Qualys Blog

www.qualys.com

Patch Tuesday: December 08

This vulnerability in the Microsoft SQL Server product is highly critical, as it allows an attacker to remotely control the database and the underlying server. DBAs should immediately review the workarounds provided in the advisory and implement them as soon as possible. MS SQL Server is a highly popular product, as we saw in April of this year, when a SQL injection attack that specifically targeted websites driven by MS SQL Server was used to redirect users to websites serving malware. The effects of that attack are still visible on the internet: we can still see sites that fell victim to it and that have not been restored to an exploit-free state.

The potential exists for leakage of private data and major disruptions in critical MS SQL driven applications, such as e-commerce and HR. On the positive side, we believe that companies aggressively firewalled off their MS SQL servers from direct internet access after the traumatic Slammer worm in 2003, which should provide some protection from direct attacks. However, a smart attacker can easily pair this exploit with another attack mechanism, such as phishing, to get behind the corporate firewall and then attack all accessible MS SQL Server installations.

We expect that Microsoft is currently working on a patch and will release it out of band. Unlike the recent release of the Internet Explorer patch, deployment will be slow: MS SQL Server is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles before any such fix can be deployed.