[thelist] News Item: Major Security Flaw in MS SQL Slows Internet

Ken Schaefer ken at adOpenStatic.com
Mon Jan 27 22:31:01 CST 2003


A couple of quick corrections...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: the same bug has also existed and remained undetected in MSDE 2000, the
: "MS Data Engine" which shipped originally in October of 1998 (as part of
: Access 2000, per MS press release)
: http://www.microsoft.com/presspass/features/1998/10-21msde.asp and has now
: been on the market as production code for over three years.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a) MSDE is SQL Server.
b) the MSDE that shipped with Access2000 is the SQL Server 7 core engine,
and is not vulnerable

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: in addition to SQL Server 2000 the bug also affects just a couple of
: other MS tools, as well, including:
:
:   Visual Studio .NET (Architect, Developer, and Professional Editions),
:   ASP.NET Web Matrix Tool,
:   Office XP (various versions),
:   MSDN (various subscription levels),
:   Access 2002 of course, and
:   Visual FoxPro 7.0 and 8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MSDN isn't a product.
OfficeXP would only be vulnerable if you installed Access2002.
ASP.Net Web Matrix doesn't use MSDE or SQL Server and isn't vulnerable (you
have the option of downloading MSDE if you need/want a database engine to
work with).
Ditto VS.Net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: but yet amazingly, each of the well-paid teams of Microsoft developers
: responsible for reviewing the code for all of these core MS products have
: underwhelmed us once again by failing to review the un-sexier code bits to
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, there's only 1 bit of code, so there'd only be one team reviewing it
(the SQL Server team). So don't be so "amazed". And don't be amazed that
there are bugs. Every major product has bugs. When this bug was reported, a
fix was issued - that was 6 months ago. If one had installed /any/ of the
cumulative patches since then, one would have been right. Anyone hit by this
(and who knowingly had SQL Server installed on their machine) is *way*
behind in their patches...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:  i guess i'd just prefer my buffer
: overflows to be pointed out to me by self-styled volunteer security pundits
: casually perusing my open source code, in hopes of raising their own
: prestige among their colleagues in the industry than by script kiddies
: looking to make the evening news by exploiting it and earn cracker bragging
: rights by single handedly bringing the internet.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...well, the patch has been there for quite some time. There aren't "script
kiddies" discovering this stuff. It's already been discovered, and
discovered a long time ago. AND A FIX EXISTS. Even if one had waited for SQL
Server Service Pack 3 and installed that, one would have been right...

Cheers
Ken


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "David Kaufman" <david at gigawatt.com>
Subject: Re: [thelist] News Item: Major Security Flaw in MS SQL Slows Internet


: Hugh Blair <hblair at hotfootmail.com> wrote...
: >> On Behalf Of David Kaufman
: >> not to start a flame war or anything... but I do hope that this
: >> brings a bit of balance to the commercial vs. open source debate.
: >
: > No flame war here, but a little confusion.
: >
: > Why should any of what happened today "bring a bit of balance" to
: > anything? Yes, there *was* an exploit possible, but more importantly,
: > there's been a fix for it out for months. Those users that didn't keep
: > their systems updated are the ones that helped propagate this problem.
:
: true.  i wasn't implying that sysadmins of MS systems were any more or less
: likely to ignore their responsibilities.  i was just pointing out that,
: exactly like the CVS security flaw recently discussed here (which cavalierly
: attributed to the inherent unreliability of the volunteer developers of open
: source software), this was a similar buffer overflow exploit that allowed
: the attacker to execute arbitrary code on the server within the security
: context of the vulnerable software.  unlike CVS however, this failure to
: review and repair this bit of code was not by a haphazard band of hippie
: volunteer developers who you can't trust anyway, but by The Legions of
: well-groomed and well-paid Software Engineers of Microsoft (insert choir of
: angels singing here, as rays of sunlight pierce the clouds to pinpoint
: Redmond Washington) *despite* their professional management by whole
: departments full of professional managers, who themselves are no doubt
: impeccably directed by dozens of qualified software development directors,
: and double-checked by a Whole Lot of Really Good "quality assurance" folks
: who assure the managers and directors that everything is of very high
: quality.
:
: CNN spared MS the embarrassment of pointing out that this security flaw in
: one of Microsoft's flagship products, finally noticed and patched last
: summer (july of 2002) had previously existed in the SQL Server 2000 code for
: 2 and a half years, completely undetected and, according to the relevant MS
: security bulletin http://www.microsoft.com/security/bulletin/MS02-039.asp
: the same bug has also existed and remained undetected in MSDE 2000, the
: "MS Data Engine" which shipped originally in October of 1998 (as part of
: Access 2000, per MS press release)
: http://www.microsoft.com/presspass/features/1998/10-21msde.asp and has now
: been on the market as production code for over three years.
:
: in addition to SQL Server 2000 (Developer, Standard, and Enterprise
: Editions), the bug also affects just a couple of other MS tools, as well,
: according to
: http://isc.incidents.org/analysis.html?id=180 including:
:
:   Visual Studio .NET (Architect, Developer, and Professional Editions),
:   ASP.NET Web Matrix Tool,
:   Office XP (various versions),
:   MSDN (various subscription levels),
:   Access 2002 of course, and
:   Visual FoxPro 7.0 and 8.0
:
: but yet amazingly, each of the well-paid teams of Microsoft developers
: responsible for reviewing the code for all of these core MS products have
: underwhelmed us once again by failing to review the un-sexier code bits to
: unearth this internet-stopping buffer overflow vulnerability, for years,
: allowing hackers to exploit it in yet another astonishingly newsworthy DDOS
: attack brought to you by Microsoft bugs.
:
: ah well.  no one's perfect.  not even a staff and a salary can replace
: simply giving a shit, now can it?  i guess i'd just prefer my buffer
: overflows to be pointed out to me by self-styled volunteer security pundits
: casually perusing my open source code, in hopes of raising their own
: prestige among their colleagues in the industry than by script kiddies
: looking to make the evening news by exploiting it and earn cracker bragging
: rights by single handedly bringing the internet.
:
: -dave



