SQL Server security vulnerability (a new one!)
I almost posted this last night, but those of you in the security business would have (SHOULD HAVE) been aware of it by then, and some of the rest of you don’t care anyway! (…until your bank balance disappears or you cannot use the ATM, for example. 
)
Microsoft issued an advisory late Monday, December 22, 2008, which confirmed that a vulnerability that allows remote code execution affects SOME of its SQL Server products. Of course, CNET was right on top of it.
From the advisory:
“Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.”
Also from the advisory:
“Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.
In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.”
For more information, those of you who use SQL Server can refer to Microsoft’s site. Good luck!
-Bill at Cheshire Cat Photo™
You can view higher-resolution photos (*generally* 7-30 megabytes, compressed) at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. Apparel and other gifts decorated with some of our most popular photos can be ordered from the Cheshire Cat Photo™ Store on CafePress®. Both Shutterfly™ and CafePress® ship to most international locations worldwide! If you don’t see what you want or would like to receive an email when new photos are up on the site, send us an email at info@cheshirecatphoto.com.
