Users of some versions of Protegrity Inc.s database encryption technology, Secure.Data for Microsoft Corp.s SQL Server 2000, need to patch their systems.
The Stamford, Conn., company late last month put out a patch to cover three buffer-overflow vulnerabilities in Secure.Datas XPs (extended stored procedures)—procedures that are used to do encryption and decryption on databases. XPs are native database hooks, the code for which is written by Protegrity.
According to a CERT Coordination Center report, the vulnerability would allow nonprivileged users to gain administrative access to the database and cause a denial-of-service attack.
Protegrity has tested not only the reported vulnerabilities in releases 2.2.2 and 2.2.3 of Secure.Data but also all code, officials said. All current customers have been informed about the vulnerability. Officials said that no customers have reported security breaks.
In light of vulnerabilities found recently in other security software, such as those in the Snort open-source network intrusion detection system and the Sendmail Mail Transfer Agent, analyst Pete Lindstrom, of Spire Security LLC, was not surprised by the Protegrity news. However, flaws in software such as Protegritys could be harrowing, he said.
"Its potentially more significant, depending on the nature of the attack and the type of product," said Lindstrom, in Malvern, Pa. "Protegrity has a key-management system. If someone can gain access to keys, it would be of more concern than if it were a firewall or an intrusion detection system, relatively speaking."