Microsoft confirms presence of new vulnerability in SQL Server
Posted: December 29th, 2008 | Tags: Security, Vulnerabilities |

Microsoft has confirmed the existence of a new, potentially serious security threat to users of its SQL Server databases. The vulnerability was found in one of the stored procedures used to replicate subscription tables and, under certain conditions, can lead to remote code execution. So far, however, Microsoft has not heard of anyone exploiting this hole, or of any user being harmed by it.

The company reported the vulnerability last Monday. The security hole is linked to "incorrect parameter validation" in the procedure "sp_replwritetovarbin", which is used to replicate subscription tables for users. According to Microsoft, the vulnerability can lead to remote code execution on various versions of Microsoft SQL Server; only Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3 and Microsoft SQL Server 2008 are, the company says, not affected. In addition, to exploit the vulnerability an attacker must either already be authenticated or take advantage of a SQL injection vulnerability that yields an authenticated session. Also, MSDE 2000 and SQL Server 2005 Express do not allow remote connections by default, so on those systems the attacker would have to launch the exploit locally.

Microsoft is still investigating the issue and has promised to take "appropriate action" to protect its users once the investigation is complete. For now, however, the company has only offered a workaround that blocks the attack without eliminating the underlying problem. The method consists of denying execution of the "sp_replwritetovarbin" procedure, which as a consequence means that tables for "updatable subscriptions" will no longer receive updates.
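As an added illustration (not code from the article or from Microsoft), the following T-SQL applies the workaround described above, denying execution of sp_replwritetovarbin, and checks that the deny took effect. It assumes a SQL Server 2005 or 2008 instance; the permission catalog views used in the verification step do not exist on SQL Server 2000 or MSDE 2000. Only the procedure name and the side effect on updatable subscriptions come from the article; everything else is an assumption of this example.

```sql
-- Added example (not from the article): apply and verify the workaround of
-- denying execution of sp_replwritetovarbin on a SQL Server 2005/2008 instance.
-- The procedure lives in the master database.
USE master;
GO

-- 1. Confirm the procedure is actually present on this instance before
--    changing anything (a missing procedure means there is nothing to deny).
IF OBJECT_ID('sp_replwritetovarbin') IS NULL
    PRINT 'sp_replwritetovarbin not found on this instance';
ELSE
    PRINT 'sp_replwritetovarbin present - applying DENY';
GO

-- 2. Workaround: deny EXECUTE to the public role, which covers every login.
--    Side effect (as the article notes): updatable subscriptions stop
--    receiving table updates until a fix is installed and this is reverted.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify the deny is recorded in the permission catalog.
--    sys.database_permissions / sys.database_principals exist on 2005+ only.
SELECT pr.name            AS principal_name,
       pe.permission_name AS permission_name,
       pe.state_desc      AS state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
    ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id   = OBJECT_ID('sp_replwritetovarbin');
GO

-- 4. After the vendor fix is applied, restore replication behaviour with:
-- REVOKE EXECUTE ON sp_replwritetovarbin FROM public;
```

When the verification query in step 3 returns a row with principal_name "public", permission_name "EXECUTE" and state_desc "DENY", the workaround is in place. Because DENY on the public role also blocks members of other roles, test the change on a replication-enabled instance in a non-production environment first, and plan to revoke the deny once the fix is installed so updatable subscriptions resume.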