December isn’t turning out to be a great month for Microsoft security — unless you’re a hacker.
Late Monday, Microsoft issued an advisory warning of a new zero-day vulnerability in its SQL Server database application. The warning is the second zero-day vulnerability
The vulnerability could allow remote code execution on affected servers. It is not easily exploitable, however: the attacker must already be able to authenticate to the SQL Server instance, or must reach it through an existing SQL injection flaw in an application that uses the database.
“To successfully exploit this vulnerability, an attacker must be a local, or remote, authenticated user on the system,” Bill Sisk, security response communications manager for Microsoft, said in a statement. “However, if an attacker has already compromised a Web server via SQL injection, they could exploit this vulnerability as an unauthenticated user.”
The new zero-day SQL flaw is also limited in its scope, as it doesn’t affect all currently supported versions of Microsoft’s SQL Server. According to Microsoft, the vulnerable versions are: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). The more recent Microsoft SQL Server 2008 and the older Microsoft SQL Server 7.0 Service Pack 4 are not at risk.
Microsoft noted in its advisory that it is aware that exploit code has been published on the Internet for the SQL vulnerability. However, the company added that it currently is not aware of active attacks that use the code.
The actual threat stems from inadequate validation of a parameter passed to a Microsoft SQL extended stored procedure called “sp_replwritetovarbin”. Any database login permitted to execute that procedure, including one reached through a SQL injection flaw in a front-end application, can pass it a malformed parameter that corrupts memory and can lead to code execution in the context of the SQL Server service.
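The following T-SQL is an added example and is not code from the article or from Microsoft’s advisory. It shows how an administrator can check whether the procedure is present, who can execute it, and how to apply the pre-patch workaround Microsoft published with the advisory, denying EXECUTE on the procedure to the public role. The catalog views used (sys.objects, sys.database_permissions, sys.database_principals) are assumed to be SQL Server 2005; on SQL Server 2000 and MSDE the same information lives in sysobjects and sysprotects.

```sql
-- Added example, not from the article or the advisory.
-- Assumes SQL Server 2005 catalog views; the extended procedure lives in master.
USE master;
GO

-- 1. Is the vulnerable extended stored procedure present on this instance?
--    type 'X' marks an extended stored procedure in sys.objects.
SELECT name, type_desc
FROM sys.objects
WHERE name = N'sp_replwritetovarbin' AND type = 'X';
GO

-- 2. Who may execute it? An EXECUTE grant to public means every login that can
--    reach the instance, including one riding an existing SQL injection flaw,
--    can call the procedure with a malformed parameter.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1                                   -- object-level permission
  AND pe.major_id = OBJECT_ID(N'sp_replwritetovarbin');
GO

-- 3. Workaround until a patch ships: deny EXECUTE to public.
--    The procedure belongs to the replication feature, so if this instance
--    participates in replication, test that it still works afterwards.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 4. Re-run the query in step 2: the row for public should now show
--    state_desc = 'DENY'. Logins in the sysadmin role bypass DENY, so the
--    workaround only protects against low-privilege logins, which is exactly
--    the SQL injection case the advisory describes.
```

The last comment is the caveat a practitioner should keep in mind: DENY does not constrain members of sysadmin, so an application that connects to the database as sa or another sysadmin login gains nothing from the workaround and should be moved to a least-privilege login regardless of this particular flaw.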
According to a blog post from Patrick Nolan, a handler at the Internet Storm Center, the SQL vulnerability was originally reported to Microsoft in April.
“Microsoft opened an investigation for this vulnerability in April upon the initial report by the security researcher,” a Microsoft spokesperson told InternetNews.com. “We immediately started an investigation and have been working on this issue since that time.”
A patch for the SQL vulnerability is not yet public. Microsoft noted in its advisory that it will take “appropriate action” to protect customers, without saying what that action will be. That could mean a patch as part of the next monthly Patch Tuesday update in January, or it could be an out-of-cycle patch.
Microsoft issued an out-of-cycle patch last week for a zero-day flaw for its Internet Explorer Web browser. The zero-day IE flaw had been overlooked in Microsoft’s December Patch Tuesday effort, which also did not include any SQL Server updates.
Update adds comment from Microsoft spokesperson.