Re: Public announcements of SQL Security Vulnerabilities

From: Hal (Hal_Berenson@despammed.com)
Date: 08/01/02


From: "Hal" <Hal_Berenson@despammed.com>
Date: Thu, 1 Aug 2002 10:19:56 -0700


Neil has it right. The way this mostly works is as
follows:

- Hacker X finds a security problem in your product.
They send email saying that they will publish the exploit
in some ridiculously short time like 48 hours. You send
developers off to find/fix the problem and you send
someone else to talk to the hacker and try to convince
him (or her) to give you more time before going public.
Usually you get a little more time, but not a lot of time.

- You generate the fix and as soon as it's out there the
Hacker goes public with the exploit.

Now I think that's irresponsible on their part, but
that's the current culture. I would rather not see the
exploits published, and if they are then it should be at
least a week after the fix was made available. I don't
recall hackers of the 70s publishing the exploits. I
think we were a far more responsible bunch (and the term
had generally positive connotations at the time).

Now, of course, the best way to address this problem is
for the SQL Server group to find and close these holes
before the hackers have a chance to exploit them. They're
working on that.

Hal

Ps: If I were a customer whose system was compromised
because of the published exploit I'd certainly consider
having my lawyers explore every avenue for taking it out
of the hacker's hide. That's not easy, but I think they
get too much of a free ride right now. The lack of
personal consequences encourages them to be irresponsible.

>-----Original Message-----
> Chris - all you can do is thank your lucky stars that in most instances, the
> people that find these exploits do allow MS to develop and publish a fix before
> they post the exploit for everyone to see/use. MS can't stop them publishing
> the information.
>
>> I would like some comments from my peers on a current situation.
>>
>> Somebody finds a security problem in MS SQL Server and informs Microsoft.
>> Microsoft come out with a patch and announce it here, among other places
>> too, with some details, severity level and a thank you to the company or
>> individual who found the vulnerability. Next, sometimes within hours, a
>> means to exploit the vulnerability is posted to a security web site giving
>> much more detail and in some cases code to test out the exploit.
>>
>> Whilst I feel it is helpful, because I can now fully understand the
>> vulnerability, it is putting some pressure on me to make a hasty decision
>> about implementing the security patch. It can give little time for testing
>> any SQL application, that might be affected, before it MUST be implemented
>> in the Production environment.
>>
>> Does anyone have any comments to add?
>
> Neil Pike MVP/MCSE. Protech Computing Ltd
> Reply here - no email
> SQL FAQ (484 entries) see
> http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
> (faqxxx.zip in lib 7)
> or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
> or www.sqlserverfaq.com
> or www.mssqlserver.com/faq
