Redmond (WA) – Today, Microsoft acknowledged that its business-class SQL Server database software is vulnerable to attacks that inject code through malformed requests. Affected versions include SQL Server 2000, SQL Server 2005 and Windows Internal Database. SQL Server 7.0 SP4, SQL Server 2005 SP3 and SQL Server 2008 are not affected by the flaw.
This is the same bug that was reported publicly on December 4, 2008, by SEC Consulting. SEC had tried for months to work with Microsoft on the bug, but Microsoft would not acknowledge that a flaw existed. SEC finally published the details earlier this month, well before the regular "Patch Tuesday" release of December 9. Even then, Microsoft neither repaired the flaw nor acknowledged its existence.
Today, following yet another 0-day bug, Microsoft has finally been forced to acknowledge the SQL Server bug's existence. A fix is now planned for January or February.
SQL Server is a business database engine. SQL stands for "Structured or Standard Query Language": requests are written as plain worded statements (not program code) and submitted to the server to retrieve data.
An example of this type of command (it would return all of the active users, with their names, addresses and phone numbers; the table name "users" is assumed here, since the original omitted it):
SELECT name, address, phone
FROM users          -- table name assumed; the original had no FROM clause
WHERE active = 1    -- bit column; T-SQL has no TRUE literal
Attackers can use malformed SQL Server requests to exploit the flaw and inject malicious content into a database, potentially defacing a website or corrupting business transactions, which disrupts operations and can expose user accounts or information.
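As an added illustration (not from the original article, Microsoft or SEC Consulting), here is the article's query built by pasting caller input into the SQL text, beside the same query with the value bound as a parameter, so the malformed-request problem and its fix can be seen side by side. It assumes a "users" table with constructed sample rows and uses Python's bundled sqlite3 as a stand-in for SQL Server.

```python
import sqlite3

# Constructed sample rows standing in for a SQL Server "users" table.
# sqlite3 is used only because it ships with Python; the concatenation
# defect and the parameterized fix are identical on SQL Server.
SAMPLE_USERS = [
    ("alice", "1 Main St", "555-0100", 1),
    ("bob", "2 Oak Ave", "555-0101", 0),   # inactive: must never be returned
    ("carol", "3 Elm Rd", "555-0102", 1),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, address TEXT, phone TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Pastes the caller's input straight into the SQL text (the defect)."""
    sql = ("SELECT name, address, phone FROM users "
           f"WHERE active = 1 AND name = '{name}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query, but the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, address, phone FROM users WHERE active = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on one input; returns (vulnerable_result, safe_rows)."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        vulnerable = f"SQL error: {exc}"   # a stray quote alone breaks the statement
    safe = lookup_safe(conn, name)
    return vulnerable, safe


if __name__ == "__main__":
    # A well-formed name, a name with an apostrophe that breaks the pasted
    # statement, and a textbook malformed request whose trailing OR defeats
    # the active filter so that every row (including inactive bob) comes back.
    for probe in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The parameterized lookup returns the same rows for a legitimate name and nothing at all for the malformed inputs, which is the behaviour a reviewer should expect from any code that assembles SQL from request data.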
SEC Consulting reports having seen instances of this bug in the wild.