Microsoft Acknowledges Critical SQL Server Flaw
Microsoft is investigating new public reports of a vulnerability that could allow remote-code execution on systems with supported editions of its Microsoft SQL Server products.
Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, and Windows Internal Database are affected. Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.
“Microsoft is aware that exploit code has been published on the Web for the vulnerability addressed by this advisory,” Microsoft said in its security advisory. “Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.”
Alerting All Database Admins
According to Wolfgang Kandek, CTO of Qualys, the vulnerability in Microsoft’s SQL Server product is highly critical. Database administrators, he said, should
“MS SQL Server is a highly popular product as we have seen in April of this year, when [an] SQL-Injection vulnerability that specifically targeted MS SQL Server-driven Web sites was used to redirect users to Web sites serving malware,” Kandek said. “The effects of that attack are still out on the World Wide Web, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit-free state.”
Kandek said the potential exists for private information leakage, as well as major disruptions in critical Microsoft SQL-driven applications, such as e-commerce and HR. On the positive side, Qualys believes companies have aggressively firewalled off their Microsoft SQL Server from being accessible directly on the World Wide Web after the traumatic Slammer worm in 2003. That, Kandek said, should provide some protection from direct attacks….
Original post by dhiram