Microsoft Recently released SP3 for Production, Just today I came across one new vulnerablity like IE6. Let see some info about SP3 first and about the threat to SQL Server..
Some Info about SP3:
1. November 2008 update of SQL Server Books Online has updates of SP3.
2. The 32-bit version of SP3 can be used to update 32-bit instances that run in Windows-on-Windows 64 (WOW64) x86 emulation mode on a 64-bit system. The 32-bit version will not upgrade any components of a 64-bit instance of SQL Server 2005. To upgrade all components of a 64-bit instance of SQL Server 2005, use the 64-bit version of SP3.
3. 3 Type of Packages available for download as x86, IA64, x64.
4. SQL Server 2005 SP3 will upgrade all editions of SQL Server 2005 to SP3 except Express Edition.
5. As Many as 519 Bugs where fixed noted after SP2 are fixed in SP3.
Release Notes [Important]:
http://download.microsoft.com/download/5/7/1/5718A94A-3931-457B-8567-AA0995E34870/ReleaseNotesSQL2005SP3.htm
List of the bugs that are fixed in SQL Server 2005 Service Pack 3:
http://support.microsoft.com/?kbid=955706
Download Link:
http://go.microsoft.com/fwlink/?LinkId=130243
Now info about new threat for SQL Server:
This vulnerability could leave numerous versions of the database software vulnerable to cyberattack.
Microsoft (NSDQ: MSFT) has confirmed the existence of a new and potentially serious security threat to users of its SQL Server database software.
"Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory," the company said in a bulletin published Monday.
The threat is essentially software code that hackers could use to access or alter corporate databases built with SQL Server. The malicious code could allow what's known in IT security as remote code execution, a process by which hackers could, for instance, alter figures in a bank account without ever setting foot on the bank's premises.
Microsoft said SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine, and Windows Internal Database (WYukon) are all potentially vulnerable to the threat. It added, however, that it's not aware of any attacks having actually been carried out.
The threat does not affect SQL Server 7.0 Service Pack 4, SQL Server 2005 Service Pack 3, or SQL Server 2008, Microsoft said.
"This vulnerability is not exposed anonymously. An attacker would need to either authenticate to exploit the vulnerability or take advantage of a SQL injection vulnerability in a Web application that is able to authenticate," Microsoft noted in its security bulletin.
Microsoft said it's continuing to investigate the problem and will issue a security patch if necessary -- either as a special download or as part of its regular monthly security update cycle.
In the meantime, Microsoft is urging customers who believe they've been targeted by hackers using the vulnerability to contact Microsoft customer service, as well as the Federal Bureau of Investigation and the Internet Crime Complaint Center.
(Source: InformationWeek)
So its better to upgrade to SP3 imdly. atleast for internet based databases.
No comments:
Post a Comment
Please do not spam!