NormCameron
Vista Guru
Probably of no interest to anybody here, but who knows. Just in case.
"Microsoft issued an advisory late Monday warning of publicly available code that could be used to target an unpatched vulnerability in SQL Server.
In its advisory, the software giant warned of an authenticated remote code execution vulnerability in the MS SQL extended stored procedure. The issue causes an invalid parameter check opening a hole for an attack.
"All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability," Microsoft said. "In addition, Web applications with a SQL Server back-end database are at risk if a SQL injection vulnerability exists."
An attacker can exploit the flaw remotely as an authenticated user on the system, said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC). However, attackers could exploit the vulnerability as an unauthenticated user if they compromise a Web server via SQL injection, Sisk said.
The critical vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database (WYukon).
"We are aware that exploit code has been published on the Internet, however, we are not aware of any attacks attempting to use the reported vulnerability," Sisk said on the MSRC blog.
As a workaround, Microsoft is advising customers to deny access to the sp_replwritetovarbin stored procedure. Microsoft said the affected stored procedure will have no impact for the majority of its custo
Bernhard Mueller, a security consultant with SEC Consult, discovered the flaw earlier this month. He issued a T-SQL script to test for the vulnerability. In his advisory, Mueller said he received an email from Microsoft in September explaining that a fix for the vulnerability had been completed. So far, Microsoft has not ruled out an out-of-cycle patch release.
"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location," Mueller said in his advisory. "
Microsoft warns of SQL Server zero-day
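The workaround mentioned in the quoted article (denying access to sp_replwritetovarbin), as an added T-SQL example that is not part of the original post or the article. It assumes SQL Server 2005 catalog views, an administrator session in master, and that access is denied to the public role.

```sql
-- Added example: assumes SQL Server 2005 catalog views and an administrator login.
USE master;
GO

-- 1. Record the explicit permissions currently set on the procedure,
--    so the change can be reviewed and reverted after a patch is installed.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc                     -- GRANT, DENY, ...
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.all_objects          AS o  ON o.object_id     = pe.major_id
WHERE pe.class = 1                       -- object-level permissions only
  AND o.name   = N'sp_replwritetovarbin';
GO

-- 2. Apply the workaround: deny EXECUTE to the public role
--    (public as the target is an assumption of this example).
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Verify that the DENY is now recorded for public.
SELECT CASE WHEN EXISTS (
           SELECT 1
           FROM sys.database_permissions AS pe
           JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
           JOIN sys.all_objects          AS o  ON o.object_id     = pe.major_id
           WHERE pe.class = 1
             AND o.name = N'sp_replwritetovarbin'
             AND pr.name = N'public'
             AND pe.permission_name = N'EXECUTE'
             AND pe.state_desc = N'DENY')
       THEN 'workaround applied'
       ELSE 'workaround NOT applied'
       END AS status;
GO

-- To undo after patching, restore the previous state recorded in step 1, e.g.:
-- GRANT EXECUTE ON sp_replwritetovarbin TO public;
```

Members of the sysadmin role bypass permission checks, so the DENY only restricts lower-privileged logins, including application accounts reached through SQL injection.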