Warning about serious vulnerabilities in SQL Server
Microsoft has announced yesterday that an attack code has been issued aimed at a serious vulnerability in previous versions of its SQL Server database software, besides Microsoft. It also advises users to use this temporary solution.
This security error was first reported to Microsoft in April 2008 by an Austrian security consulting company called SEC Consult. However, the company says it can't wait for Microsoft to decide when to release the patch and has revealed the flaw in the past two weeks with the release of proof-of-concept exploit code.
According to SEC Consult, Microsoft may already have a patch ready in the last three months but has not released a patch yet.
On Microsoft, in a security advisory released on Monday, Microsoft also said that systems running SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, and SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) can be exploited and controlled by hackers.
This error has been detected in the SQL Server "sp_replwritetovarbin" extension stored procedure.
However, recent versions of this popular software, used for many Web sites to provide more power to their back-end databases, are not attacked. These versions include SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008. The latest, most recent version of this product line has been released to manufacturers from the end. August.
As the previous moves, Microsoft has taken actions to reduce their losses. 'We already know the exploit code is published on the Internet. Still, it has not been seen about any attacks trying to use the reported vulnerability, 'said company spokesman Bill Sisk in an email Monday.
Attackers can exploit this vulnerability remotely if they are able to increase access to the server through SQL injection attacks on the Web application on the system, Sisk said.
SQL injection attacks were successful; Hackers have taken control to compromise a large number of sites, even famous commercial domain names, with such attacks. Thousands of legitimate sites have been hacked through SQL injection attacks in recent weeks by criminal organizations, after which hackers have plugged fake code into their pages and attacked visitors. Use Internet Explorer (IE). In this security flaw, Microsoft blocked the flaw in IE last Wednesday with a second emergency patch within two months.
Microsoft has said that refusing the terms for the "sp_replwritetovarbin" extension stored procedures will create a vulnerability for the system, and also provide instructions on how to implement against attacks. this.
However, Sisk did not commit a fix or a timeline to the fix, but he proved - 'Microsoft will continue to study the flaw and proceed to finalize this research, in the process. Research, the company will take appropriate actions' - typical instructions at some point for the patch.
However, SEC Consult has made claims to Microsoft to complete the revision in September.
The Vienna-based company published the vulnerability in 9.12 through a published information, along with a sample attack code in an advisory section on their site, as well as several secure mailing lists: Bugtraq and Full Disclosure.
Also in this disclosure, SEC Consult said that it was announced by Microsoft in September via a mail that the patch has been completed. However, 'The release schedule for this fix has not been announced'.
This Austrian security company also included a timeline reflecting communication between the company and Microsoft. At that time table, SEC Consult reported this vulnerability to Microsoft on April 17, 2008 and the most recent response from Microsoft was on September 29. Four times since then 14.10, 29.10, 12.11 and 28.11 - SEC Consult questioned Microsoft about the patch upgrade but never received feedback from Microsoft.
Microsoft did not respond to SEC Consult's questions about the availability of its patch and timeline.
You should read it
- Chrome and Firefox have a serious security flaw, there is no way to fix it
- Firefox 56 released with a new screen capture, settings panel
- How to enable Tor features in Firefox increases security when browsing the web
- Summarizing the Pwn2Own 2019: Safari, VirtualBox was 'pierced' on the first day, Firefox, Edge on the second day and Tesla Model 3 'closed the window'
- Download Firefox 58 for Windows, Mac and Linux
- Firefox 16 was released again after updating the vulnerability patch
- Microsoft urgently fixes SQL Server errors
- The unsafe 'feature' on UC Browser allows hackers to take control of Android phones remotely
May be interested
- How hackers steal 9 million USD from ATM in 1 hourcisco security experts explained the entire process that bad guys apply to withdraw the money with just over 100 real cards.
- Unique tricks to steal money from ATMsthe vault in the middle of the street always elicits greed of bad guys and makes them find countless ways to withdraw, from using modern equipment, music players to bulldozers to picking up atms.
- 5 tips for 'fishing' money onlineinternet crimes have been dubbed online magicians because they have thousands of moves to exploit the users' beliefs and innocence, especially taking advantage of blogging relationships.
- Twitter was cut down by 17-year-old hackerin just two weekends, twitter's 'microblogging' was knocked down twice by a young man living in brooklyn. the boy said he did so to alert twitter to patch the vulnerability
- Hackers: Crime and punishmentgather 10 cases of hackers around the world to see how severe the penalties are compared to the crimes committed by them
- Russian Hacker performs a new attack tacticrussian hacker has stolen personal information in the us, combined with commercial software and social networks to organize destructive attacks on the internet.