Tuesday, December 23, 2008

Microsoft Gives Us A Lump of SQL Coal for Christmas

It could have been an Easter present, but instead, Microsoft has chosen to dump a gift-wrapped SQL turd in our Christmas stocking.

Thanks for that.

A security researcher had pointed out the SQL flaw in April, and only went public with exploit code after months and months of patching inaction by Redmond. And they wonder why I stopped being an MCT several years ago and ignored their repeated request to renew my Microsoft Partner status for 2009.

The vulnerability in question is a remote memory-corruption flaw: SQL Server fails to properly validate user-supplied input. An authenticated attacker can exploit it to execute arbitrary code and completely compromise the affected machine. "Authenticated" is less comforting than it sounds, because the attacker only needs some database login, and a SQL injection hole in a front-end web application hands one over. Even when the exploit attempt fails to take over your app or SQL box, the corrupted memory will most likely crash the database process, which is a denial-of-service all by itself. Have fun with that, e-commerce sites struggling in the face of IT layoffs in a faltering economy.

The vulnerability affects older versions of the software: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (both the MSDE 2000 and the WMSDE flavours) and Windows Internal Database, according to the advisory. SQL Server 2005 Service Pack 3 and SQL Server 2008 are not affected. Note that the last entries on that list ship embedded inside other products (WSUS and SharePoint among them), so you may well have exposed instances that nobody in your shop has ever thought of as a SQL server.
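Before the patch lands, the practical questions are whether a given instance sits on the affected list, which logins an "authenticated attacker" could plausibly be, and whether the interim workaround has actually taken effect. The T-SQL below is an added triage script, not code from the original post, from SEC Consult or from Microsoft. The post does not name the vulnerable stored procedure, so `dbo.placeholder_affected_procedure` and the application login `webapp_login` are placeholders to replace with the procedure named in Microsoft's advisory and with your own application's login.

```sql
-- Added triage script (not from the original post). Run as a sysadmin on each
-- instance you own, including the embedded MSDE / Windows Internal Database ones.
-- Placeholders (assumptions, not real names): dbo.placeholder_affected_procedure,
-- webapp_login.

-- 1. Is this build on the affected list? The post says SQL Server 2000 and 2005
--    are affected and the advisory exempts 2005 SP3 and 2008, so a 2005 box that
--    reports anything below SP3 here is exposed.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Who could be the "authenticated attacker"? Every login is a candidate, and
--    a web application's login reached through SQL injection is the likely one.
--    An application login that is a sysadmin member turns a successful exploit
--    into ownership of the whole instance. master.dbo.syslogins exists on both
--    SQL Server 2000 and 2005 (a compatibility view on the latter).
SELECT loginname,
       IS_SRVROLEMEMBER('sysadmin', loginname) AS is_sysadmin
FROM   master.dbo.syslogins
ORDER  BY is_sysadmin DESC, loginname;

-- 3. Interim workaround pattern until the patch is applied: stop the public
--    role, i.e. every login, from calling the affected procedure. Run this in
--    the database that owns the procedure; GRANT/DENY cannot take a
--    database-qualified name.
USE master;
DENY EXECUTE ON dbo.placeholder_affected_procedure TO public;

-- 4. Confirm the deny took effect for the low-privilege application login.
--    SQL Server 2005 only: EXECUTE AS LOGIN and HAS_PERMS_BY_NAME do not exist
--    on SQL Server 2000; there, inspect the result of
--    EXEC sp_helprotect 'dbo.placeholder_affected_procedure' instead.
EXECUTE AS LOGIN = 'webapp_login';
SELECT HAS_PERMS_BY_NAME('dbo.placeholder_affected_procedure', 'OBJECT', 'EXECUTE')
       AS can_execute;   -- 0 means the deny is in force for this login
REVERT;
```

Step 2 is the one worth reading twice: if the login your e-commerce site uses is a sysadmin, this particular bug is almost beside the point, since any SQL injection already gives an attacker everything the memory corruption would. Fix the privilege problem first, then apply the workaround, then the patch.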

Bernhard Mueller, the security researcher who discovered the flaw and then went public with the details after waiting in vain for Microsoft to acknowledge and fix the weakness, is currently being pelted with coal by both Microsoft and other security researchers, who call his public release of the vulnerability "irresponsible".

I'm sure we'll see more dialogue on the ethics and responsibilities of researchers to notify vendors of the flaws they discover but to zip their lips until the vendor gets around to protecting their customers by updating the insecure product the customer paid good money for in the first place.

You may be able to tell that I'm torn by this - we wouldn't let Ford off the hook if someone told them the doors and wheels kept falling off of the Escape hybrid, and some serious lawsuits would follow if Ford took six months before publicly admitting the problem and remediating or replacing the SUV. I'm not sure why software makers are given such latitude, either by consumer groups or by the massive corporations who purchase these repeatedly-insecure chunks of code. SDLC, anyone? I guess time-to-market is more important.
