The patch release from Microsoft this month is going to be a little light. The software behemoth said there is a single patch planned for January, addressing a remote code execution vulnerability. What happened to a planned patch for the SQL flaw discovered shortly after the December update?
Microsoft to release single patch this month. (IMG:Microsoft)
Sadly, Microsoft is starting the year one step behind. Word of the vulnerability, along with working exploit code for it, came to light just after the final round of patches for 2008. Attackers now have at least another 30 days to exploit an unpatched flaw, discovered some time ago by SEC Consulting.
The attack works by calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialized variables as parameters; it is then possible to trigger a memory write to a controlled location. Depending on the underlying Windows version, it is [may be] possible to use this vulnerability to execute arbitrary code in the context of the vulnerable SQL Server process, the advisory from SEC Consulting said.
In a default configuration, the sp_replwritetovarbin stored procedure is accessible by anyone, the advisory continued. The vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application. This vulnerability has been confirmed on SQL Server 2000/2005.
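The advisory's point that the procedure is reachable by anyone on a default install is something a DBA can verify and close off directly while waiting for the patch. The T-SQL below is an added example, not code from the article or from the SEC Consulting advisory. It assumes SQL Server 2005 (the sys.* catalog views used here do not exist on SQL Server 2000, where sysprotects and sysobjects would be queried instead) and a sysadmin connection to the master database; the login name web_app_login is a hypothetical placeholder for the account a web application actually uses.

```sql
-- Added example (not from the article or the SEC Consulting advisory).
-- Assumes SQL Server 2005; the sys.* catalog views are absent on 2000.
USE master;
GO

-- 1. Who can execute sp_replwritetovarbin right now? On a default install
--    the public role holds EXECUTE, which is what makes the procedure
--    reachable from any authenticated session or any injected query.
SELECT pr.name        AS grantee,
       pr.type_desc   AS grantee_type,
       pe.permission_name,
       pe.state_desc  -- GRANT or DENY
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class    = 1  -- object-level permission
AND    pe.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');
GO

-- 2. Withdraw the default access. DENY overrides any GRANT, so this also
--    covers logins that obtain EXECUTE through role membership.
--    Members of sysadmin bypass DENY; that is expected and unavoidable.
DENY EXECUTE ON OBJECT::dbo.sp_replwritetovarbin TO public;
GO

-- 3. Re-check from the perspective of an ordinary, non-sysadmin login.
--    HAS_PERMS_BY_NAME returns 1 when the current principal may EXECUTE
--    the object and 0 when it may not. 'web_app_login' is a hypothetical
--    name; substitute the login your web application connects with.
EXECUTE AS LOGIN = 'web_app_login';
SELECT HAS_PERMS_BY_NAME('dbo.sp_replwritetovarbin', 'OBJECT', 'EXECUTE')
       AS can_execute;
REVERT;
GO
```

Once the DENY is in place the final query should return 0 for the application login; if it still returns 1, the login is either a sysadmin or has been granted the permission through a path that DENY does not cover, and both cases deserve a look. The procedure belongs to the replication tooling, so test the change on an instance that uses replication before rolling it out, and treat it as a stopgap rather than a replacement for the vendor patch.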
The fact that this vulnerability is reachable through SQL injection (SQLi) is what makes security people sit up and take notice. SQLi has been used countless times in the last 12 months to target online systems, with the ultimate goal of spreading malware.
At the time the flaw was discovered, Wolfgang Kandek, the CTO of Qualys, told The Tech Herald:
MS SQL-Server is a highly popular product, as we have seen in April of this year, when a SQL-Injection vulnerability that specifically targeted MS-SQL server driven Web sites was used to redirect users to Web sites serving malware. The effects of this attack are still out on the Internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit-free state.
While Kandek believes that most companies have firewalled off access to MSSQL, there are still some who have not, and criminals can be crafty.
...a smart attacker can easily pair this exploit with another attack mechanism, such as phishing, to get behind the corporate firewalls and then attack all accessible MS SQL server installations.
The patch Microsoft is offering this month is rated 'Critical' on every operating system platform aside from Windows Server 2008 and Windows Vista, where the issue is rated 'Moderate'. Server Core installations of Windows Server 2008 are also affected by the issue the company is patching.