Re: Public announcements of SQL Security Vulnerabilities
From: Neil Pike (neilpike@compuserve.com)
Date: 07/28/02
- In reply to: Chris Wood: "Public announcements of SQL Security Vulnerabilities"
Date: Sun, 28 Jul 2002 18:24:16 +0100 From: Neil Pike <neilpike@compuserve.com>
Chris - all you can do is thank your lucky stars that in most instances, the
people that find these exploits do allow MS to develop and publish a fix before
they post the exploit for everyone to see/use. MS can't stop them publishing
the information.
> I would like some comments from my peers on a current situation.
>
> Somebody finds a security problem in MS SQL Server and informs Microsoft.
> Microsoft come out with a patch and announce it here, among other places
> too, with some details, severity level and a thank you to the company or
> individual who found the vulnerability. Next, sometimes within hours, a
> means to exploit the vulnerability is posted to a security web site giving
> much more detail and in some cases code to test out the exploit.
>
> Whilst I feel it is helpful, because I can now fully understand the
> vulnerability, it is putting some pressure on me to make a hasty decision
> about implementing the security patch. It can give little time for testing
> any SQL application, that might be affected, before it MUST be implemented
> in the Production environment.
>
> Does anyone have any comments to add?
Neil Pike MVP/MCSE. Protech Computing Ltd
Reply here - no email
SQL FAQ (484 entries) see
http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
(faqxxx.zip in lib 7)
or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
or www.sqlserverfaq.com
or www.mssqlserver.com/faq