Microsoft is investigating new public reports of a vulnerability that could allow remote-code execution on systems with supported editions of its Microsoft SQL Server products.
Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, and Windows Internal Database are affected. Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.
"Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory," Microsoft said in its security advisory. "Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time."
Alerting All Database Admins
According to Wolfgang Kandek, CTO of Qualys, the vulnerability in Microsoft's SQL Server product is highly critical. Database administrators, he said, should review and implement the workarounds Microsoft offered as soon as possible.
"MS SQL Server is a highly popular product as we have seen in April of this year, when [an] SQL-Injection vulnerability that specifically targeted MS SQL Server-driven Web sites was used to redirect users to Web sites serving malware," Kandek said. "The effects of this attack are still out on the Internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit-free state."
Kandek said the potential exists for private data leakage, as well as major disruptions in critical Microsoft SQL-driven applications, such as e-commerce and HR. On the positive side, Qualys believes companies have aggressively firewalled off their Microsoft SQL Server installations from direct Internet access after the traumatic Slammer worm in 2003. That, Kandek said, should provide some protection from direct attacks.
However, he added, a smart attacker can easily pair this exploit with another attack mechanism, such as phishing, to get behind the corporate firewalls and then attack all accessible MS SQL Server installations.
Microsoft said its investigation of this exploit code has verified that it does not affect systems that have had the suggested workarounds applied.
For example, the vulnerability is not exposed anonymously. According to Microsoft, an attacker would need to either authenticate to exploit the vulnerability or take advantage of an SQL injection vulnerability in a Web application that is able to authenticate.
By default, MSDE 2000 and SQL Server 2005 Express do not allow remote connections. An authenticated attacker would need to initiate the attack locally to exploit the vulnerability. Microsoft said it is not aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express that would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.
"We expect that Microsoft is currently working on [a] patch and will release it out of band. Differently from the recent release of the Internet Explorer patch, the deployment will be slow," Kandek said. "MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles before any such fix can be deployed."