RE: MSDE contained in...

From: JP Vossen (JP@counterpane.com)
Date: 01/31/03


From: JP Vossen <JP@counterpane.com>
To: Tina Bird <tbird@precision-guesswork.com>, incidents@securityfocus.com, intrusions@incidents.org, Ced Bennett <Ced.Bennett@Stanford.edu>, tmd@Stanford.edu, David Hoffman <hoffman@Stanford.edu>, eric.nakagawa@Stanford.edu, mnewton@Stanford.edu, tsg@shmoo.com, tbird65@Stanford.edu
Date: Thu, 30 Jan 2003 16:56:14 -0800


In case you've not seen this:

SQL Security Scanner from MS

http://microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en

SQL Server 2000 Security Tools

SQL Server 2000 security tools are used to scan instances of SQL Server and detect security vulnerabilities, and then apply updates to the affected files.

Quick Info

Download Size: 5 KB - 11352 KB
Date Published: 1/30/2003

Version: 8.00.0194

Overview

SQL Scan:
Originally released: January 29, 2003
NOTE: This tool is under continuing development. Future versions will be released in the very near future. The next version will contain functionality to differentiate MSDE instances.

SQL Scan (Sqlscan.exe) scans an individual computer, a Windows domain, or a range of IP addresses for instances of SQL Server 2000 and MSDE 2000, and identifies instances that may be vulnerable to the Slammer worm. SQL Scan runs on computers running Windows 2000 or higher and can identify instances running on Windows NT 4.0, Windows 2000, or Windows XP.

Instances of SQL Server 2000 with Service Pack 2 (SP2) and security patch MS02-039, MS02-043, MS02-056, or MS02-061, or instances with SP3 or later, are not vulnerable. Computers running SQL Server 7.0 and earlier are not vulnerable.

SQL Scan does not locate instances of SQL Server that are running on Windows 98 or Windows ME. SQL Scan does not detect instances of SQL Server that were started from the command prompt.

NOTE: Shutdown of an infected SQL Server instance may not complete successfully. You may need to use system management tools to terminate an infected process.

[...]

__________________________________________
JP Vossen, CISSP
Counterpane Internet Security: Integration Manager
jp@counterpane.com
PGP: 4A66 F380 061B ED7E 2D5B 68B0 48C7 9B0E C1ED E7FA
Work: 610-409-2765 Cell: 610-812-0930 (TZ: -0500 [EST5EDT])

> -----Original Message-----
> From: Tina Bird [mailto:tbird@precision-guesswork.com]
> Sent: Monday, January 27, 2003 11:12 PM
> To: incidents@securityfocus.com; intrusions@incidents.org;
> Ced Bennett;
> tmd@Stanford.edu; David Hoffman; eric.nakagawa@Stanford.edu;
> mnewton@Stanford.edu; tsg@shmoo.com; tbird65@Stanford.edu;
> list-ni@counterpane.com
> Subject: MSDE contained in...
>
>
> Chalk this all up to "things I wish I didn't know": I've been amused and
> skeptical at the list of applications people have claimed include MSDE,
> that are therefore vulnerable to SQL Slammer. In particular, I had a hard
> time believing that Visio used it. Heck, I've got Visio, and I'm pretty
> sure it doesn't open any network connections.
>
> So I prowled around the Web, and found this:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/visio/Visio2002/maintain/vis_msde.asp
>
> MSDE is integrated with these Microsoft applications:
>
> Microsoft Visio 2000 Enterprise Edition AutoDiscovery & Layout (AD&L) solution
> AD&L solution from Microsoft Visio Enterprise Network Tools 2002
> Microsoft SharePoint Team Services (a Microsoft FrontPage Server Extensions 2002 companion product)
> Microsoft Project Central (a Microsoft Project 2000 companion product)
> Microsoft Application Center
>
> The following products ship MSDE on their product CD and can use MSDE as a
> database:
>
> Microsoft Access
> Microsoft Office 2000
> Microsoft Visual Studio 6.0
>
> --> Bleh. I stand corrected.
>
> tbird
>
> -- 
> I, on the other hand, do not work. I enjoy the slothful life of an artist,
> and while away the hours in meaningless aesthetic pursuits punctuated by
> bouts of hedonistic debauchery and an occasional nap.
>                                               -- David Rinehart
> http://www.shmoo.com/~tbird
> Log Analysis http://www.loganalysis.org
> VPN http://vpn.shmoo.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
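The SQL Scan tool quoted in JP's mail works from the Windows side (it needs Windows 2000 or later and misses instances started from a command prompt). The following is an added example, not code from the original mail, from the thread's authors, or from Microsoft's tool. It takes the complementary inventory approach a defender can use for the MSDE instances Tina lists: ask the SQL Server Resolution Service on UDP 1434 (the same service Slammer targets) to announce the instances on a host, parse the answer, and apply the rule quoted from Microsoft's page (SQL Server 7.0 and earlier not vulnerable; SQL Server 2000 safe at SP3 or later, or at SP2 with MS02-039, MS02-043, MS02-056 or MS02-061). The response layout (0x05, 16-bit length, ';'-separated pairs with ';;' between instance records), the build numbers 8.00.636 for the SP2 + MS02-039 hotfix and 8.00.760 for SP3, and the sample reply with its host and instance names are my assumptions and constructed values, not taken from the page.

```python
"""Inventory SQL Server 2000 / MSDE instances via the SQL Server Resolution
Service (UDP 1434) and flag engine builds that predate the Slammer fixes.

Added example for this thread; not part of Microsoft's SQL Scan tool.
Build numbers, response layout and sample data are assumptions / constructed.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSRP_PORT = 1434
# SSRP CLNT_BCAST_EX: a single 0x02 byte asks every instance on the host to
# announce itself (assumed layout, per the MC-SQLR protocol description).
CLNT_BCAST_EX = b"\x02"

# Assumed build numbers (not on the page): 8.00.636 is the SP2 + MS02-039
# hotfix build, the first carrying the fix; MS02-043/056/061 and SP3
# (8.00.760) are later cumulative builds, so "build >= 636" covers the
# whole list quoted in the mail.
FIRST_FIXED_BUILD = 636


@dataclass
class SqlInstance:
    server: str
    instance: str
    version: str            # engine build as reported, e.g. "8.00.194"
    tcp_port: Optional[int]
    is_clustered: bool


def parse_ssrp_response(raw: bytes) -> List[SqlInstance]:
    """Decode an SSRP SVR_RESP: 0x05, 16-bit little-endian length, then
    ';'-separated key/value pairs, one instance record per ';;' terminator."""
    if len(raw) < 3 or raw[0] != 0x05:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(raw[1:3], "little")
    body = raw[3:3 + length].decode("ascii", errors="replace")
    instances: List[SqlInstance] = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))
        if "ServerName" not in kv:
            continue                      # trailing empty record or junk
        port = kv.get("tcp", "")
        instances.append(SqlInstance(
            server=kv["ServerName"],
            instance=kv.get("InstanceName", ""),
            version=kv.get("Version", ""),
            tcp_port=int(port) if port.isdigit() else None,
            is_clustered=kv.get("IsClustered", "No") == "Yes",
        ))
    return instances


def classify(inst: SqlInstance) -> str:
    """Apply the rule quoted in the mail: SQL Server 7.0 and earlier are not
    vulnerable; SQL Server 2000 is safe at SP3 or SP2 + MS02-039/043/056/061."""
    parts = inst.version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return "unknown"
    major, _minor, build = (int(p) for p in parts)
    if major < 8:
        return "not vulnerable"           # SQL Server 7.0 and earlier
    if major > 8:
        return "unknown"                  # not SQL Server 2000; page is silent
    return "not vulnerable" if build >= FIRST_FIXED_BUILD else "possibly vulnerable"


def assess(raw: bytes) -> List[Tuple[str, str, str, str]]:
    """(server, instance, version, verdict) for every instance in one reply."""
    return [(i.server, i.instance, i.version, classify(i))
            for i in parse_ssrp_response(raw)]


def probe(host: str, timeout: float = 2.0) -> bytes:
    """Send one browse request to host:1434 and return the raw reply.
    Network step; the offline demo below uses a constructed reply instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_BCAST_EX, (host, SSRP_PORT))
        data, _addr = s.recvfrom(65535)
    return data


def _build_response(body: bytes) -> bytes:
    return b"\x05" + len(body).to_bytes(2, "little") + body


# Constructed sample reply (host and instance names are made up): one host
# running an RTM-level MSDE instance next to an SP3-level named instance.
SAMPLE_RESPONSE = _build_response(
    b"ServerName;VISIO-WS;InstanceName;MSDE;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;;"
    b"ServerName;VISIO-WS;InstanceName;PATCHED;IsClustered;No;"
    b"Version;8.00.760;np;\\\\VISIO-WS\\pipe\\MSSQL$PATCHED\\sql\\query;;"
)

if __name__ == "__main__":
    for server, instance, version, verdict in assess(SAMPLE_RESPONSE):
        print(f"{server}\\{instance:<10} {version:<10} {verdict}")
```

The verdict rests entirely on the build the instance reports about itself, and a host whose browse service is stopped or filtered simply does not answer, so silence is an "unknown", not a clean result. Because the fix builds are cumulative, an SP2 instance carrying a later hotfix than MS02-039 is counted as patched, which matches the list quoted from Microsoft's page.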

