Thursday, December 25, 2008

Our Worms & Exploits blog made the news for "An SQL Server Zero-Day Exploit In Time For Christmas"

Security Pro News has published a news story titled "An SQL Server Zero-Day Exploit In Time For Christmas". Here is the news on the Worms & Exploits blog.

*****NEWS SNIPPET*****

Worms and Exploits doesn't make it sound all that difficult though:

"This could be exploited by sending a payload with specially crafted values which could result in a memory corruption, and then this could be exploited to execute arbitrary code with the privileges of the current user. But authentication is required to exploit this vulnerability; it is also exploitable via SQL injection, by using the authentication credentials of the vulnerable web application. A proof-of-concept is already publicly available at places for this vulnerability."

The author offers some workarounds, though.

Microsoft offers this reassurance as well: "…due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack."

*****SNIPPET ENDS*****

Contact us for anything & everything.

- EF
