Welcome To SQLSecurity.com
This site is dedicated to those who are serious about security - specifically, Microsoft SQL Server security. Whatever your feelings about Microsoft, the bottom line is that these servers are showing up everywhere and it's time we learned how to properly secure them. At this site we do just that: we find problems, post solutions, and get the word out. If anyone tells you that security ends with the OS, they are dead wrong. Many times, excellent network and host-based security has been bypassed, exposing the very heart of the enterprise, all because of poor SQL Server configuration. "There is no 'patch' for stupidity." Have you blocked access to TCP 1433 and UDP 1434 from all untrusted clients? (TCP 1433 is the default instance's listening port; UDP 1434 is the SQL Server Resolution Service/Browser port that Slammer abused and that clients use to discover named instances. Named instances listen on other TCP ports that need blocking too, so check what your instance is actually listening on rather than trusting the defaults.) No? Then get to it!
Vulnerability in Extended Stored Proc Forces MS to Release a Patch 961040 - Thursday, December 25, 2008
You may often notice that the SQL Server recommendations on this site refer to disabling certain extended stored procedures. Here's why: Microsoft has released security advisory 961040 for a buffer overflow in an extended stored procedure that exists on both SQL Server 2000 and 2005. The extended stored procedure in question is master.dbo.sp_replwritetovarbin, and on a default install it is callable by any authenticated user. Exploit code is in the wild, so apply the advisory's workaround (denying EXECUTE on the procedure to public) immediately, and the patch as soon as it ships. In addition to the Microsoft advisory, you can read more here: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

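As an added example, not code from the original post or from Microsoft's advisory, here is the check-and-deny sequence a DBA can run in the interim; it is one practical form of "disabling" an extended stored procedure without dropping it. It assumes a login that can change permissions in master; the note about replication in the comments is an assumption to test on your own instance.

```sql
-- Added example (not from the original post or from Microsoft's advisory):
-- find out who can call the vulnerable extended stored procedure, then block
-- it for ordinary logins until the fix is installed. Run as a sysadmin.
USE master;
GO

-- Step 1: who can execute it today? sp_helprotect exists on SQL Server 2000
-- and 2005 alike. The row to look for is an EXECUTE grant to the public role,
-- which is what makes the procedure reachable by any login that can connect.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO

-- Step 2: take it away from everyone who is not a sysadmin. DENY overrides any
-- GRANT a login inherits through another role, and members of sysadmin bypass
-- permission checks anyway, so administrative tooling keeps working.
DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO

-- Step 3: verify that a DENY row now shows up alongside (or instead of) the grant.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO

-- Caveat (assumption, verify on a test instance): the procedure name suggests
-- replication uses it internally. If a non-sysadmin replication agent login
-- breaks, grant that one login back explicitly rather than reopening public:
-- GRANT EXECUTE ON dbo.sp_replwritetovarbin TO [replication_agent_login];
```

Keep the two sp_helprotect result sets as the before/after evidence for your change record. The DENY can stay in place after patching if nothing in your environment turns out to depend on the procedure.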
SQL Injection via Cookie attempts to exploit the new MSIE hole - Friday, December 12, 2008
SANS has an interesting analysis of a new SQL injection attack that uses cookie values, rather than form fields or query-string parameters, as the injection vector. We had a poster on the discussion forum who saw something similar a few days ago. This attack appears to be a hybrid: it uses SQL injection to put links into database table data, and those links send users to a site hosting the MSIE 0-day exploit (XML parser issue - http://isc.sans.org/diary.html?storyid=5458). The lesson is that any input the application concatenates into a query is an injection point, cookies included, not just the fields that appear on a form.

Web Application Firewall Discussion at ISC - Sunday, November 23, 2008
Due to the recent outbreak of SQL injection bots making the rounds, ISC made a recommendation of several web application firewalls. They do a good job of prefacing this with warnings about this being a stop-gap measure only, and I commend them for that. Unfortunately, I feel that these are a mixed-bag technology. While it is true that these tools can be useful in the short term, I fear that laziness being what it is (preferred), people will implement them in lieu of actually fixing the application(s). If you do implement these tools, please do so only when combined with fixed deadlines for actually addressing the real problems in your application.

BusinessWeek Hit by SQL Injection Attack - Monday, September 15, 2008
Here's another example of SQL injection on a very popular website. Again, I believe that the SQL injection based worms that are now appearing are going to have the positive side effect of forcing these sites to get their code fixed. What is frightening to think about is: how long has this vulnerability been present in the application, and how much sensitive information (customer subscription data) might already be lost? Again, the smart attackers don't advertise their presence.

New SQL Injection Worm Targeting MSSQL - Tuesday, August 12, 2008
Another worm is making the rounds. I really don't see much new in this particular variant, but it should be noted that the frequency of these attacks is increasing.

Buffer Overflow in SQL Server Convert Function - Tuesday, July 08, 2008
As part of the Black Tuesday release this month from Microsoft, we have a critical vulnerability in nearly all editions of SQL Server relating to the CONVERT function. Definitely get your patches in place for this one.

Microsoft Releases KB Article on SQL Injection - Tuesday, July 01, 2008
Good grief. You know SQL injection attacks are getting bad when Microsoft releases a KB article that doesn't even have to do with their code! I guess whatever helps spread the word is a good thing, but given how long SQL injection has been around, I'm not so sure that the problem is a lack of awareness. More than likely the problem is a lack of will, but maybe I am getting jaded. In any case, there are some freebies in the article, including an ASP source code scanner for SQL injection as well as links to HP's Scrawlr tool, which is a stripped-down version of WebInspect that focuses on SQL injection. Enjoy!

Researcher at Blue Hat Convention Has Bad News for SQL Server - Sunday, May 18, 2008
Well, bad news for SQL Server and nearly all other Windows services that implement impersonation, that is. Apparently, due to the way Windows Server 2003/XP and below handle impersonation in Windows services, it is possible to escalate privileges from services that would otherwise be running with a lower level of privilege. The attack was demonstrated by Cesar Cerrudo, and he used SQL Server as one of the example exploits (the attacker must already be a SQL Server sysadmin, i.e. able to run code in the service's context). Microsoft appears to have addressed some of the issues with Vista and Server 2008, but not entirely according to Cerrudo. It's worth keeping an eye on this one.

Massive SQL Injection Attack Targets Websites Using SQL Server - Friday, April 25, 2008
Looks like another mass SQL injection attack is making the rounds. The attackers likely used Google or another search service to select potentially vulnerable sites and then launched the attack from there. Yet another example of the importance of checking your code regularly for these types of vulnerabilities.

New Priv Escalation Security Vulnerability (951306) Affects SQL Server - Saturday, April 19, 2008
Applications that allow users to run code in an authenticated context (IIS, SQL Server) could be at risk from privilege escalation attacks. The threat to SQL Server is described as follows: "SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default." OK, so this is no SQLSlammer, since non-default configurations are required, but it is still worthy of mention.

Quick SQL 2008 Security Highlights Article - Wednesday, March 19, 2008
Kevin Beaver has highlighted some SQL Server 2008 features that may interest readers. Feel free to download the CTP and take it for a "spin" yourselves. I am impressed by the database encryption options, but I hope this won't lull developers into thinking they don't have to secure individual data fields. Database encryption addresses a different threat than field-level encryption does: someone stealing your MDF (or a backup) reads nothing useful from an encrypted database, but someone exploiting a SQL injection vulnerability on your site is querying through a login for which the database decrypts transparently, so only the fields the application itself encrypts stay protected. Kapeesh?

SQL Server 2008 CTP Released - Tuesday, February 26, 2008
Microsoft has released the CTP for SQL Server 2008. On the security side, Microsoft is touting the ability to encrypt entire databases, database files, backups, and logs. Most of this has been available from 3rd parties for some time. I guess I should see how many of those were purchased by Microsoft? (grin) They are also claiming improved auditing. The spec sheet talks about the Surface Area Configuration Tool, but that has been around for some time now; this sounds like a marketing re-hash.

Apologies for Forum Moderation Delays - Sunday, February 03, 2008
I wanted to personally apologize for the delay in discussion forum moderation. Usually I stay on top of this but have slacked off a bit as of late due to some external pressures and left some unmoderated messages out there for a week or so. I am working to keep the spambots at bay with CAPTCHA instead of moderation, so I should have something to alleviate this issue soon. Thanks for your patience and keep the questions coming!

First Mass SQL Injection Worm? - Tuesday, January 08, 2008
Apparently a new worm has appeared on the Internet that uses SQL injection to infect sites with malicious code and spread itself. The worm uses a SQL injection attack on Microsoft SQL Server and Sybase databases (as evidenced by the worm's attacks on the sysobjects table, the catalog it enumerates to find tables to infect). I seem to recall Caleb Sima of SPI Dynamics warning about this a few years ago. Take it seriously folks: SQL injection is everywhere. Notice how the author of the article closes with "Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack." He fails to realize that the problem is NOT with SQL Server. The problem is with the web application (or with MDAC, in the case of some of the payload exploit code).
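The following T-SQL is an added example, not from the original post, the news article or the worm itself, and it serves both this post and the cookie-based injection post above: it scans every character column in the current database for the tags these attacks append to stored data, walking the same catalog metadata the worm uses to find its targets. The tag fragments it looks for are an assumption about the payload and should be extended with whatever you see in your own logs; otherwise the script needs only read access to the database it is run in.

```sql
-- Added example: scan every character column in the current database for
-- the markers these injection worms leave behind (a <script> or <iframe> tag
-- appended to existing string data). Run it once per user database:
--   USE <database>;  then execute this script.
-- Compatible with SQL Server 2000 and 2005 (no nvarchar(max), no sys.* views).
SET NOCOUNT ON;

-- The tag fragments searched for are an assumption about the payload; add
-- your own (e.g. the hostname seen in the worm's injected links).
DECLARE @patterns TABLE (pattern nvarchar(100));
INSERT INTO @patterns VALUES (N'%<script%');
INSERT INTO @patterns VALUES (N'%<iframe%');

DECLARE @results TABLE (table_name nvarchar(260), column_name sysname,
                        pattern nvarchar(100), hit_count int);

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @pattern nvarchar(100), @sql nvarchar(4000), @hits int;

-- Enumerate string columns through the standard catalog views: the same
-- metadata the worm walks via sysobjects/syscolumns to pick its targets.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;

WHILE @@FETCH_STATUS = 0
BEGIN
    DECLARE pat_cursor CURSOR LOCAL FAST_FORWARD FOR SELECT pattern FROM @patterns;
    OPEN pat_cursor;
    FETCH NEXT FROM pat_cursor INTO @pattern;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME on every identifier keeps an odd table or column name from
        -- turning this scanner into an injection point of its own; the pattern
        -- travels as a parameter and is never concatenated into the statement.
        SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' WHERE ' + QUOTENAME(@column) + N' LIKE @p;';
        EXEC sp_executesql @sql, N'@p nvarchar(100), @n int OUTPUT', @p = @pattern, @n = @hits OUTPUT;

        IF @hits > 0
            INSERT INTO @results VALUES (@schema + N'.' + @table, @column, @pattern, @hits);

        FETCH NEXT FROM pat_cursor INTO @pattern;
    END
    CLOSE pat_cursor;
    DEALLOCATE pat_cursor;

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Anything listed here is data to inspect and clean, and a web application to fix.
SELECT * FROM @results ORDER BY hit_count DESC;
```

Every row this returns is a symptom, not the cause: clean the data, but the fix is the query in the web application that concatenated user input (form field, query string or cookie) into SQL in the first place.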