Editorials

New SQL Server Injection-Based Attack Found

SelectViews Video Show
Community thoughts on SSD drives, moving jobs between servers, last update date tips. Also, indexed views, database hack recovery, foreign key pros and cons and more. Each show features the Accidental DBA Tip, the 60-second SQL Server Tip of the Day, Noise and News in the Industry and a lot more.
[Watch The Show Here]

New SQL Server Injection-Based Attack Found
There’s a newly discovered SQL Server-oriented injection attack (article here, or Google ‘sp_replwritetovarbin’; thanks to Chris Shaw for the initial heads-up on this) that is considered a lower threat because it requires authenticated access to the SQL Server in order to succeed. Microsoft considers this a pretty significant mitigating factor, but there are some key things you can do to protect your systems against this and other threats.

I found this great post about different things you can do – and it goes well beyond addressing just this most recent discovery. Check out the posting here.

The overall key comes down to a few very important things:

1. Never trust input to your system. Filter, use parameters, make sure you know what you’re processing before you try to process it.

2. Remove unneeded access points – from security to functional components on your system that you’re not using – make sure you’ve updated what you need and removed or disabled what you don’t.

3. Learn about the tools at your disposal for debugging, tracing and generally tracking down the culprits attacking your system, if it comes to that. The very intriguing note in the article above that addresses this is the mention of log files and long URLs. By taking advantage of IIS settings that keep very long URLs from being logged, attackers prevent you from learning what they did and how they did it. Set up IIS to log full URLs if at all possible (see the article above).
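Point 3 in working form, as an added example that is not code from the article or the post it links to: a small parser for the W3C extended log format IIS writes, which flags requests whose cs-uri-query is far longer than normal so that the long-URL pattern the article describes shows up in triage. The log lines, IP addresses and the 512-character threshold are constructed for illustration.

```python
"""Flag over-long query strings in IIS W3C-format logs (added example).

The article's point: injection payloads ride in very long URLs, and IIS
may not log them in full. So keep IIS logging whole URLs, then look for
requests whose cs-uri-query is far longer than normal. The log below is
constructed; the payload stand-in is just 1,500 digits (length matters,
not content).
"""
from __future__ import annotations

from typing import Iterator

LONG_QUERY = "id=42&q=" + "9" * 1500   # constructed stand-in for a long URL

SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-12-01 00:00:01 10.0.0.5 GET /products.asp id=42 200
2008-12-01 00:00:02 10.0.0.9 GET /products.asp {LONG_QUERY} 500
2008-12-01 00:00:03 10.0.0.5 GET /default.asp - 200
"""


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one field->value dict per request line, using #Fields: as header."""
    names: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            names = raw.split(":", 1)[1].split()   # IIS may re-emit this mid-file
        elif raw.startswith("#") or not raw.strip():
            continue                                # other directives and blanks
        else:
            values = raw.split(" ")                 # W3C fields are space-delimited
            if len(values) == len(names):           # skip malformed/truncated lines
                yield dict(zip(names, values))


def query_of(entry: dict[str, str]) -> str:
    """cs-uri-query with IIS's '-' placeholder mapped to an empty string."""
    q = entry.get("cs-uri-query", "-")
    return "" if q == "-" else q


def flag_long_queries(text: str, threshold: int = 512) -> list[tuple[str, int, str]]:
    """Return (c-ip, query length, sc-status) for every request over threshold."""
    return [
        (e["c-ip"], len(query_of(e)), e["sc-status"])
        for e in parse_w3c(text)
        if len(query_of(e)) > threshold
    ]
```

Running `flag_long_queries(SAMPLE_LOG)` returns the one 1,508-character request from 10.0.0.9 that also produced a 500, which is the combination worth pulling the full URL for; if IIS truncated the field, the length check silently understates, so the logging fix in the article comes first.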

Keep scanning headlines – we’ll keep an eye open here too, of course.
