December isn’t turning out to be a great month for Microsoft security — unless you’re a hacker.
Late Monday, Microsoft issued an advisory warning of a new zero-day vulnerability in its SQL Server database application. The warning is the second zero-day vulnerability alert from Microsoft (NASDAQ: MSFT) this month.
The vulnerability could allow remote code execution on affected servers, leaving users at risk. It is not easily exploitable, however, because the attacker must already have access to the host system.
“To successfully exploit this vulnerability, an attacker must be a local, or remote, authenticated user on the system,” Bill Sisk, security response communications manager for Microsoft, said in a statement. “However, if an attacker has already compromised a Web server via SQL injection, they could exploit this vulnerability as an unauthenticated user.”
The new zero-day SQL flaw is also limited in scope, as it doesn’t affect all currently supported versions of Microsoft’s SQL Server. According to Microsoft, the vulnerable versions are: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Microsoft SQL Server 7.0 Service Pack 4 and the more recent Microsoft SQL Server 2008 are not at risk.
Microsoft noted in its advisory that it is aware that exploit code has been published on the Internet for the SQL vulnerability. However, the company added that it currently is not aware of active attacks that use the code.
The actual threat stems from an invalid parameter check inside a Microsoft SQL extended stored procedure called “sp_replwritetovarbin”.
According to a blog post from Patrick Nolan, a handler at the Internet Storm Center, the SQL vulnerability was originally reported to Microsoft in April.