On Monday, Microsoft warned all network administrators that a security researcher had published a vulnerability in Microsoft's SQL database software that Microsoft had not yet had time to fix.

Attackers can use this vulnerability to break into websites that rely on Microsoft products to serve dynamic web pages. The vulnerability exists in the following Microsoft products: SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Desktop Engine, SQL Server 2000, and Windows Internal Database.

The security researcher, Bernhard Mueller, is from the "SEC Vulnerability Lab". He said he had already informed Microsoft of the vulnerability back in April of this year, but Microsoft never told him how the fix was progressing, and for that reason he decided to publish the vulnerability.

At least one security company has already put Mueller on its "naughty list".

Eric Schultze, CTO of Shavlik Technologies, said: "Disclosing a vulnerability this way is extremely irresponsible. He should have reported it to Microsoft through the proper channels. This guy, however, did not have enough patience and published the vulnerability before Microsoft released a patch. A so-called security researcher like this, in order to raise his own profile, is willing to risk countless servers being hacked and the public's private information being leaked."

Online criminals have increasingly been targeting legitimate websites and using them to spread malicious code. In the past two weeks, thousands of websites have been hacked by attackers exploiting the Internet Explorer vulnerability that Microsoft had only just patched.

Microsoft has published a temporary workaround for this vulnerability. In addition, Microsoft's newest database products are not affected by it; these include SQL Server 7 SP4, SQL Server 2005 SP3, and SQL Server 2008.

Original:
Microsoft flaw may add to SQL-injection troubles
Published: 2008-12-23

Microsoft warned network and Web administrators on Monday that a security researcher had published an exploit for an unpatched flaw in the company's structured query language (SQL) database software.

The information could allow malicious attackers the ability to compromise Web sites that use Microsoft's software to serve up dynamic Web pages. The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, the company said in an advisory.

The security researcher who discovered the issue and released the flaw, Bernhard Mueller of SEC Consult Vulnerability Lab, stated in an advisory that he had contacted Microsoft in April about the vulnerability but decided to release it after the company failed to update him on its progress in patching the issue.

At least one security firm put Mueller on its "naughty list."

"This is an example of irresponsible disclosure," Eric Schultze, chief technology officer of Shavlik Technologies, said in a statement sent to SecurityFocus. "The person that found (the) issue took the proper steps to report it to Microsoft, however, they grew impatient with Microsoft and decided to release exploit code before Microsoft announced a patch. This so-called security researcher has therefore placed thousands of servers and potentially (an) untold number of person's privately identifiable information at risk for purposes of their own popularity."

Online criminals have increasingly targeted legitimate Web sites as a way to host and spread malicious code. In the past two weeks, thousands of Web sites have been hacked to host an attack taking advantage of a serious flaw in Internet Explorer that Microsoft only recently patched.

Microsoft has posted instructions on how to work around the issue. In addition, the company's latest versions of its database software — including Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 — are not affected by the vulnerability.