Don't Be SQL Server Slammed This Holiday
News Analysis. Microsoft has warned of a zero-day vulnerability affecting SQL Server. Do take Microsoft's security advisory seriously.
Remember SQL Server Slammer, which struck nearly six years ago? IT administrators were lucky the worm spread a month after Christmas. The new SQL Server vulnerability could bring coal to your Christmas stocking if left untended.
Late last night, I saw a blog post by Bill Sisk on the Microsoft Security Response Center Weblog about Security Advisory 961040. He writes:
We are aware that exploit code has been published on the Internet; however, we are not aware of any attacks attempting to use the reported vulnerability. To successfully exploit this vulnerability an attacker must be a local, or remote, authenticated user on the system. However, if an attacker has already compromised a web server via SQL injection, they could exploit this vulnerability as an unauthenticated user.
"SQL injection" sends prickles down my spine. No IT manager would want the company's Web-facing SQL Server installation injected and infected for Christmas, right? Attackers must be "authenticated" to exploit the flaw, and that authentication could be obtained through SQL injection. Microsoft Security Vulnerability Research and Defense bloggers Jonathan Ness and Bruce Dang explain in a post:
If an attacker finds a SQL injection vulnerability in the web application connected to your database, he could combine the SQL injection vulnerability with this vulnerability and run code 'without authenticating.' Technically, the attacker did authenticate; he just used your compromised web application to authenticate for him. Of course, if an attacker does compromise your web application using SQL injection, he can take a number of actions anyway.
Companies with older software are in the riskiest position, particularly if they haven't updated to the newest service packs. Bill explains:
It's important to note that systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 SP3 and Microsoft SQL Server 2008 are not affected by this issue. Also, because, by default, Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) and SQL Server 2005 Express do not allow remote connections, attackers would have to already have local access to machines running MSDE 2000 and SQL Server 2005 Express to exploit this vulnerability.
Bill, please be absolutely right about MSDE 2000. That beast still fills me with fright. When SQL Server Slammer struck in early 2003, the surprising attack vector was MSDE 2000. Many IT organizations, even Microsoft's, got whacked on the desktop rather than on the server. They had patched their SQL Server installations long before Slammer was released, but desktop applications running MSDE weren't patched, and those unexpectedly spread Slammer.
There's still plenty of risk, as Jonathan and Bruce explain:
Remember our October advisory and blog post about service isolation? That vulnerability allowed an attacker to escalate from code running as NetworkService to LocalSystem. Unfortunately, this SQL vulnerability allows any user logged on to a machine running SQL Express to escalate to SYSTEM by leveraging the SQL vulnerability to get to NetworkService and then the service isolation vulnerability to get to SYSTEM.
Now you can worry. The major workaround is to "deny permissions on the sp_replwritetovarbin extended stored procedure," according to the security advisory. I won't repeat the workaround, which is straightforward and explained in the security advisory.
What's the impact of using this workaround? According to the security advisory:
Disabling the sp_replwritetovarbin extended stored procedure prevents updates to subscription tables by all users. The impact of this workaround only affects customers that use transactional replication with updatable subscriptions. Customers using transactional replication with read-only subscriptions, bi-directional transactional replication, or peer-to-peer transactional replication are not impacted.
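As an added example (not from the article or from Microsoft's advisory text), here is a T-SQL check-and-mitigate script a DBA could run in master with sysadmin rights: it applies the workaround only on builds the quoted advisory text lists as affected, and records the procedure's permissions before and after. It assumes the workaround takes the form of a DENY EXECUTE to public, and that major version 8 = SQL Server 2000/MSDE 2000, 9 = SQL Server 2005/2005 Express, 10 = SQL Server 2008.

```sql
-- Added example, not the article's or the advisory's own text.
-- Run in the master database as a member of sysadmin.
USE master;
GO

DECLARE @ver nvarchar(128), @major int, @level nvarchar(16);

-- ProductVersion looks like '8.00.2039' or '9.00.3042.00'; take the major number.
SET @ver   = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
SET @major = CAST(LEFT(@ver, CHARINDEX('.', @ver) - 1) AS int);
-- ProductLevel reports the service pack: 'RTM', 'SP1', 'SP2', 'SP3', ...
SET @level = CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(16));

-- Per the advisory text quoted in the article: 2000 / MSDE 2000 (major 8) is
-- affected; 2005 / 2005 Express (major 9) is affected before SP3; 7.0 SP4 and
-- 2008 (major 10) are not. (Version-to-major mapping is an assumption here.)
IF (@major = 8) OR (@major = 9 AND @level IN ('RTM', 'SP1', 'SP2'))
BEGIN
    PRINT 'Affected build ' + @ver + ' (' + @level + '): applying workaround.';

    -- Record who can execute the extended procedure before changing anything.
    EXEC sp_helprotect 'sp_replwritetovarbin';

    -- The workaround: deny EXECUTE to public. A DENY overrides any GRANT, so
    -- every login that is not a sysadmin (sysadmins bypass permission checks)
    -- loses the ability to call the procedure. This also blocks transactional
    -- replication with updatable subscriptions, as the advisory text notes.
    DENY EXECUTE ON sp_replwritetovarbin TO public;

    -- Confirm the DENY is now recorded.
    EXEC sp_helprotect 'sp_replwritetovarbin';
END
ELSE
BEGIN
    PRINT 'Build ' + @ver + ' (' + @level + ') is not listed as affected; no change made.';
END
```

Re-run the final sp_helprotect after patching if you later want to REVOKE the DENY and restore updatable subscriptions.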
The way I see it, the bigger risk isn't the vulnerability but the timing. Many organizations will be shutting down for the holidays starting Wednesday. While I alluded to Slammer (to scare you), this exploit isn't like the one that unleashed the January 2003 attacks. But there is risk, because many organizations won't be closely monitoring operations over the next few days.
Microsoft will be watching. It's standard procedure for security teams to be on call during the holidays, just in case there is a major vulnerability requiring investigation and creation of a patch.
[Please send your tips or rumors to watchtips at live.com].


Comments (10)
And don't be slammed by the Apple 10.5.6 update, which has rendered many Macs useless, even requiring a 56 MB update for Mail alone to start working again.
Posted by Andre Da Costa | December 23, 2008 7:35 PM
According to SEC, this bug was discovered in April, Microsoft said they fixed it in September, but have still not released a patch.
They made it public on the 9th of December after hearing nothing from Microsoft for 3 months. Microsoft then waited nearly 2 weeks before telling its customers they might want to be careful.
http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt
That's Microsoft security for you!
Posted by billybob | December 23, 2008 8:07 PM
@Andre, let me quote a little line for you:
"This can occur if Software Update attempts to install an update that was only partially downloaded."
(support.apple.com/kb/TS2383)
Now if you download the partially downloaded update again you should have no problem. On the other hand if you download SQL Server again, you'll still be susceptible to the vulnerability.
Posted by Gerardo Tasistro | December 23, 2008 9:15 PM
The scary thing is how many software packages now silently install SQL Server Express as their database, so many home computers have this vulnerability without even knowing it. People see windows update and/or news articles and assume it doesn't apply to them. But in the Windows world there is a lot of SQL Server installed out there.
Posted by smist08 | December 24, 2008 11:26 AM
Quote Andre: "And don't be slammed by the Apple 10.5.6 update, which has rendered many Macs useless, even requiring a 56 MB update for Mail alone to start working again."
-
I rendered my PC useless once.
I quickly resolved the issue by removing Vista.
-
In all seriousness, Andre, why do you bother? Here's the routine:
1. Andre posts a remark making a claim.
2. The post is challenged and questioned/disproved.
3. Andre simply ignores and moves on.
-
You can apply this to most of Andre's posts. In fact, the only time we see a modicum of "real person" and not an MS PR sheet is when Andre decides to have a tantrum over one of Joe's articles; after he's got that out of his system he's gone again, only to return with more copy-and-paste PR from MS.
-
Andre, in 2009 you should consider applying for a job with Canonical. Your posts have done more for open source than they have for MS. Unfortunately you are the only one not to notice this.
-
Merry xmas Andre. Send Ballmer my love.
Posted by Goblin | December 24, 2008 6:11 PM
Good advice!
Posted by steveballmer | December 26, 2008 6:00 PM
Goblin, your three points are the standard MO for nearly all Microshills, it seems. I've run into others besides Andre on the web, and I've long since learned that trying to have any intelligent conversation or debate with a true Microshill is like talking to a wall plastered with PR sheets and the occasional derogatory graffiti.
Posted by Will | December 27, 2008 11:35 PM
@Will
Hi!
Yeah, I agree, although let me tell you a story. When I first came here, I really didn't believe people would stoop to such low levels just for the sake of a buck. It wasn't until I saw it first hand that I believed it. I believe there are many readers on this site who will be the same. My list of points is probably repetition for most people; however, I would hope there are a few new people who may keep it in mind in the future.
-
This is why I believe posters such as Andre et al. do so much damage to the MS cause. Just as MS doesn't seem to notice its unpopularity, the shill posters don't seem to see that by posting their unethical propaganda they simply provide a platform for alternatives to be highlighted.
-
I've said before that the alternatives message would be a lot harder to showcase if it wasn't for the shill posters.
-
Over on the other thread we've had another typical shill MO: the term "Linux fanboy". I always get a laugh out of that, because the "fanboy" concept is so alien to a shill poster that they cannot understand why anyone would want to rave about a product without there being a financial reward in it for them. This really, to me, says it all: what better advert for an alternative is there than when people post about an honestly held love for Linux and they don't get paid to do it!
-
Nice speaking with you Will.
Posted by Goblin | December 28, 2008 7:20 AM
You know, your last post brought something to mind. Seems like, after seeing one of Ballmer's stage performances, someone trying to throw around the "fanboy" term to discredit is another case of "pot... kettle... black..."
Posted by Will | December 28, 2008 5:30 PM
@Will
LOL, I never thought of that!
-
Mind you, for his salary, even I'd probably jump around the stage! Although since I work out, I probably wouldn't sweat as much.
Posted by Goblin | December 28, 2008 6:21 PM