Microsoft said that denying permissions on the "sp_replwritetovarbin" extended stored procedure would protect vulnerable systems, and provided instructions on how to do that in the advisory.
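What that workaround looks like in Transact-SQL, as an added example and not the text of Microsoft's advisory: the DENY statement removes the public role's right to execute the extended stored procedure, which lives in the master database, and the two queries after it confirm the permission was actually recorded. Only the procedure name comes from the article; applying the DENY to the public role (the role every database user belongs to, so the DENY reaches any low-privileged login) and the catalog query used for the check are the editor's assumptions about how such a workaround would be applied.

```sql
-- Added example (not from the Microsoft advisory or SEC Consult's disclosure).
-- Extended stored procedures are defined in master, so work there.
-- Assumes a login with permission to change object permissions in master.
USE master;
GO

-- 1. Remove EXECUTE on the procedure from the public role. Because every
--    database user is a member of public, this closes the procedure to
--    ordinary authenticated logins. Note that members of sysadmin are not
--    restricted by DENY.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 2a. Check on SQL Server 2005 and later: list the explicit permissions
--     recorded on the object (class 1 = object or column permissions).
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.objects              AS o  ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND o.name = N'sp_replwritetovarbin';
GO

-- 2b. Equivalent check that also works on SQL Server 2000.
EXEC sp_helprotect 'sp_replwritetovarbin';
GO
```

The verification queries should list an EXECUTE permission on the procedure with a DENY state for public; if nothing is listed, the DENY did not take effect in the database you are connected to. As the "repl" in the name suggests, the procedure is used by SQL Server replication, so on servers that replicate data confirm the replication agents still run after applying the DENY rather than assuming the change is free of side effects.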
Sisk didn't commit the company to a fix, or a timeline for one, but the boilerplate phrasing he used -- "Microsoft will continue to investigate this vulnerability and upon completion of this investigation, will take the appropriate actions" -- typically leads at some point to a patch.
SEC Consult, however, claimed Microsoft completed a fix in September.
The company, which is headquartered in Vienna, went public with the vulnerability on Dec. 9 by publishing information and sample attack code in an advisory on its site, as well as to several security mailing lists, including Bugtraq and Full Disclosure.
In its disclosure, SEC Consult said it had been told by Microsoft in a September e-mail that a patch was finished. "The release schedule for this fix is currently unknown," SEC Consult's advisory read.
The Austrian security firm also included a timeline it said reflected the communications between it and Microsoft. According to that timetable, SEC Consult reported the vulnerability to Microsoft on April 17, 2008, and last heard back from Microsoft on Sept. 29. Four times since then -- on Oct. 14, Oct. 29, Nov. 12, and Nov. 28 -- SEC Consult asked Microsoft for an update on the patch release status, but received no reply.
Microsoft did not immediately respond to questions about SEC Consult's claims, including patch availability and the timeline.
Computerworld is an InfoWorld affiliate.