Microsoft Fails To Patch SQL Server Password Exploit, What’s New…
News of the latest Microsoft Corporation (NasdaqGS: MSFT) SQL Server security ball drop… This time, Sentrigo, a security vulnerability company and publisher of Hedgehog (an outstanding product, by the way), has discovered an exploitable flaw in the way the crufty SQL Server handles passwords in its process memory. But wait, there’s more! Microsoft’s failure to supply an appropriate patch has apparently forced Sentrigo to go forth and release their own workaround. Astonishing. More information, and a short snippet of fascinating prose, appears after the jump.
From DarkReading’s Tim Wilson: “SQL Vulnerability Leaves Passwords In The Clear, Researchers Say”
“With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw…”
“A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today. Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says. The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says. The flaw may not directly affect the data in the database, since an administrator would have access to that data already, Slavik says. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users’ work or personal accounts…”
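Since the flaw, as described above, is only reachable by a login holding administrative privileges, the first thing a DBA will want is an inventory of who actually holds those privileges and which logins authenticate with a SQL Server password at all. The T-SQL below is an added example written for this post; it is not from the DarkReading article, from Sentrigo, or from Microsoft. It assumes the SQL Server 2005 and later catalog views (`sys.server_role_members`, `sys.server_principals`, `sys.sql_logins`), and falls back to the stored procedure that also exists on SQL Server 2000.

```sql
-- Added example (not from the article): inventory sysadmin membership and
-- password-based logins on a SQL Server 2005+ instance. Run as a login that
-- can read the server-level catalog views.

-- 1. Every login that is a member of the sysadmin fixed server role.
--    Each of these is in scope for the "administrator can read passwords
--    from process memory" issue, so the list should be as short as possible.
SELECT
    r.name          AS server_role,
    m.name          AS member_login,
    m.type_desc     AS login_type,     -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
    m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Logins that authenticate with a SQL Server password (as opposed to
--    Windows authentication). These are the credentials that the article
--    says end up readable; password reuse elsewhere is the real exposure.
SELECT
    name,
    is_disabled,
    is_policy_checked,        -- Windows password policy enforced for this login
    is_expiration_checked     -- password expiration enforced for this login
FROM sys.sql_logins
ORDER BY name;

-- 3. SQL Server 2000 has none of the views above; the equivalent membership
--    listing there is the stored procedure, which still works on 2005/2008.
EXEC sp_helpsrvrolemember 'sysadmin';
```

The practical use of the output is the mitigation the article implies rather than states: trim sysadmin membership to the accounts that need it, prefer Windows authentication over SQL logins where possible, and treat any SQL login password found here as one that must not be reused for other systems.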

Sep 4th, 2009 at 14:36
Microsoft Fails To Patch SQL Server Password Exploit, What’s New… http://bit.ly/13isVi
Sep 4th, 2009 at 23:21
DAMN IT: Such a NON-issue. This SQL Server ‘exploit’ is like worrying that robbers in home can see TIVO history. http://bit.ly/j0Pdq