Microsoft on Monday warned customers that attack code has been released targeting a critical vulnerability in older versions of its widely used SQL Server database software, and urged users to apply a temporary workaround.
The bug was first reported to Microsoft last April by an Austrian security consulting company, SEC Consult. The firm, apparently tired of waiting for Microsoft to decide when, or whether, it would release a patch, disclosed the flaw two weeks ago and published proof-of-concept exploit code.
According to SEC Consult, Microsoft has had a patch ready for nearly three months, but has declined to release it.
In a security advisory issued late Monday, Microsoft said that systems running SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) are affected; an attacker who successfully exploits the flaw can take control of the server.
The bug is in the "sp_replwritetovarbin" SQL Server extended stored procedure.
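The interim workaround Microsoft published is to deny the "public" database role permission to execute that procedure. The following T-SQL, an added example rather than code from the article or from Microsoft's advisory text, applies the workaround and checks it; it assumes the affected server's default state, in which "public" holds EXECUTE on the procedure (the reason the workaround targets that role), and that it is run by a sysadmin in the master database:

```sql
-- Added example (not from the article or from Microsoft's advisory text):
-- apply and verify the interim workaround for the sp_replwritetovarbin bug.
-- The extended stored procedure lives in master on every affected version,
-- so this is run as a sysadmin in the master database.
USE master;
GO

-- Before: list who currently holds EXECUTE on the procedure. Assumption:
-- on an unmodified install the public role holds it, which is what lets a
-- low-privileged login (including one reached through SQL injection) call it.
EXEC sp_helprotect 'sp_replwritetovarbin';
GO

-- Workaround: deny EXECUTE to public. DENY takes precedence over any GRANT
-- a login holds through role membership, so it also covers logins added later.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- After: confirm the DENY is recorded (the ProtectType column reads 'Deny').
EXEC sp_helprotect 'sp_replwritetovarbin';
GO

-- Caveat: members of the sysadmin role bypass permission checks entirely,
-- so the workaround protects against low-privileged logins, not against an
-- attacker who already holds sysadmin.
-- To remove the workaround once a patch is installed:
-- GRANT EXECUTE ON sp_replwritetovarbin TO public;
```

Because sp_helprotect exists on both SQL Server 2000 and 2005, the same script serves as the before-and-after check on every affected version; running the second sp_helprotect after the DENY is the test that the change actually landed on the instance in question.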
Other versions of the popular software, which is used by many Web sites to power their back-end databases, are not affected, however: SQL Server 7.0 Service Pack 4 (SP4), SQL Server 2005 SP3 and SQL Server 2008. That last version, the newest in the line, was released to manufacturing just last August. Since SQL Server 2005 SP3 is immune, users of that version can close the hole by installing the service pack rather than relying on the workaround.
As it often does, Microsoft downplayed the threat even as it issued the advisory. "We are aware that exploit code has been published on the Internet," said Bill Sisk, a company spokesman, in an e-mail Monday. "However, we are not aware of any attacks attempting to use the reported vulnerability."
Exploiting the bug requires the ability to run queries against the database, which an attacker can obtain remotely, Sisk acknowledged, by mounting a SQL injection attack against a vulnerable Web application that uses the server as its back end.
Successful SQL injection attacks are hardly rare; hackers have managed to compromise huge numbers of sites, even prominent commercial domains, using such attacks. Several thousand legitimate sites, for example, were hacked via SQL injection attacks in the last few weeks by criminals who then planted rogue code on their pages and attacked visitors running Internet Explorer (IE). Microsoft plugged the IE hole last Wednesday with the second emergency patch in a two-month span.