Posted by: Bcournoyer
Internet Information Services, Security, SQL Server
Microsoft is actively working on patching a critical flaw affecting three versions of Internet Information Services (IIS) that was discovered earlier this week. Another vulnerability affecting SQL Server, however, isn’t getting so much love.
First, the IIS flaw. As reported by Computerword, the company issued an advisory for the flaw on Tuesday, which affects IIS versions 5.0, 5.1 and 6.0. The report states the following:
The bug is in the file transfer protocol (FTP) server included in IIS. The FTP server fails to properly parse specially-crafted directory names, which hackers can leverage to force a stack buffer overflow and then inject their own malicious code onto the Web server.
It’s unlikely that a fix will be released in time for this month’s Patch Tuesday bundle (translation: not gonna happen). The exact timeframe is a little fuzzy, as in Microsoft’s words the patch won’t be available until it “has reached an appropriate level of quality for broad distribution.” So take that for what it’s worth.
Microsoft’s Security Research and Defense blog has more information, and outlines some temporary workarounds for the time being.
The company was also less than thrilled with the way they found out about the flaw, which was posted late Monday on milw0rm.com. A Microsoft spokesman noted that the company feels it’s in everyone’s best interest that flaws like these are reported directly to the vendor.
So naturally, when Microsoft was notified of a different flaw affecting SQL Server, they decided not to provide a patch for it. Now the flaw in question was discovered by Sentrigo Inc. about a year ago, so the fact that news of it came out this week is sort of ironic timing.
Here is how SearchSecurity.com breaks it down:
The vulnerability enables administrators to see unencrypted credentials in SQL Server process memory using tools that are readily available to database administrators. Administrator privileges are required to dump system memory, and in most organizations more than one individual has admin privileges. Applications also often run with administrator permissions and if those apps are vulnerable to SQL injections, those attacks could expose passwords.
Doesn’t sound so great, right? Well since admin rights are required to take advantage of the flaw, Microsoft deemed it not patch-worthy, instead citing that enterprises should implement the appropriate security measures.
This actually sounds pretty reasonable, but Sentrigo argued that people often use the same passwords for multiple apps and personal accounts. Therefore, admins could potentially see passwords that are also used for bank accounts and other personal data. Also, if a hacker were to breach the system, that information would be exposed to the attacker as well.
Fortunately, Sentrigo developed a free utility that will wipe these passwords from memory. The flaw affects SQL Server 2000, 2005 and 2008, though those running 2008 are better protected due to security enhancements included with the system.