Welcome To SQLSecurity.com
This site is dedicated to those who are serious about security - specifically, Microsoft SQL Server security. Whatever your feelings about Microsoft, the bottom line is that these servers are showing up everywhere and it's time we learned how to properly secure them. At this site we do just that. We find problems, post solutions, and get the word out. If anyone tells you that security ends with the OS, they are dead wrong. Many times, excellent network and host-based security has been bypassed, exposing the very heart of the enterprise, all because of poor SQL Server configuration. "There is no 'patch' for stupidity." Have you blocked access to TCP 1433 and UDP 1434 from all un-trusted clients? No? Then get to it!
New SQL Injection Worm Targeting MSSQL - Tuesday, August 12, 2008
Another worm is making the rounds. I really don't see much new in this particular variant, but it should be noted that the frequency of these attacks is increasing.

Buffer Overflow in SQL Server Convert Function - Tuesday, July 08, 2008
As part of the Black Tuesday release this month from Microsoft, we have a critical vulnerability in almost all editions of SQL Server relating to the Convert function. Definitely get your patches in place for this one.

Microsoft Releases KB Article on SQL Injection - Tuesday, July 01, 2008
Good grief. You know SQL injection attacks are getting bad when Microsoft releases a KB article that doesn't even have to do with their code! I guess whatever helps spread the word is a good thing, but with the time period that SQL injection has been around I'm not so sure that the problem is a lack of awareness. More than likely, the problem appears to be a lack of will - but maybe I am getting jaded. In any case, there are some freebies in the article, including an ASP source code scanner for SQL injection as well as links to HP's Scrawlr tool, which is a stripped-down version of WebInspect that focuses on SQL injection. Enjoy!

Researcher at Blue Hat Convention Has Bad News for SQL Server - Sunday, May 18, 2008
Well - SQL Server and almost all other Windows services that implement impersonation, that is. Apparently, due to the way Windows Server 2003/XP and below use impersonation in Windows services, it is possible to escalate privileges from services that would otherwise be running with a lower level of privilege. The attack was demonstrated by Cesar Cerrudo, and he used SQL Server as one of the example exploits (the user must be a SQL System Admin). Microsoft appears to have addressed some of the issues with Vista and Server 2008, but not entirely, according to Cerrudo. It's worth keeping an eye on this one.

Massive SQL Injection Attack Targets Websites Using SQL Server - Friday, April 25, 2008
Looks like another mass SQL injection attack is making the rounds. The attackers likely used Google or another service to select potentially vulnerable sites and then launched the attack from there. Yet another example of the importance of checking your code regularly for these types of vulnerabilities.

New Priv Escalation Security Vulnerability (951306) Affects SQL Server - Saturday, April 19, 2008
Applications that allow users to run code in an authenticated context (IIS, SQL Server) could be at risk from privilege escalation attacks. The threat to SQL Server is described as follows: "SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default." OK - so this is no SQLSlammer, since non-default configurations are required, but it is still worthy of mention.

Quick SQL 2008 Security Highlights Article - Wednesday, March 19, 2008
Kevin Beaver has highlighted some SQL Server 2008 features that may interest readers. Feel free to download the CTP and take it for a "spin" yourselves. I am impressed by the database encryption options, but I hope this won't lull developers into thinking they don't have to secure individual data fields. Database encryption addresses a different threat than field-level encryption does. For example, someone stealing your MDF poses a different threat than someone exploiting a SQL injection vulnerability on your site. Kapeesh?

SQL Server 2008 CTP Released - Tuesday, February 26, 2008
Microsoft has released the CTP for SQL Server 2008. On the security side, Microsoft is touting the ability to encrypt entire databases, database files, backups, and logs. Most of this has been available from 3rd parties for some time. I guess I should see how many of those were purchased by Microsoft? (grin) They are also claiming improved auditing. The spec sheet talks about the Surface Area Configuration Tool, but that has been around for some time now - this sounds like a marketing re-hash.

Apologies for Forum Moderation Delays - Sunday, February 03, 2008
I wanted to personally apologize for the delay in Discussion Forum moderation. Usually I stay on top of this but have slacked off a bit as of late due to some external pressures, and left some un-moderated messages out there for a week or so. I am working to keep the spambots at bay with CAPTCHA instead of moderation, so I should have something to alleviate this issue soon. Thanks for your patience and keep the questions coming!

First Mass SQL Injection Worm? - Tuesday, January 08, 2008
Apparently a new worm has appeared on the Internet that uses SQL injection to infect sites with malicious code and spread itself. The worm uses a SQL injection attack on Microsoft SQL Server and Sybase databases (as evidenced by the worm's attacks on the sysobjects table). I seem to recall Caleb Sima of SPI Dynamics warning about this a few years ago. Take it seriously, folks - SQL injection is everywhere. Notice how the author of the article closes with "Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack." He fails to realize that the problem is NOT with SQL Server. The problem is with the web application (or with the MDAC in some of the payload exploit code).

New "Tiger Team" TV Show Focuses on Penetration Testing - Wednesday, December 26, 2007
While the overall effectiveness of penetration testing as a security mechanism is debatable, it sure is fun. Apparently Court TV (soon to be called "Tru TV") has figured this out as well and has a new series where security professionals (clad in DEFCON t-shirts galore) break into car dealerships, jewelry stores, and other high-value targets as pen-testing consultants. I haven't seen them using any database or application attacks yet, but it will probably happen eventually as they routinely gain remote access to internal networks.

Commercial Tools Page Added - Sunday, November 04, 2007
I have added a page to the site to host security tools I have created for security engagements and/or other projects. Of course, I fully intend to release free tools on a regular basis relating to SQL Server security (as noted by the recent release of the command-line version of SQLPing3). Many of these tools are very useful as well and can be purchased at a reasonable cost. The first tool is DHCP Sentry, a tool to help you locate rogue, unauthorized DHCP servers on your network.

SQLPing3 Command Line - Alpha Release - Wednesday, October 24, 2007
I have finally posted an alpha release of the command-line version of SQLPing3. Please provide any feedback at the download area for any errors or comments you have concerning this version. Keep in mind that this alpha release only contains the high-level switches. The ability to disable or alter the scan options will come later once the application is stabilized. For now the command-line switches are as follows:

SQLPing3cl - SQLPing3 Command Line version - alpha release
Syntax: sqlping3cl.exe -scantype [range,list,stealth] -StartIP [IP] -EndIP [IP] -IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]