Microsoft Raises Alarm Over SQL Server Flaw
In a Monday security bulletin, Microsoft said the flaw affects SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon).
Systems running SQL Server 2008, SQL Server 7.0 Service Pack 4 and SQL Server 2005 Service Pack 3 aren't affected, according to Microsoft.
Security researcher Bernhard Mueller of SEC Consulting published details of the SQL Server flaw on Dec. 9, after initially notifying Microsoft of the vulnerability in April.
According to SEC Consulting's advisory, Microsoft claimed to have developed a fix for the issue in September, but didn't offer details on when it would be released.
Mueller's last contact with Microsoft was Sept. 29, and the researcher made three additional attempts to contact the company before going public with the exploit. Microsoft didn't include a fix for the SQL Server flaw in its most recent Patch Tuesday release on Dec. 9.
Microsoft said in the bulletin that it's aware that exploit code for the vulnerability is circulating online, but isn't aware of any active exploits. Microsoft is continuing to investigate, and is advising customers to disable the "sp_replwritetovarbin" procedure as a workaround.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process or an out-of-cycle security update, depending on customer needs," Microsoft said in the bulletin.