Security Corner

Dec 24 2008   4:43PM GMT

Microsoft Releases Security Advisory (961040)

Ken Harthun

Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Exploit code has been published on the Internet, but Microsoft states that it’s not aware of any active exploits or customer impact at this time. One mitigating factor is that this vulnerability is not exposed anonymously: an attacker would need to authenticate in order to take advantage of the flaw, thus leaving evidence for investigators.

Microsoft has issued tested workarounds for the affected versions. While they don’t repair the underlying vulnerability, they effectively block the known attack vectors.
