Tuesday, December 23, 2008

MS-SQL 0-day vulnerability remotely exploitable

Microsoft just announced the MS-SQL sp_rewrite vulnerability I blogged about last Wednesday, and it looks like mainstream news is just picking up and reporting on it.

The attack has just morphed into a critical remote flaw, as it's reported it can now be exploited through SQL injection. This is an ASPROX-type attack but much more dangerous, as it allows attackers to gain full privileges to run commands on the SQL server as the administrator.

If you're a Sentinel IPS customer, the previous signature and our older SQL injection signatures adequately defend against this attack, so rest easy and enjoy the holidays!


Why is this considered a 0-day if we have known about it for a week? Well, there is exploit code available and no patch yet from Microsoft... We call that 0-day, as attackers can wreak havoc with no patch defenses available.

Wednesday, December 17, 2008

Internet Explorer XML 0-day and MS-SQL vulnerabilities

Two new critical MS vulnerabilities were released in early January; the IE flaw (buffer overflow in the XML parser) is particularly nasty. This is a client-side bug which can be triggered by clicking a malicious link from anywhere, including emails...

This bug is rated "Extremely Critical"; the easiest workaround is to use Firefox for browsing until patched.

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://secunia.com/advisories/33089/

The MS-SQL vulnerability, while it has potential, currently allows only privilege escalation and no remote code execution.

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Sentinel IPS has signatures to protect against both.

Exploit Code Release for IE XML vuln:
http://www.milw0rm.com/exploits/7410
http://www.milw0rm.com/exploits/7477
http://www.milw0rm.com/exploits/7403

As always, patch, patch, patch!