Microsoft Knows about the SQL Bug — KB961040

By Paul | Dec 30, 2008

Microsoft confirmed some information about the this little SQl bug and issued a Statement in an Security Advisory 961040 and in it Microsoft said:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

[via Microsoft Technet]

One researcher, a Bernhard Mueller, is claiming that Microsoft has the patch available and ready to patch this bug. According to him Microsoft this patch is done and isn’t scheduled to be release yet. I don’t know when they will patch this but if Techworld is right it will be an out of cycle patch. I am sure that if Microsoft does release it in cycle then it will be this coming patch cycle. January 13, 2009 is the next cycle of patches for Microsoft and should be available at 10pm PST time. If Microsoft doesn’t release the patch soon they will undoubtedly wait till Patch Tuesday. In my previous article I talked about this to a point the workaround so if you are using an SQL server you need to do this work around.

Share and Enjoy: