SQL Server Springs Another Leak
Security researchers in July warned Microsoft of flaw in SQL Server agent; no patch is available yet.Security researchers have found a new flaw in Microsoft Corp.s SQL Server database software. The problem lies in the SQL Server agent, which is responsible for various functions, including running scheduled jobs and restarting the database service if it stops. By default, low privileged users can add jobs to the SQL queue and specify the name of a file to output the results of the job to. If specifying a file name that already exists, a user can overwrite that file. If it is a new file name, the database will simply create a new file.
By carefully crafting the database query for a given job, a user can place any contents in this file, according to a bulletin released Monday by Next Generation Security Software Ltd.