185 Comments
- jggube, on 12/23/2008, -2/+106Perfect. Sys admins, your holiday break is ruined - gotta patch our SQL Server! :)
- doom777, on 12/24/2008, -5/+63I was about to make a comment about how they are just bashing Microsoft because they are Apple/Linux fanboys, but then I RTFA'd. Microsoft was warned in APRIL. April! Now they patch it?
- mikeophile, on 12/24/2008, -0/+39"It is rather low risk given other vulnerabilities that exist," he said via instant message. "There are a lot of better ways to currently compromise windows systems."
IOW, the lock is kind of weak, but don't worry about that too much because of the giant hole in the wall.
- BoneStamp, on 12/23/2008, -16/+53I like squirrels.
- rhustang, on 12/24/2008, -0/+28I just tried switching my database to Firefox and now my site isn't showing up. Do I need to install a plug-in or something?
- spdorsey, on 12/24/2008, -10/+35This is why MySQL is preferred (and it's cheaper!)
- Rikkochet, on 12/24/2008, -2/+20Completely relevant to a story about an SQL exploit, thanks.
- Headinawheel, on 12/24/2008, -7/+24God, what the ***** happened to Digg having a tech knowledgeable demographic? Most of these comments are from retards who don't even understand the difference between what SQL and IE are.
- darkcss, on 12/24/2008, -11/+27Internet Explorer is a piece of *****.
- allyant, on 12/24/2008, -4/+20I don't think sys admins still running MSSQL 2000 will know how to patch it.
- drowningfish, on 12/24/2008, -3/+19Excuse me, I did RT-*****-A. There have been no patches.
Better yet *****-nut, here is the official tech note from Microsoft:
http://www.microsoft.com/technet/security/advisory ...
And here is a direct quote from TFA:
"As with the SQL bug, this WordPad converter vulnerability has not been patched, but is a prime candidate to be fixed in Microsoft's upcoming January 13 security updates."
Notice it mentioned ". . .SQL bug. . ." ?
RTFA next time colon
- aschafer324, on 12/24/2008, -0/+13Right, what a nightmare, this may take almost 2 minutes to fix:
"The bug lies in a stored procedure called 'sp_replwritetovarbin'..."
"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,"
Jeez, that might delay my eggnog run!
- RealJimShady, on 12/24/2008, -0/+11Dude... if you think it's always the sysadmin's choice what is being run then you obviously don't work in large enterprises. It's all managers, capacity managers, and other business units that have a much larger stake in the system than you do. We only just got rid of our last NT4 boxes a few ago!
- drowningfish, on 12/24/2008, -3/+14They released a patch? They only released a workaround, at this point, as far as I can tell.
- inactive, on 12/24/2008, -2/+13I don't think MySQL is preferred at the enterprise level, though I could be wrong. Oracle and MSSQL probably take a very good portion.
Don't know why Oracle has so many buyers, being the slow piece of ***** that it is.
- ZER0JACK, on 12/24/2008, -0/+11I like squirtles.
- maz2331, on 12/24/2008, -0/+10Uh, because if you don't patch your machine FAST you will be paying someone $200 per hour to do it for you?
Scratch that - I forgot. A MSSQL server fix is $2k per hour - 3 hour minimum. Payable upon site departure (cash or certified funds only please), Net 30 terms available at $4k per hour, 8 hour minimum + travel + expenses. In all cases, multiply the rate times 2 if outside 8am to 5 pm M-F.
- Headinawheel, on 12/24/2008, -1/+11Everybody knows Safari is the best tool for SQL. STFU Mozilla Fanboy.
- inactive, on 12/24/2008, -1/+10I am going to have to redo the benchmarks that my roommate and I did a few years back. If I remember correctly, MySQL (on a minimal Gentoo install) easily held its own against Oracle (also as minimal a Gentoo install as possible) and MSSQL. I could be mistaken about the environments. The only problem with the fact that MySQL held its own is that Oracle and MSSQL were running on a Pentium 4 3.0 with 2 gigs of RAM while MySQL was running on a Pentium 3 with 768 megs of RAM.
Again, that was a while ago and I am not positive about everything.
- gilbes, on 12/24/2008, -1/+10This is being blown way the ***** out of proportion.
Any server that is publicly available and following good security guidelines (not even 100% best practices) will not be affected. And I would hardly call this an exploit. There is more than one sp_ stored proc that could be run maliciously, and that would not be an exploit.
On my own server, there is only 1 account that could even run that stored proc, or any other master stored proc. And that is the admin account. To 'exploit' this, it would require the attacker to know the admin username and pass, and it has to allow that user to login remotely. None of the users that the web apps use have permissions even close to allowing a stored proc like that to run.
If an attacker knows the admin login credentials, then the attacker finding this sp is the very ***** least of your worries as they can already do whatever the ***** they want to your system.
While the article happens to mention this at the end, it doesn't come across like that to the casual reader. So of course you see a ***** ton of idiots here saying that MS has 0 security and blah blah blah.
This article is another attempt to mislead with something that, while true, is not presented in its correct context.
It is like saying, I know a couple of gay guys who use Macs. So all gay guys use Macs (except the ones who use Macs and are not gay). All people will take away from that is 'gay guys use Macs'. Its true that there has to be gay Mac users, doesn't make them all gay.
- paulieman, on 12/24/2008, -6/+15And this surprises who?
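The permission question gilbes raises (which principals can actually execute sp_replwritetovarbin) and the service-pack list quoted from Microsoft's advisory elsewhere in this thread are both things an admin can check from a query window. The T-SQL below is an added example for this page, not code posted by any commenter and not the advisory's text verbatim; it assumes a login that can read master and, for step 3, that the application logins are neither members of sysadmin nor holders of an explicit EXECUTE grant on the procedure.

```sql
-- Added example; not from any commenter in this thread or from Microsoft's advisory verbatim.
-- Assumes a login that can read master on the instance being checked.

-- 1. Which build is this? The advisory quoted in the thread says 7.0 SP4, 2005 SP3 and 2008
--    are not affected, so SQL Server 2000 (any SP) and 2005 below SP3 are the ones to look at.
--    ProductVersion major number: 8 = SQL Server 2000, 9 = 2005, 10 = 2008.
SELECT
    SERVERPROPERTY('ProductVersion') AS product_version,
    SERVERPROPERTY('ProductLevel')   AS product_level,     -- 'RTM', 'SP2', 'SP3', ...
    CASE
        WHEN CAST(SERVERPROPERTY('ProductVersion') AS varchar(20)) LIKE '8.%'
            THEN 'SQL Server 2000: affected, apply the workaround'
        WHEN CAST(SERVERPROPERTY('ProductVersion') AS varchar(20)) LIKE '9.%'
             AND CAST(SERVERPROPERTY('ProductLevel') AS varchar(10)) < 'SP3'
            THEN 'SQL Server 2005 below SP3: affected, apply SP3 or the workaround'
        ELSE 'not in the affected list quoted in the thread'
    END AS assessment;

-- 2. Who may execute the procedure the thread is about? sp_helprotect works on 2000 and later;
--    it raises "There are no matching rows on which to report" if nothing is explicitly
--    granted or denied on the object.
USE master;
EXEC sp_helprotect @name = 'sp_replwritetovarbin';

-- 3. The workaround Microsoft published for unpatched instances: deny EXECUTE to public.
--    Members of sysadmin bypass DENY (gilbes's point: an attacker with admin credentials
--    does not need this procedure), so the deny only matters for lower-privileged logins.
--    Assumption: application logins hold no explicit EXECUTE grant that would override it.
DENY EXECUTE ON sp_replwritetovarbin TO public;

-- Verify the deny is in place: expect a row for public with ProtectType 'Deny'.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
```

Run step 1 first; on 7.0 SP4, 2005 SP3 or 2008 the deny in step 3 is unnecessary, and on a box where step 2 already shows a deny for public the workaround has been applied. On SQL Server 2005 and later the same permission listing is also available from master.sys.database_permissions joined to sys.database_principals, filtered on OBJECT_ID('master.dbo.sp_replwritetovarbin').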
- inactive, on 12/24/2008, -0/+9dugg for "*****-nut".
- inactive, on 12/24/2008, -1/+10Merry Xmas, Love Microsoft.
- houndeyex, on 12/24/2008, -0/+9You must be nuts.
- JedicodeWarrior, on 12/24/2008, -0/+9WTF does FireFox have to do with any of this.
Black raspberry ice cream FTW!
- shaunhey, on 12/24/2008, -0/+9You'd be surprised how many active installations of SQL2000 are still out there...
- inactive, on 12/24/2008, -0/+9The pope hates you.
- rda1441, on 12/24/2008, -0/+8Chances are pretty good at that actually.
- rocketman42, on 12/24/2008, -0/+7From the article:
"Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue," Microsoft said in its advisory.
So, if you're running the latest service packs (like you should be doing), you have nothing to worry about.
- czeman, on 12/24/2008, -1/+8The fact that they waited so long to patch it is what's in question.
- houndeyex, on 12/24/2008, -3/+10For the enterprise level? I'm not so sure. I would love to believe it, because MySQL is the *****.
- RealJimShady, on 12/24/2008, -7/+14Microsoft issues security bulletins/advisories every month and has done so for many years, what's with the sudden media obsession with them?
- mrBitch, on 12/24/2008, -0/+7FTA :
"It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April."
- inactive, on 12/24/2008, -0/+6Some could say that, while others would say that Active Directory is absolutely spectacular for what one would need it for. Even though I personally find eDirectory to be better in just about every way possible, some would disagree.
- BoneStamp, on 12/24/2008, -0/+6I guess you guys didn't have the same SQL textbook as me in college (it had curious squirrels on every page)... or maybe "I like turtles" got old since yesterday.
- Rikkochet, on 12/24/2008, -0/+6Oh, we're still out there maintaining systems running legacy code that's ever so slowly being phased out.
- mithrasinvictus, on 12/24/2008, -0/+5"Microsoft said that it has not yet seen this code used in online attacks." Not seeing something might just be a measure of how hard you are looking.
- brstilson, on 12/24/2008, -5/+10This is why I use MySQL
- Loonacy, on 12/24/2008, -0/+5Bah MSSQL, Oracle, MySQL... Who needs 'em? We use Filemaker where I work.
Somebody hold me. :(
- inactive, on 12/24/2008, -3/+8I personally ***** hate stored procedures, as well as just about everyone else that I know. What can they do that your regular program shouldn't be doing? If you set the database up properly and use the proper views accordingly, there should be no need for stored procedures as they just place useless load on the already hammered database server.
That is what I gather from my 3 months of doing them in school. I could be completely in the blue and totally wrong I guess.
- Stupidumb, on 12/24/2008, -1/+6You know, I thought my queries were giving me strange looks all day. I guess it wasn't my imagination.
- Myztry, on 12/24/2008, -2/+7Because they are dropping the ball severely and often.
Will someone please claim the child, and wipe the butter off their fingers...
- mclaincausey, on 12/24/2008, -0/+5If you have 2005 SP3, no worries.
- inactive, on 12/24/2008, -1/+6It's Microsoft's SQL software that's flawed, and has nothing to do with the OS.
- ALiberalMind, on 12/24/2008, -2/+7I think it has always been a piece of *****.
- UKsHaDoW, on 12/24/2008, -0/+5You have to tune oracle, but once you do it can fly.
You need a good DBA.
- inactive, on 12/24/2008, -1/+6MySQL may not have been that good a few years back, but since Sun took it over, it is a serious threat to MS-SQL
Yahoo uses MySQL on their backend systems....very rarely an issue there as they have been up for quite some time now.
- bingostud722, on 12/24/2008, -0/+4rda1441, The MacBook Air was cracked in under 2 minutes by hackers in a security contest
http://news.cnet.com/8301-13579_3-9905095-37.html
it was due to a vulnerability in Safari. (not defending IE, it's still terrible, but we're talking about huge security holes, not standards compliance)
- mrBitch, on 12/24/2008, -0/+4RE: "There are a lot of better ways to currently compromise windows systems."
Exactly, this is not a statement that Windows server admins really want to hear.
BTW, love that comment :
" ... the lock is kind of weak, but don't worry about that too much because of the giant hole in the wall."
- AlexanderBlue, on 12/24/2008, -0/+4@ajhops:
MySQL has had ACID-compliant Transactional support via the InnoDB storage engine for years. It's also had some basic replication capabilities, and MySQL 5.1 (just released for General Availability) added row-based replication.
For more information:
InnoDB Basics - http://dev.mysql.com/doc/refman/5.1/en/innodb-over ...
InnoDB Transaction Model - http://dev.mysql.com/doc/refman/5.1/en/innodb-tran ...
Replication - http://dev.mysql.com/doc/refman/5.1/en/replication ...
Snapshots - http://dev.mysql.com/doc/refman/5.1/en/replication ...
FYI:
- The Falcon storage, expected in MySQL 6.0x, will also do ACID-compliant transactions.
- AFAIK, there is a "solidDB" engine that also supports transactions, but I'm not familiar with it.
- IBM is apparently working on a DB2 storage engine for MySQL (http://www-03.ibm.com/press/us/en/pressrelease/214 ... -