Comments on: Microsoft warns of SQL Server vulnerability

Software giant issues an advisory that it is investigating a remote code execution vulnerability affecting its SQL Server line.

[8301]

Cue the fanboy Mac vs. PC squabble in 3... 2... 1...

[Clarious]

It is about MS SQL server, you should expect Linux vs Windows.

[Mr. Dee]

Well, I am ready for them with the sporadic crashes that Mail in 10.5.6 is experiencing. Its quite obvious that Steve Jobs was not involved in the beta testing process for 10.5.6

I hope this brings the Apple cult back down to reality.

[Perry_Clease]

"Well, I am ready for them with the sporadic crashes that Mail in 10.5.6 is experiencing. Its quite obvious that Steve Jobs was not involved in the beta testing process for 10.5.6

I hope this brings the Apple cult back down to reality."

To bad Apple didn't have a professional like you on the beta testing team. Anyway our reality is back up on top, where it belongs:

http://www.macworld.com/article/137717/2008/12/mailupdate.html?lsrc=rss_main

[Penguinisto]

Actually, that would be "MS SQL vs. MySQL vs. Oracle".

...and MySQL would be the winner here (but then, Oracle rocks as well - if it weren't so expensive).

/P

[Dalkorian]

by Mr. Dee December 22, 2008 8:56 PM PST
Well, I am ready for them with the sporadic crashes that Mail in 10.5.6 is experiencing.
-------------------------------------------------------------------------
Dude, bull plop doesn't look attractive on you. I'm actually running 10.5.6 right now, without issue. Mail is rock solid, as is Safari, Firefox, iChat, iCal, Screen Sharing, Terminal and Parallels (only there to test a GUI interface that's currently winblows only). They've all been running for days without a single crash, on a Mini even.

(Why Safari AND Firefox? Because I have restrictions on Safari like a script blocker and an ad blocker that I'm not running on Firefox. Safari is my primary browser here, with Firefox only used when the script blocker gets in my way.)

[Dalkorian]

Mr. Dee, it appears I owe you an apology. Honestly, I hadn't heard of this issue yet - I just ran across it:

http://www.macworld.com/article/137717/2008/12/mailupdate.html?lsrc=rss_main

My bad. The good news is Apple has a fix, assuming you actually are running 10.5.6 and are suffering the Mail crash problem.

[Mr. Dee]

Couldn't you have put the non-affected versions of SQL in a separate paragraph?

[SpiritWater]

There's always something. The vulnerability has been around since 1998 when SQL Server 7.0 came out so it doesn't seem like anyone has taken advantage of it all too much. Securing SQL Server is just one of hundreds of steps to keep malware out of ones network and systems. If a SQL Server is not exposed to the Internet and the network is locked down through firewalls, packet scanners, and anti-virus software then there's no worries.


Break the wedge!
www.breakthewedge.com

[Penguinisto]

@Spiritwater:

Yes and No. You cannot completely isolate an SQL server if a website depends on it... and if you have a dynamic website (or dynamic content), you have to have it connect to the DB somehow.

There are ways to secure your database, even if it faces the world at large. MySQL had managed to do very well in this aspect for a very long time, and Oracle has been solid in this aspect as well (in spite of Oracle's irritating habit of taking forever to release a patch).

OTOH, Blaster managed to blow through literally hundreds of thousands of MSSQL installations online in less than a few hours... fortunately for MSFT and the end-users who had to rely on the product, Blaster wasn't all that destructive.

I just hope for Microsoft's sake that this doesn't turn out to be anything near as rapid as Blaster was, because I suspect that this go 'round, there's likely to be a destructive payload.

/P

[Seaspray0]

Not quite right, Penguin. You can isolate a SQL server, even if a website depends on it. It works like this... You access the webserver, and the webserver accesses the SQL server for the content. You do not have direct access to the SQL server. The webserver makes the connection to the database, not you, and it's the webserver that defines what queries are made, not you. In other words, you have no logical contact with the SQL server period. I haven't seen the specifics of this exploit, but if you can't open a pipe to the SQL server, and you can't control the queries, there's not alot you can do.

BTW, when are you going to backup your lie where "any 13-year-old in Eastern Europe can write a script" to hack windows? How come they didn't do it at the last hackers pawn to own competition? Why don't you just admit that you were spewing BS?

[Penguinisto]

"You access the webserver, and the webserver accesses the SQL server for the content. You do not have direct access to the SQL server."

Yes and no (again)... it all depends on how the server(s) is(are) set up. If you dual-NIC it, then yes it can be (which is why I wrote "There are ways to secure your database, even if it faces the world at large"). But, doing that on a hosted server isn't exactly going to be easy (meanwhile a LAMP server can have the whole wad sitting right there in public, with only PHP to worry about). Also, it isn't always practical (or sometimes even workable) to take that route (depending on how the site is written).

As for this alleged "lie" you harp on, what have you been smoking? I've seen distortions before, but if you have to take a generalization and call that a "lie", you have bigger problems with participating in this debate than merely using bad logic. ;)

[DrtyDogg]

Wat to go sys admin or whatever you are calling yourself these days. You don't need 2 NICs to disallow internet based traffic to a SQL server.

[Vegaman_Dan]

Penguinisto: Interesting points you have made.

[Vegaman_Dan]

Also... are you going to answer Seaspray0's question about your own claim about 13 year old Eastern European kids writing windows hacking scripts? It's your own comments he refers to- you've made the claim multiple times in many of your postings.

If you don't want people to take you at your word... well... I don't know. He's just asking you to back up your claim that you made previously here on CNET. It wasn't a generaliization back then- you were quite specific

[Ice Moose]

You should spend five minutes educating yourself on the details of the reported vulnerability.

As to securing the databases, so far SQL Server 2005 fared better than MySQL 5.x and Oracle 10g (all released in 2003).
Oracle: http://secunia.com/advisories/product/3387/?task=statistics
MySQL: http://secunia.com/advisories/product/8355/?task=statistics
SQL Sever: http://secunia.com/advisories/product/6782/?task=statistics

[RompStar_420]

Oracle is great - you can download the Oracle 11G (even Enterprise version) and use it for as long as you want, no nag screens, no install keys required, does not expire, like MS SQL server after 180 days.

One only needs a license, once you put the database into production, so if you are new and need a year to learn it, no need to worry about it expiring, like it will with MS.

MySQL is cool too.

[Ice Moose]

I guess you never really used Oracle for anything. Well, you can use it as long as you want (for purely evaluation and some development), but you won't get neither patches/patch sets, nor security fixes. And forget about access to the technical articles or bug database.
Quite opposite to Oracle's claims their database is far from being unbreakable, critical patches are coming out every three months and if you haven't run into any Oracle bug during development, you hardly developed anything useful on Oracle.

[rcrusoe]

Way to go Redmond!

Running Microsoft software (aka "the I.T. Managers Full Employment Act") means never having to say "I was just laid off".

[E-Si]

@Penguinisto
You can isolate the SQL server so that it only responds to the server hosting the web site and your management station. Of course, that just shifts the security issue to those units, but that's all part of the game.

Recent reports of what Sun is doing to MySQL are not heartening. MySQL's best days may be in its past, not its future. The sky isn't falling yet, of course.

Remember that the vulnerability that Blaster exploited was patched long before the worm itself was released. Blaster (should have) trained admins to patch their software and treat all Internet-based and most local-based traffic as the enemy.

[webdev511]

Should this get some attention? Yes. Is it as critical as last week's IE, Firefox and Opera flaws? Not hardly.

If an install of the effected versions was modified from default to accept remote connections or allow untrusted user access or have a pre-existing SQL Injection vulnerability you've had issues prior to this exploit notice.

If you don't know what sp_replwritetovarbin does, then you're probably not using it so disabling it won't effect you.

Another day, another Microsoft vulnerability...or two...or three...

[Vegaman_Dan]

And another troll posting... or two, or three.

Vegaman_Dan: In a majority of similar situations you would be right. But face it, there are at least 5 major MS vulnerabilities for every 1 of all other products combined. Only losers use MS products....Friend don't let friends use MS products...Is your computer too fast? Install Vista...etc. You just can't make this stuff up.

[adrottenberg]

According to the MS article this only affects sites that are already vulnerable to SQL Injection. Any site that's not protected against SQL injection is relying on pure luck, they can be wiped out any day by an attacker.

SQL Server 2005 has not until now had a single vulnerability reported. It's already more than 3 years after it shipped.