Re: Public announcements of SQL Security Vulnerabilities
From: BP Margolin (bpmargo@attglobal.net)
Date: 07/27/02
From: "BP Margolin" <bpmargo@attglobal.net> Date: Sat, 27 Jul 2002 00:07:36 -0400
Chris,
What are the alternatives? That Microsoft not offer a security patch and
make an announcement about it?
All that Microsoft can do is control Microsoft (alright, I know I'm inviting
cheap shots here).
If someone else posts code to exploit the vulnerability, on a non-Microsoft
Web site, what can Microsoft do to prevent that?
Or perhaps I've misunderstood your question :-)
-------------------------------------------
BP Margolin
Please reply only to the newsgroups.
When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
can be cut and pasted into Query Analyzer is appreciated.
"Chris Wood" <chris.wood@gov.ab.ca> wrote in message
news:ewvRgCPNCHA.1696@tkmsftngp09...
> Hi,
>
> I would like some comments from my peers on a current situation.
>
> Somebody finds a security problem in MS SQL Server and informs Microsoft.
> Microsoft come out with a patch and announce it here, among other places
> too, with some details, severity level and a thank you to the company or
> individual who found the vulnerability. Next, sometimes within hours, a
> means to exploit the vulnerability is posted to a security web site giving
> much more detail and in some cases code to test out the exploit.
>
> Whilst I feel it is helpful, because I can now fully understand the
> vulnerability, it is putting some pressure on me to make a hasty decision
> about implementing the security patch. It can give little time for testing
> any SQL application, that might be affected, before it MUST be implemented
> in the Production environment.
>
> Does anyone have any comments to add?
>
> Thanks
>
> Chris Wood
> Alberta Department of Energy
> CANADA
>
>