
SQL Vulnerabilities Dec 22 2008

addicted042901
Level 2

Hola,

 

On Dec 22 Microsoft issued an advisory concerning SQL. I am running BE 11D and 12.0. Both use SQL Express. I was wondering if Symantec has any security patches available or if I need to be concerned. The advisory read as follows.

 

 

Security vulnerabilities involving SQLServer 2000/2005 and MSDE 2000 -- advisory posted by Microsoft late yesterday

 

Microsoft has said that they are aware that a new security exploit for SQLServer has been posted on the Internet which allows arbitrary code execution by authenticated remote connections by misusing a built-in stored procedure.

 

Microsoft does not yet have an update/patch.  The current 'fix' is to deny permissions on the extended stored procedure "sp_replwritetovarbin"  (via 'deny execute on sp_replwritetovarbin to public').

 

We believe the major risks to Yale servers w/ SQLSERVER (and MSDE) exist where end users have accounts and passwords on SQLServer databases (or native NT authentication is allowed for SQLSERVER login) AND use SQL query level access. I've appended Microsoft's advisory section on the major impact of their workaround recommendation.

 

The exposure to risk is mitigated by:

 

*       This issue does not affect supported editions of Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.

*       Only apparently affected are SQL Server 2000, 2005 and MSDE 2000 (plus Windows Internal Database SP2 / WYukon). Hopefully we've upgraded from these in the data center and are running few or none of them.

*       Anonymous sessions are not a threat -- valid user accounts and passwords must be used to connect.

*       We do not allow SQLSERVER protocol access remotely from the Internet -- but we do in many cases allow SQLserver access to our database servers (some are allowed access from campus, others from a restricted list of webserver and/or workstations).

  

Details:

 

Affected Software:

 

*       Microsoft SQL Server 2000 Service Pack 4
*       Microsoft SQL Server 2000 Itanium-based Edition Service Pack 4
*       Microsoft SQL Server 2005 Service Pack 2
*       Microsoft SQL Server 2005 x64 Edition Service Pack 2
*       Microsoft SQL Server 2005 with SP2 for Itanium-based Systems
*       Microsoft SQL Server 2005 Express Edition Service Pack 2
*       Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2
*       Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4
*       Microsoft SQL Server 2000 Desktop Engine (WMSDE)
*       Windows Internal Database (WYukon) Service Pack 2

 

Non-Affected Software:

 

*       Microsoft SQL Server 7.0 Service Pack 4
*       Microsoft SQL Server 2005 Service Pack 3
*       Microsoft SQL Server 2005 x64 Edition Service Pack 3
*       Microsoft SQL Server 2005 with SP3 for Itanium-based Systems
*       Microsoft SQL Server 2008
*       Microsoft SQL Server 2008 x64 Edition
*       Microsoft SQL Server 2008 for Itanium-based Systems

  

Impact of Workaround:

 

Disabling the sp_replwritetovarbin extended stored procedure prevents updates to subscription tables by all users.

 

The impact of this workaround only affects customers that use transactional replication with updatable subscriptions.

 

Customers using transactional replication with read-only subscriptions, bi-directional transactional replication, or peer-to-peer transactional replication are not impacted.

 

For more information on transactional replication with updatable subscriptions, see MSDN.

 

Add'l Details:

  

There is a newly disclosed vulnerability in SQL Server and MSDE which has the potential to be a serious zero-day attack vector against SQLServer database servers on campus networks via remote connections as well as via exploitation of SQL injection on websites.

 

A successful exploit can provide remote code execution -- it normally required an authenticated login (a SQL injection attack on a website will normally also be an authenticated session).

 

An update is not yet available -- the workaround is to disable the sp_replwritetovarbin stored procedure.

 

Microsoft has posted an advisory warning of exploit code posted on the Internet with some additional information (the versions of SQLServer vulnerable and not as well as other mitigating factors) at:

       

 
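Added example, not part of the original post or of Microsoft's advisory: a T-SQL script that reports the instance build, lists the permissions recorded on sp_replwritetovarbin, and applies the DENY workaround quoted above only if public is not already denied. It assumes SQL Server 2005 (including the Express edition), where the sys.* catalog views exist, and a login allowed to change permissions in master.

```sql
-- Added example: audit and apply the sp_replwritetovarbin workaround.
-- Assumption: SQL Server 2005 / 2005 Express. SQL Server 2000 and MSDE 2000
-- do not have the sys.* catalog views used in steps 2 and 3.
USE master;
GO

-- 1. Report the build, to compare against the affected and non-affected lists
--    (for example, 2005 SP2 is listed as affected and 2005 SP3 is not).
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. List every permission currently recorded on the procedure.
--    state_desc is GRANT or DENY; the grantee of interest is public.
SELECT pr.name AS grantee,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.all_objects          AS o  ON o.object_id     = dp.major_id
WHERE dp.class = 1                       -- object-level permissions
  AND o.name   = 'sp_replwritetovarbin';

-- 3. Apply the workaround only when public is not already denied EXECUTE,
--    so the script can be re-run safely on every instance.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_permissions AS dp
    JOIN sys.all_objects          AS o ON o.object_id = dp.major_id
    WHERE dp.class = 1
      AND o.name   = 'sp_replwritetovarbin'
      AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
      AND dp.permission_name      = 'EXECUTE'
      AND dp.state                = 'D'  -- D = DENY
)
BEGIN
    DENY EXECUTE ON sp_replwritetovarbin TO public;
    PRINT 'DENY EXECUTE on sp_replwritetovarbin applied to public.';
END
ELSE
    PRINT 'public is already denied EXECUTE on sp_replwritetovarbin.';
GO
```

Re-running the step 2 query afterwards should show a DENY row for public. As the advisory text above notes, the deny stops updates to subscription tables where transactional replication with updatable subscriptions is in use.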