Public announcements of SQL Security Vulnerabilities

From: "Chris Wood" <chris.wood@gov.ab.ca>
Date: Fri, 26 Jul 2002 16:06:52 -0600


Hi,

I would like some comments from my peers on a current situation.

Somebody finds a security problem in MS SQL Server and informs Microsoft.
Microsoft come out with a patch and announce it here, among other places
too, with some details, severity level and a thank you to the company or
individual who found the vulnerability. Next, sometimes within hours, a
means to exploit the vulnerability is posted to a security web site giving
much more detail and in some cases code to test out the exploit.

Whilst I feel it is helpful, because I can now fully understand the
vulnerability, it is putting some pressure on me to make a hasty decision
about implementing the security patch. It can give little time for testing
any SQL application that might be affected before it MUST be implemented
in the Production environment.

Does anyone have any comments to add?

Thanks

Chris Wood
Alberta Department of Energy
CANADA


