Windows Vista Forums

Microsoft warns of SQL Server zero-day

Old 12-24-2008   #1 (permalink)
NormCameron
Master
Join Date: Aug 2008
Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86
Microsoft warns of SQL Server zero-day

Probably of no interest to anybody here, but who knows. Just in case.

"Microsoft issued an advisory late Monday warning of publicly available code that could be used to target an unpatched vulnerability in SQL Server.

In its advisory, the software giant warned of an authenticated remote code execution vulnerability in the MS SQL extended stored procedure. The issue causes an invalid parameter check opening a hole for an attack.
"All systems running one of the affected Microsoft SQL Server software where a malicious user is allowed to log on are at risk of exploitation of this vulnerability," Microsoft said. "In addition, Web applications with a SQL Server back-end database are at risk if a SQL injection vulnerability exists."

An attacker can exploit the flaw remotely as an authenticated user on the system, said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC). However, attackers could exploit the vulnerability as an unauthenticated user if they compromise a Web server via SQL injection, Sisk said.
The critical vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database (WYukon).
"We are aware that exploit code has been published on the Internet, however, we are not aware of any attacks attempting to use the reported vulnerability," Sisk said on the MSRC blog.
As a workaround, Microsoft is advising customers to deny access to the sp_replwritetovarbin stored procedure. Microsoft said the affected stored procedure will have no impact for the majority of its custo

Bernhard Mueller, a security consultant with SEC Consult, discovered the flaw earlier this month. He issued a T-SQL script to test for the vulnerability. In his advisory, Mueller said he received an email from Microsoft in September explaining that a fix for the vulnerability had been completed. So far, Microsoft has not ruled out an out-of-cycle patch release.
"By calling the extended stored procedure sp_replwritetovarbin, and supplying several uninitialized variables as parameters, it is possible to trigger a memory write to a controlled location," Mueller said in his advisory. "

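The workaround the article mentions (denying access to sp_replwritetovarbin) can be checked and applied from T-SQL. The script below is an added example and is not from the article, the post, or Microsoft; it assumes a SQL Server 2005 instance (the catalog views and HAS_PERMS_BY_NAME used here do not exist on SQL Server 2000) and that "deny access" is applied as a DENY EXECUTE to the public role.

```sql
-- Added example (not from the article or the forum post).
-- Assumption: SQL Server 2005 catalog views; workaround applied as
-- DENY EXECUTE ... TO public in the master database.
USE master;
GO

-- 1. Is the procedure present on this instance?
--    type 'X' = extended stored procedure, 'P' = T-SQL stored procedure.
SELECT name, type, type_desc
FROM sys.objects
WHERE name = N'sp_replwritetovarbin'
  AND type IN ('X', 'P');

-- 2. Which principals currently hold (or are denied) EXECUTE on it?
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc       -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1        -- object-level permissions only
  AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin');

-- 3. Apply the workaround: deny EXECUTE to every login via the public role.
--    Replication features that call this procedure would stop working;
--    the article notes the procedure is unused by the majority of customers.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 4. Re-check from the viewpoint of the current login.
--    HAS_PERMS_BY_NAME returns 1 if the caller may execute the object, 0 if not.
--    Members of sysadmin bypass all permission checks, so run this
--    as a low-privilege login (for example with EXECUTE AS LOGIN) to
--    confirm the DENY is effective for ordinary users.
SELECT HAS_PERMS_BY_NAME(N'sp_replwritetovarbin', N'OBJECT', N'EXECUTE')
       AS current_login_can_execute;
```

Step 2 is worth re-running after step 3 so the DENY row shows up in the permission listing and you have a record of what was changed.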
Old 12-24-2008   #2 (permalink)
NormCameron
Master
Join Date: Aug 2008
Windows 7 Ultimate 32 bit Beta, Vista Ultimate x86
Re: Microsoft warns of SQL Server zero-day

I just realised, many software packages now silently install SQL Server Express as their database, so many home computers have this vulnerability without even knowing it. People see Windows Update and/or news articles and assume it doesn't apply to them. But in the Windows world there are a lot of SQL Servers installed out there.

So check what your programs may be using. SQL Server is used in many accounting programs.

Norm

Vista Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd