it faces the world at large"). But, doing that on a hosted server isn't exactly going to be easy (meanwhile a LAMP server can have the whole wad sitting right there in public, with only PHP to worry about). Also, it isn't always practical (or sometimes even workable) to take that route (depending on how the site is written).
As for this alleged "lie" you harp on, what have you been smoking? I've seen distortions before, but if you have to take a generalization and call that a "lie", you have bigger problems with participating in this debate than merely using bad logic. ;)
If you don't want people to take you at your word... well... I don't know. He's just asking you to back up your claim that you made previously here on CNET. It wasn't a generalization back then; you were quite specific.
As to securing the databases, so far SQL Server 2005 fared better than MySQL 5.x and Oracle 10g (all released in 2003).
Oracle: http://secunia.com/advisories/product/3387/?task=statistics
MySQL: http://secunia.com/advisories/product/8355/?task=statistics
SQL Server: http://secunia.com/advisories/product/6782/?task=statistics
One only needs a license, once you put the database into production, so if you are new and need a year to learn it, no need to worry about it expiring, like it will with MS.
MySQL is cool too.
Quite opposite to Oracle's claims, their database is far from being unbreakable: critical patches are coming out every three months, and if you haven't run into any Oracle bug during development, you hardly developed anything useful on Oracle.
Running Microsoft software (aka "the I.T. Managers Full Employment Act") means never having to say "I was just laid off".
You can isolate the SQL server so that it only responds to the server hosting the web site and your management station. Of course, that just shifts the security issue to those units, but that's all part of the game.
Recent reports of what Sun is doing to MySQL are not heartening. MySQL's best days may be in its past, not its future. The sky isn't falling yet, of course.
Remember that the vulnerability that Blaster exploited was patched long before the worm itself was released. Blaster (should have) trained admins to patch their software and treat all Internet-based and most local-based traffic as the enemy.
If an install of the affected versions was modified from default to accept remote connections or allow untrusted user access, or has a pre-existing SQL injection vulnerability, you've had issues prior to this exploit notice.
If you don't know what sp_replwritetovarbin does, then you're probably not using it, so disabling it won't affect you.
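The "disable it" workaround the comment above refers to, as an added T-SQL example that is not from the article, the comments or Microsoft's advisory text: it denies EXECUTE on sp_replwritetovarbin to public in master and then verifies the deny. It assumes a sysadmin session and, for the verification query, the sys.database_permissions and sys.database_principals catalog views, which exist from SQL Server 2005 onward (on SQL Server 2000 / MSDE 2000 only the DENY part applies).

```sql
-- Added example: apply and verify the sp_replwritetovarbin workaround.
-- Assumes a sysadmin connection; run in SSMS or sqlcmd (GO is the batch separator).
USE master;
GO

-- Only act if the procedure exists on this instance; versions the advisory
-- lists as unaffected may not carry it at all.
IF OBJECT_ID(N'dbo.sp_replwritetovarbin', N'P') IS NOT NULL
BEGIN
    -- Revoke the default public EXECUTE right so that a SQL-injected or
    -- low-privileged session can no longer reach the procedure.
    DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
    PRINT 'EXECUTE on sp_replwritetovarbin denied to public';
END
ELSE
    PRINT 'sp_replwritetovarbin not present on this instance';
GO

-- Verification (SQL Server 2005+ catalog views): expect one row for the
-- public principal with permission_name = 'EXECUTE' and state_desc = 'DENY'.
-- No row means the workaround is not in place.
SELECT pr.name            AS grantee,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id   = OBJECT_ID(N'dbo.sp_replwritetovarbin');
GO
```

The verification query is the part worth keeping in a compliance check: rerun it after patching or restoring master, since a restore from an older backup silently drops the DENY.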
by adrottenberg, December 23, 2008 7:09 PM PST
According to the MS article this only affects sites that are already vulnerable to SQL injection. Any site that's not protected against SQL injection is relying on pure luck; they can be wiped out any day by an attacker.
SQL Server 2005 has not until now had a single vulnerability reported. It's already more than 3 years after it shipped.