Microsoft refuses to patch vulnerability in the SQL Server but releases advisory on remote code execution

News by Dan Raywood

A vulnerability in the Microsoft SQL Server that allows any user with administrative privileges to openly see the unencrypted passwords of other users has been detected.


Database security software provider Sentrigo claimed that the vulnerability it discovered would allow an attacker to see the credentials presented by applications accessing the server using SQL Server authentication.

The security vulnerability was found by a member of Sentrigo's Red Team, who claimed that if a user was compromised, these passwords could allow attackers to target additional systems within the organisation, as well as to access personal accounts where the user may utilise the identical password.

It claimed that organisations that are using the mixed authentication mode (also known as “SQL Server and Windows Authentication Mode”) and those using SQL Server 2000, 2005 and 2008, running on all supported Windows platforms, are vulnerable to this password exposure.
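For administrators wanting to review their exposure, the following T-SQL is an added example (not from the article, Sentrigo or Microsoft). It assumes SQL Server 2005 or later, where the `sys.sql_logins`, `sys.server_principals` and `sys.server_role_members` catalog views exist; on SQL Server 2000 the equivalent information lives in `master..syslogins`. It reports the server's authentication mode, the SQL Server-authenticated logins whose passwords are presented to the server by applications, and the members of the sysadmin role, which are the administrative accounts the article describes as able to see those credentials.

```sql
-- Added example, not code from the article or the vendors it quotes.
-- Assumes SQL Server 2005 or later (catalog views below); SQL Server 2000
-- exposes the same data through master..syslogins instead.

-- 1. Authentication mode. SERVERPROPERTY returns 1 for Windows Authentication
--    only and 0 for mixed mode ("SQL Server and Windows Authentication Mode"),
--    the configuration the article says is subject to the password exposure.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows Authentication only'
         ELSE 'Mixed mode (SQL Server logins enabled)'
       END AS authentication_mode;

-- 2. SQL Server-authenticated logins: the accounts whose passwords are sent
--    to the server by applications and are therefore in scope of the issue.
SELECT name, is_disabled, create_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%'   -- skip internal certificate-based logins
ORDER BY name;

-- 3. Members of the sysadmin fixed server role: the administrative users
--    the article describes as able to read other users' credentials.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

If the first query reports mixed mode and the second returns application logins, the server is within the scope the article describes; the third query shows how many accounts would have that visibility. The queries only measure exposure. Reducing it means keeping sysadmin membership to the minimum, moving applications to Windows authentication where they support it so that no SQL Server passwords are presented at all, and, where SQL logins must stay, ensuring their passwords are not reused for other systems or personal accounts, since the article notes that reuse is what lets an exposed password reach beyond the database server.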

Upon making the discovery, Sentrigo claimed that it immediately alerted the MSRC team at Microsoft to the vulnerability. However, Microsoft has indicated that it does not intend to address the vulnerability at this time. Sentrigo is therefore releasing a free software utility to allow users to protect their systems.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-3039 to this issue.

Alexander Kornbrust, CEO of Red Database Security, said: “Sentrigo followed a proper course of action, by informing the vendor first, and allowing time for a fix to be released. When it is clear that the vendor does not intend to address the issue, it is in the best interests of the entire SQL Server community to share the existence of the threat and provide an immediate solution.

“This vulnerability represents a credible threat to any organisation running SQL Server, and I recommend IT organisations review their exposure, and implement a utility like Sentrigo's to limit their risk.”

Meanwhile, Microsoft has announced that it has released Security Advisory 975191 to provide customer guidance and protection from a vulnerability that could allow remote code execution on affected systems running the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0 and connected to the internet.

Alan Wallace, senior communications manager at Microsoft's security response communications team, claimed that while it has seen detailed exploit code published on the internet for this vulnerability, it is not currently aware of active attacks that use this exploit code or of customer impact.
