|
|
|
Microsoft Downplays SQL Server Database Vulnerability
By: Brian Prince
2009-09-02
Article Rating: / 8
There are 8 user comments on this Network Security & Hardware story.
Microsoft is disputing the severity of a vulnerability found in its SQL Server database that security researchers say exposes administrative passwords. The vulnerability, uncovered by Sentrigo, can be exploited remotely in SQL Server 2000 and 2005.
Microsoft is downplaying a SQL Server security flaw that could be
exploited by someone with administrative privileges to see users'
unencrypted passwords.
The vulnerability was discovered last year by database security
vendor Sentrigo when one of their researchers noticed that the
unique string of their personal password was visible in memory in SQL
Server. Since then, it has touched off a bit of back-and-forth between the vendor and Microsoft, which contends the vulnerability is a non-issue because it requires administrative access.
While officials at Sentrigo concede that administrative access is
necessary for an exploit to work, they also contend that many
applications are deployed with administrative privileges meaning that
hackers could potentially use a SQL injection vulnerability to access administrative passwords.
"Passwords used to login to SQL Server are stored in memory in clear
text," explained Sentrigo CTO Slavik Markovich. "These are not erased
until SQL Server is restarted, so (they) may in many cases include
passwords going back for weeks or months in production environments. It
is a simple matter of dumping memory in byte format, and reviewing the
contents looking for usernames, which will be followed by the password."
Compromising those passwords can have broad implications since many people use the same set of passwords for multiple systems, he added.
In the case of SQL Server 2000 and 2005, attackers can exploit the situation remotely. There is some mitigation for users of SQL Server 2008 however, because Microsoft removed the DBCC utility. Local connections however can still exploit the issue.
Despite this, Microsoft contends the vulnerability is much ado about nothing.
Microsoft
has thoroughly investigated claims of vulnerabilities in SQL Server and
found that these are not product vulnerabilities requiring Microsoft to
issue a security update, a spokesman said. As mentioned by the
security researchers, in the scenario in question, an attacker would
need administrative rights on the target system.
An
attacker who has administrative rights already has complete control of
the system and can install programs; view, change, or delete data; or
create new accounts with full user rights, the spokesman added.
While
administrators can normally reset a users password if needed, best
practices in security do not allow even administrators to see the
actual passwords of other users, Sentrigo officials said. This is
an even greater problem as many enterprises need to comply with various
standards and regulations that require strict segregation of duties,
something that is clearly violated by sharing all users passwords with
the administrators, Sentrigo contends.
In response to the situation, the security vendor has released a free utility to erase these passwords. The utility can be downloaded starting today from the companys Web site.
 |
|
|
�������x}vH9�Nj0��`mx�U=�!%�IEK?s%�7"3�H�U\lP"3"#"#####�I"�G3L{B(ٟ9УKM�I};_�AiZN)�##5[�rD5� a�5˜صNm:��p��Xwd�>J�`OS{Su�)5'Sߙ \/3mB=�F��\�3�Ѣe��g"l_P)t�yO<iZN\1)?%ߙ����Q矉XqB���ǎK;�߃*#x8܉i/DaO�䰐x5�E�xL#|x\'{OɀY�F�
z.Q^�71�Y~�4�
b'*cO^3h��aŠ��~-c��w\�v5#wJ3q'9"�ScO$ѡ�U�N&IF 0�9�Q#@PWw,Dž)+Ta3cmfZ�55x-y5@ܱ=ǥ�>B�c�3E5�O_FBS f5[a�WJ1̋G)g�?L�G$9N؎MWEn�O�MKm_j|�4n:�8&�z3z�x��9a#�6�м)g_2o:v�t\a_eY3�ML.oS_֭�U)jpR�
G'{C
L{ĩ̙ugNn)�U-�u��u7�Y}��ж�G^Ԣz�Cm�}lu:Qt�{A~�$Vj��}�&D%\.�Ofq&0h>է6ttB�,>"yd�[^ ����Ղz��.�=-bGaF`%�pfQ�2iu:hՠus}Ƞuvyzn#|c9̠T*
PFfP�K`W:�1㽩So=o>_sܶ>9ݐfcGV,\Bg#j�`BmIuu¿�L`KėvO^3S�&�ںa#U#IɽGf;�|n�o]8HN,7�M!��\L�%˭�Ņw܉�]*���R%�=^fD/\��RRG��3�Al8{ÈWTһ*-�j�\�Aw7ʺ9Q٤�+k\M]�臘��p=��7&_=m�LqJ�j�`�X.B2iKB0:8W5MGR>LGa�^,�)߂WL �F�̶-a[9S��k�k?�z`�贆�;mFݟ�Ϩa.ff۱9z��4$�AC62^lK5}j���>= ä��p;p:OtmQ({�r`A}6g`sokii#���q)�x?ɜ�)
W�)@.X�mI|t�"AђF��(�4� �gsSX"C"'K`[X�ɏ;�.VJq+TbD0�JnO�u$u3TJϥCstGe�-n^
�d6g�2+ILIG]7-&D7rB�e�.G �7Kᙖ6@FZ<<,Q
Nhܛ�M݄%�1tAϼ�2H�`0�HC"�;NM:� x:��-|o@Cyw{J`0aEiŬ`)9���i\X#,TifB7g
�ƩOI|��B3\
H8M�lz:I<`*�,q;rk�dž�fXi8N{�=7q
�T�fҬ|r�Y2��T۪v39n !+p�WY� ��2cdRUy�pt̝�m�N7 \��P{`CLE�7�*�Cɥ0$�lu6��6t>D=tl=50_{ܰ탡�rQ�GjxS#S�aIZR�j%�5�k-,!0(2�@7$X�Q��[�咖bt�u9s �ڇc]ҟڃu@n&cO~R9���?�']dpSNjФ0V�}2Pa�BUJl�31{-F�*^=�W(���+�圑�б٫Agme?o/�{UC�t_87��y+��@o��Lu�D�m�Ǧ��#Z`"q6,
EEh~�5<2.eX"�{��;qI�hO¹9f1|��*J�0"B(cǝyyrayް~Qm&w"
Dw<�M��Jm�[̜��֥N�ǙXT+[pnbP1C)Xk;����\}*O#X�u�~H>Lb�Rh��
F��B�Oj���-[�P*:��#;8f�t�_܁��,C>�.Pō{c�?4�]u�Yf"F�t!Vb�}�jYQJCR�g���2�:ƛS��:1pyL��vH�e�.̑<]I0��#'JǦ8H�z0�o`!ZP�Ŗῦ
wO���g�: �C\4�<�`S�(z`0$64w�
]QӲs��Ԑ@<��0+%!N��ksN�$�?G{ݮc65>�k}�SS
jQa߯EY�P^مH��B���dD}t=k�;J8KMf1��~��{A1%l
7͐*8e$Lbc���RMV-u+
"b>�7^GozL�>YȓsԵ`se#�k jMsE9Ly{k��^
Ֆ�W9.^٨��ڝ<�~�꿯���c2�R*?�] ;+2gPכK��3fuq�WJUfS?x�Ji�=MSX�/r��D m~琩oc�c��uNfqH���I]3�am?Qna�0�e�P
o|Fn
-v�f#Xi�̋/��l䌇%b�
"9&K8.h#2"��}XM_�'fP� X%7j�A&�節e�tᣤj6�bE)�bj>*�5*9MLt��� J �l�v�~H͕�5`HOB�B�59(��a
���2���OvFn�ESA�|)�u Jl�[!i\�� ma-a2,{`�\]-HǏ5 �Z�L�4CdE�)�ijURբTE'�LؾEmA( Gqd:)iQ}}0DOwO�
&yX|uC��aE拑T>TC*mT)NߓJ�tM��q]C0aY)��ݥ,�P.��:Kl�d:[(�
�`C/)�(+RJ "4FI'z\G�>gY�APANQ�):�Qrۿh/E$}1�y*}y:}4~hOWk0Nw2ࠇg
�Rf#u��0?x�S)9���OH��Ca�]Z�ilu�z{LaP;DZ3pu*�Ihwܻ8�^]^6D20�Y,7[
VlG0_Ӹ\b��`"�,GDt�CTո�
f껐UO~,��KtH1��|<ÃFK'"H-rL.Q0}~R9:Hl�7M�Ҷh>HАݛ�wܼ6䌜71~7~[ojO�0�6oR<��i?{ʶ*CWq�j[:�`*Q8�Dh�H^md["+2�NI˅^x9:���Z���,F��Jf�8���6hјAxal}W�C]jpb_s T�!?7?jWgpKw�
�z+>+-R!UkE��7_cUK+��7yeU�j
ȓG��Do!i�>R{�_�14�+ߙL,*z3\mv[fvÏ9&i
�!NZ�;wl�or�70G G�f79; 9���Aqq�pvn
֔I���iCDHߛӾrEs ��_5D��a'�ZYOC,'�?&�c+YT^�1;l�V���3S�O�pM�n
W&/6o)�.w�i{\n�a�A ^ލ\�"�t�(ı��KCƣ3ӆUec\ɭ4Nߊ��ra�jp$%f8rH{��{J;8��$}]��*K�f]vGlC
Iҥc��w�!]2�q�e�hE:�>xޯREp|b &�H�L",UiԔbA3ou|;<Ţ�}
i%=���7,N�MjY#��ԔS�Wv
rE�SN@(9�yE�[vTn(,�aɛ�sDR�}F���V<�gV&r<�uzX/&�cqN�HcB��<1k+r�cⸯp�oL.i� �dZ�',J�t
dTdz26iଷ�YM4�T�W gik�JRuL$ɉc1ӞaS�0Ojj�[s"v
F�/[�OKU㶑� ^t@^ʡ,�;�_6�RѡD`�R�LE6%
"g=c*/�� [
>#'k�u ۓ(^1g�1���C%�SȠ>o�caey�6\/bDcG'1bc�/9>Sԟ0WR]CJU ȓ7�ᷜ�q
ˬ�)�T1az2]�'h�3Qf��5$+LZa)H";2�Hgl�RP>*�(Ə�;&�> �> &`0; OB+P!'!Rj!S^��:=6罿Sd~
K")Cr����7'c�Ig��-Rߑ>.,���#i�"�:YRa�wFP%t#M�-}N�_�C�Q�zNί|I^+8B��Oј:Ⱦ'3Q=�bx �ːF�FC&P6c��'r �Jx��{�eG^��(B�?͝�*�*R-���K�m�SӾC7F�/\*]CԺ�tX�[q:� �I�H�$�`g# w~ *pk�+
d31u8w��11os � ֦'�_r
gy��+f^�8_��0�W~s`s`s`s`��R*+w`G*ɝxI')LT�,\�A��q-CRʡj�P���*˝�Bd:= �9eկ3+4�<.'%?_J}( Ft�>܍wp�Hċ�_$"[q�/�6 H=]:[jK�0��
B` ˓P�u{^>LKSF=���R���S�W�/J,O!G /mH/��Qn+]Pߓ4x�˹ӎ ˟�Fw0)g�|G^ ?bJKǪ^=ۉ��0��v�3�[j-)L ����cs|aNޔa�D'� xL&v�O�x"iL5(��ňU)H[rf͎ȃS%X9�3�+Ði%uwtwC_%,�[Urc��M�Ӹ!|bXR�mZxޓ.HƓx0�ce:i8�����⊕ju¹�S(§Hˇw$'gFu�ނӧ3/-cYߪڟ�k\�em"S<\�`|@`#���H�!2����q��5,pJ�ZM<铳S�ʇ�-C>Jp���jAT!W3O>@|{l[W�|]m{jxύɥV6�"�P"j}W!gKfwD52�zF{(1zj,o5Οd2�J�.t֮
Rs>��A �H�1A0!gm �4NDvvB[n3\zsY��0b� ^!�xՌθ�hfVO/N�n3IM gmڳr�bXy
�� 6-�y^Šx!Vy
H�'&t]jh�XҸJd�mH[X)ωZ,rz2�C�*jP��y�w}u �XL»ⲈVuv0~�RI=,V [k-IpM�#7a�w{@�2Jta\飏ji'�� m�(9]b+p�J�a>�(9[�}1�W5n&q٠6j�Sx:0Fը�XCFз��ݥDDm+i�!Hxf�;HNO0��D
B
R�ݛ��(ZbF��:6z�?�jsQ�s��ʒƈ�lfmmIQ*1ֶ�B�ە]�aIJ"%Φ0�%l6��a��T75|G*ń_M�^�f�VܞTk��
A�!1K=�o~{@\p
!q,��Ye-+�փފ> mrF@YbďG���,Q|�6@|0\'��~h;u�M�=<��aDt�Md�:�}GL��ڒ #h,�]@�sH ]XW\AfxO:'�n(Os.}lкbɧtC[�"嘥�
EA��H3B~Z?\�G"CR2O0�枩TH�WdL4�&(qTi�$<79w=LyՌ %��
�5"��|qM*nQmDR,��)��0�0mZ�1;m�9
d�ϊY_j <^r@>LQXj��*�!b3wإ4ϓ �}y>f�_$R��}E���T��&}�fA=bAa~�!~&�R&js#E��-,<
<��lx �Lla`t��.Pu>�'~a2?kt60-F3Ǵ�f;sj��:r�tT�
�b8M4;_x,ȏNmݜ�(�8���$Ѕ:�x,@#!��9ω��ꩡOMݓ>0C(��-Ō��C�UR(�O�ZB�BveX
z( �z�o+�Ͳg2Rq"ÕJR!
`x�ZNRsdhhz?{v@<
LB،\�S;�嘫7;y4ME�Ng7AwEN[-�¶6-�r5�ezןW W?7L=F;�'�mvME`E<2 Wn)�C9>[Ԟpm.4�"ddrx$xG_0�4�We䚽|��A�J*Q^e3DU@�+}q7��&6���(=fԊjm9�Gj|q3�_sv8H/o�
3(?K/?�g��P!_\(3UF9OP)�;�aw3Ƨ�w3�n�|o7]O7>]iV3ʁ?�2zG(Q~ �ewQ�{1W ?W�s�w1~=/=?��/��q
_g�s?}�g?��d�(%�ׇ�����}�}̠-f�f--m�:Iʘ!gk\8=!9(/�R*z�U�K#(g�g��~-2:b�@~~ k+ť$W�
7YKxUy%kkV�[I�2nPkȣ�_yi� V�{HyL�Jab^>c�4pk 7"[y�DY�s$��&}:=W6vl+Jx._[nNJ>s\ȜHǣ�W0'Y iM�%�|,y�M`p2�1'KYʘ�wV/3yK_x>{3+L�w� @9_Ew�MAw�.[CS�/:)7=Mut�nm;yp#^X��o�7-P/#"Is�geǃf.ţu>T�6V:�6�a3[� ÈC/�s
H�i{t�?f:p�|bO}�vH�^7.Z졽Պ쓥->g~3gXV�)pF ;F^a�51z�I?)�hع�j�xcWCtz+=s�~o8��5c[&�Hn�ICU=T*[)WJr=��æ�DD���\�QTY)ȅ*��Y���G
D`Q9#�T�x|D��emګ.�91C=b��hì[^c(wp
E���Х��*˘V͛YɌ�L�E57/��;MoH�����
��1�+1@e^"q0*z1b%a<�/)q��NX6>&m\ʠaC�aoXbkl[��3|vP�3$�X&3(W�!�=7c�U�ޣQ�'M�<:np
r�� L�zZ"#&23VMե{2�\x| "%mr�X]�,L['l�yl*b)mԿ+ӆwr$�8Y$G�~��I�\=q{̪h 8�8�[]^�ʇ�Eݹz,0z.��J�H^% މ�&ag/�k+n Ǵk:::d�#hOn3F ��A���m
�o=h>55~�ɩd�(�6 �k�EF(�d#by}�ܝEm (݅Vo�O�j\lY8=ۚ:l�"u�ݸ3AvK5 D >bH�[
S/�c̈́%u'%лx^�L��.;4m!F26X�q�w�?AhBv 6
�R�Ň%/�su�Lx��#Ä�MYZem%^#%�a�c{ M�>�H+1r^����ɡ=��郧rR��Y`W_CFbW��+&�Vk�*v8w I7�,Nd=:u>��Ɣѐ]Z�W,�1{+0�_i
굯��ESFӾ&}Z��-V+��f�&}#K���^&z��6�Iϐ�Rk�Z!Y����Iwkd]U�7
BÑz��*-
O*H6mkɹR RJv4�jw[�i>Z�Oe��;)n'�_C |�eC[gI2T~kF]*P�=eZQ=�n"85Yz'ޒ{־0� ;C�?Bض|8#eUI:.~mƯ� \*��K@%Gb9G(]!�
MAE~!OG
Ͻe�D$��
�=E/fS�C��>X�읛f�c约1cbV!qd��z�ӧ��7ޓ-[&@#�O*�C�24`(�yc<�D�O`7v��Aq-X`V3&;z@��*1�ue|�nH�KU֧f2{M�:�-з��57b�0[|�e^ÿ�ˍt�&_e%�\#d<�l[� +"���ۂ��K-Ӭ6s։¥"UXJMb��X,8.� sf6[�(@P�7�9�!��u�z��׳{���<=v7�/FM7�eg[$|��_�[0~OY�rvJn�Su�7tlc"�@�:
� >D7#@*|�X^c
�0У,&059G-E6%hw2b5���Ӟ$�_yfȅ�v1,#6��7�Sv1^��@:otO<|�X�ep$z�']f�+FRq�OT|j_\�7�:�,,M㥧/nz�RPBYZR$DM� Rzf}u��uK+_/0d[Wy�&�{sn�5E-X;xdn+:cQEa�e=9*�V[]jv۹�f۲M�)
d.%r�R�[+Rm&
Cfan#nǝlt �n%96L]_�Y�
P�/'*'��
|
Network Security & Hardware 
