Re: Public announcements of SQL Security Vulnerabilities
From: Chris Wood (chris.wood@gov.ab.ca)
Date: 07/29/02
- Next message: Andy Ally: "SSL"
- Previous message: Nandu Gupta: "SQL Data File security ?????"
- In reply to: BP Margolin: "Re: Public announcements of SQL Security Vulnerabilities"
- Next in thread: Ernest DeVore: "Re: Public announcements of SQL Security Vulnerabilities"
- Reply: Ernest DeVore: "Re: Public announcements of SQL Security Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Chris Wood" <chris.wood@gov.ab.ca> Date: Mon, 29 Jul 2002 08:58:57 -0600
BP,
What I am questioning is that the exploit script appears so early after the
fix is issued. Is a few hours an ethical amount of time? Remember that the
internet is always on, and a fix and exploit code could be published after we
finish work and before we start again the following day, or even over a
weekend.
The current set of comments all seem to think that we should thank our lucky
stars that the exploit code does not appear before the bug is fixed.
Chris
"BP Margolin" <bpmargo@attglobal.net> wrote in message
news:#dJ0FLSNCHA.2604@tkmsftngp11...
> Chris,
>
> What are the alternatives? That Microsoft not offer a security patch and
> make an announcement about it?
>
> All that Microsoft can do is control Microsoft (alright, I know I'm inviting
> cheap shots here).
>
> If someone else posts code to exploit the vulnerability, on a non-Microsoft
> Web site, what can Microsoft do to prevent that?
>
> Or perhaps I've misunderstood your question :-)
>
> -------------------------------------------
> BP Margolin
> Please reply only to the newsgroups.
> When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
> can be cut and pasted into Query Analyzer is appreciated.
>
> "Chris Wood" <chris.wood@gov.ab.ca> wrote in message
> news:ewvRgCPNCHA.1696@tkmsftngp09...
> > Hi,
> >
> > I would like some comments from my peers on a current situation.
> >
> > Somebody finds a security problem in MS SQL Server and informs Microsoft.
> > Microsoft come out with a patch and announce it here, among other places
> > too, with some details, severity level and a thank you to the company or
> > individual who found the vulnerability. Next, sometimes within hours, a
> > means to exploit the vulnerability is posted to a security web site giving
> > much more detail and in some cases code to test out the exploit.
> >
> > Whilst I feel it is helpful, because I can now fully understand the
> > vulnerability, it is putting some pressure on me to make a hasty decision
> > about implementing the security patch. It can give little time for testing
> > any SQL application, that might be affected, before it MUST be implemented
> > in the Production environment.
> >
> > Does anyone have any comments to add?
> >
> > Thanks
> >
> > Chris Wood
> > Alberta Department of Energy
> > CANADA
> >
> >
>
>