December 2008 - Posts

Talk about media hype and anti-MS sentiment: John Leyden writes an article in today's Register, "MS (finally) confirms unpatched SQL Server flaw" -> http://www.theregister.co.uk/2008/12/23/sql_server_0day_latest/.

At the end of the day, in order to exploit the problem you need to either a) give the hacker access to your SQL Server to log in or b) have so badly written your own application that it is subject to SQL injection attacks. In the real world neither of these should be possible if people have done their jobs properly.

The real bug is with the extended stored procedure sp_replwritetovarbin, and SEC Consult have a good write-up here: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt.

Realistically the product is pretty damn sound: how many security exploits have there been on 2005 and 2008 compared to its user base? If you refactor other vendors' flaws against their user base rather than licence income, then the picture will be clear as to who has got their code review right.
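For anyone who wants to check their own servers rather than argue about the hype, here is an added T-SQL snippet (my example, not from the Register article or the SEC Consult write-up). It lists who currently holds EXECUTE on sp_replwritetovarbin in master, which is where the extended stored procedure lives, and then denies it to public so that an injected query or a low-privileged login cannot reach the vulnerable code; the final `EXISTS` check is an assumed sanity test you can run afterwards.

```sql
USE master;
GO

-- 1. Audit: which database principals hold EXECUTE on the extended
--    stored procedure? Ordinary logins only reach it through 'public'.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc      -- GRANT / DENY
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pe.grantee_principal_id = pr.principal_id
WHERE  pe.class    = 1                                   -- object permission
AND    pe.major_id = OBJECT_ID(N'dbo.sp_replwritetovarbin');
GO

-- 2. Mitigate: stop every non-sysadmin login (and therefore any SQL
--    injection running as an application login) from calling it.
DENY EXECUTE ON [master].[dbo].[sp_replwritetovarbin] TO [public];
GO

-- 3. Sanity check: confirm the DENY is now recorded for 'public'.
IF EXISTS (SELECT 1
           FROM   sys.database_permissions AS pe
           JOIN   sys.database_principals  AS pr
                  ON pe.grantee_principal_id = pr.principal_id
           WHERE  pr.name       = N'public'
           AND    pe.major_id   = OBJECT_ID(N'dbo.sp_replwritetovarbin')
           AND    pe.permission_name = N'EXECUTE'
           AND    pe.state      = 'D')                   -- D = DENY
    PRINT 'sp_replwritetovarbin: EXECUTE denied to public';
ELSE
    PRINT 'sp_replwritetovarbin: public can still execute - check permissions';
GO
```

Members of the sysadmin role bypass the DENY, which is exactly point a) above: if someone already has that level of access, this procedure is the least of your worries.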

Tony

Trevor Dwyer is over today and we are 'geeking' out on Microsoft research stuff; anyway, this is way cool: Microsoft Office Labs is a site with a number of projects on there coded by Microsoft employees in their spare time.

I tend to have quite a long to-do list that I juggle around for my various clients; now I can rely less on Outlook and put it all in one quick and easy place: http://www.officelabs.com/projects/stickysorter/Pages/default.aspx.

Tony.