Microsoft Flaw Leads to SQL Injection Threat
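On Monday, Microsoft warned all network administrators that a security researcher had published a vulnerability in its SQL database that Microsoft had not yet had time to fix.
Attackers can use this vulnerability to break into websites that rely on Microsoft products to serve dynamic web pages. The vulnerability exists in the following Microsoft products: SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Desktop Engine, SQL Server 2000 and Windows Internal Database.
The security researcher, Bernhard Mueller, is from "SEC Vulnerability Lab". He said he had informed Microsoft of the vulnerability as early as April of this year. However, Microsoft never told him how the fix was progressing, and for that reason he decided to make the vulnerability public.
At least one security company has already put Mueller on its list of "naughty people".
Eric Schultze, CTO of Shavlik Technologies, said: "Exposing a vulnerability like this is very irresponsible. He should have reported it to Microsoft through proper channels. However, this guy did not have enough patience, so he published the vulnerability before Microsoft released a patch. This so-called security researcher, in order to raise his own profile, was willing to risk numerous servers being hacked and the public's private information being leaked."
Cybercrime has increasingly been targeting legitimate websites, using them to spread malicious code. In the past two weeks, thousands of websites have been compromised by hackers exploiting an IE vulnerability that Microsoft had only just patched.
Microsoft has released a temporary workaround for this vulnerability. In addition, Microsoft's latest database products are not affected by it; these products include SQL Server 7 SP4, SQL Server 2005 SP3 and SQL Server 2008.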
Original article: Microsoft flaw may add to SQL-injection troubles
Published: 2008-12-23
Microsoft warned network and Web administrators on Monday that a security researcher had published an exploit for an unpatched flaw in the company's structured query language (SQL) database software.
The information could give malicious attackers the ability to compromise Web sites that use Microsoft's software to serve up dynamic Web pages. The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, the company said in an advisory.
The security researcher who discovered the issue and released the flaw, Bernhard Mueller of SEC Consult Vulnerability Lab, stated in an advisory that he had contacted Microsoft in April about the vulnerability but decided to release it after the company failed to update him on its progress in patching the issue.
At least one security firm put Mueller on its "naughty list."
"This is an example of irresponsible disclosure," Eric Schultze, chief technology officer of Shavlik Technologies, said in a statement sent to SecurityFocus. "The person that found (the) issue took the proper steps to report it to Microsoft, however, they grew impatient with Microsoft and decided to release exploit code before Microsoft announced a patch. This so-called security researcher has therefore placed thousands of servers and potentially (an) untold number of person’s privately identifiable information at risk for purposes of their own popularity."
Online criminals have increasingly targeted legitimate Web sites as a way to host and spread malicious code. In the past two weeks, thousands of Web sites have been hacked to host an attack taking advantage of a serious flaw in Internet Explorer that Microsoft only recently patched.
Microsoft has posted instructions on how to work around the issue. In addition, the company's latest versions of its database software — including Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 — are not affected by the vulnerability.