[thelist] News Item: Major Security Flaw in MS SQL Slows Internet

David Kaufman david at gigawatt.com
Sun Jan 26 00:50:01 CST 2003


Hugh Blair <hblair at hotfootmail.com> wrote...
>> On Behalf Of David Kaufman
>> not to start a flame war or anything... but I do hope that this
>> brings a bit of balance to the commercial vs. open source debate.
>
> No flame war here, but a little confusion.
>
> Why should any of what happened today "bring a bit of balance" to
> anything? Yes, there *was* an exploit possible, but more importantly,
> there's been a fix for it out for months. Those users that didn't keep
> their systems updated are the ones that helped propagate this problem.

true.  i wasn't implying that sysadmins of MS systems were any more or less
likely to ignore their responsibilities.  i was just pointing out that,
exactly like the CVS security flaw recently discussed here (which was cavalierly
attributed to the inherent unreliability of the volunteer developers of open
source software), this was a similar buffer overflow exploit that allowed
the attacker to execute arbitrary code on the server within the security
context of the vulnerable software.  unlike CVS however, this failure to
review and repair this bit of code was not by a haphazard band of hippie
volunteer developers who you can't trust anyway, but by The Legions of
well-groomed and well-paid Software Engineers of Microsoft (insert choir of
angels singing here, as rays of sunlight pierce the clouds to pinpoint
Redmond Washington) *despite* their professional management by whole
departments full of professional managers, who themselves are no doubt
impeccably directed by dozens of qualified software development directors,
and double-checked by a Whole Lot of Really Good "quality assurance" folks
who assure the managers and directors that everything is of very high
quality.

CNN spared MS the embarrassment of pointing out that this security flaw in
one of Microsoft's flagship products, finally noticed and patched last
summer (july of 2002), had previously existed in the SQL Server 2000 code for
2 and a half years, completely undetected and, according to the relevant MS
security bulletin http://www.microsoft.com/security/bulletin/MS02-039.asp
the same bug has also existed and remained undetected in MSDE 2000, the
"MS Data Engine" which shipped originally in October of 1998 (as part of
Access 2000, per MS press release)
http://www.microsoft.com/presspass/features/1998/10-21msde.asp and has now
been on the market as production code for over three years.

in addition to SQL Server 2000 (Developer, Standard, and Enterprise
Editions), the bug also affects just a couple of other MS tools, as well,
according to
http://isc.incidents.org/analysis.html?id=180 including:

  Visual Studio .NET (Architect, Developer, and Professional Editions),
  ASP.NET Web Matrix Tool,
  Office XP (various versions),
  MSDN (various subscription levels),
  Access 2002 of course, and
  Visual FoxPro 7.0 and 8.0

but yet amazingly, each of the well-paid teams of Microsoft developers
responsible for reviewing the code for all of these core MS products has
underwhelmed us once again by failing to review the un-sexier code bits to
unearth this internet-stopping buffer overflow vulnerability, for years,
allowing hackers to exploit it in yet another astonishingly newsworthy DDOS
attack brought to you by Microsoft bugs.

ah well.  no one's perfect.  not even a staff and a salary can replace
simply giving a shit, now can it?  i guess i'd just prefer my buffer
overflows to be pointed out to me by self-styled volunteer security pundits
casually perusing my open source code, in hopes of raising their own
prestige among their colleagues in the industry than by script kiddies
looking to make the evening news by exploiting it and earn cracker bragging
rights by single-handedly bringing down the internet.

-dave
