From InfoWorld: Microsoft on Monday warned customers that attack code has been released for a critical vulnerability in older versions of its widely used SQL Server database software, and urged them to apply a temporary workaround until a patch is available.
The bug was first reported to Microsoft last April by SEC Consult, an Austrian security consulting company. The firm apparently grew tired of waiting for Microsoft to decide when, or whether, it would release a patch; two weeks ago it disclosed the flaw and published proof-of-concept exploit code.
According to SEC Consult, Microsoft has had a patch ready for nearly three months, but has declined to release it.
In a security advisory issued late Monday, Microsoft said the vulnerability affects systems running SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon), and that a successful exploit would let an attacker take control of the server.
The bug is in the "sp_replwritetovarbin" SQL Server extended stored procedure.
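The article does not spell out the workaround. The one Microsoft's advisory recommended is to deny the public role execute permission on the procedure, which is callable by any login by default. The T-SQL below is an added example, not code from the article, SEC Consult or Microsoft; it applies that deny in the master database, where the extended stored procedure lives, and then checks that the permission is in place. It assumes a sysadmin connection and, for the catalog-view check, SQL Server 2005 or later.

```sql
-- Added example: the advisory's stopgap mitigation for sp_replwritetovarbin,
-- plus a check that it took effect. Run as sysadmin until the patch is applied.
USE master;
GO

-- Remove execute rights from public so ordinary logins can no longer reach
-- the vulnerable procedure. Members of sysadmin bypass permission checks, so
-- replication agents running in that context are not blocked by the DENY.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- Verify on SQL Server 2005 / 2005 Express / WYukon: expect a row with
-- state_desc = 'DENY', permission_name = 'EXECUTE', grantee = 'public'.
SELECT  dp.state_desc,
        dp.permission_name,
        pr.name AS grantee
FROM    sys.database_permissions AS dp
JOIN    sys.database_principals AS pr
        ON dp.grantee_principal_id = pr.principal_id
WHERE   dp.class = 1                                  -- object-level permission
  AND   dp.major_id = OBJECT_ID('dbo.sp_replwritetovarbin');
GO

-- SQL Server 2000 / MSDE 2000 / WMSDE have no sys.database_permissions;
-- use the legacy report there and look for a Deny row on Execute for public.
EXEC sp_helprotect @name = 'sp_replwritetovarbin';
GO
```

The deny only narrows who may call the procedure; it does not remove the flaw, so it is a holding measure until Microsoft's fix ships. Re-run the check after any restore of master or any script that re-grants permissions, since those can silently undo the workaround.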
View: Article @ Source Site