Wednesday, September 2, 2009

Microsoft disputes password-stealing SQL Server bug

For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.

The software giant, however, said that the issue is not a security flaw.

The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in its database memory, Slavik Markovich, CTO at Sentrigo, told SCMagazineUS.com on Tuesday. The issue affects SQL Server 2000, 2005 and 2008, running on Windows operating systems.

Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.

“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.

Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.

“If someone can see your password, think about all the other systems they could access,” Markovich said.

But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email Tuesday. The software giant has no intention of offering a security update for the issue.

Tuesday, July 14, 2009

SQL Sentry Announces Performance Optimization Software for SQL Server Analysis Services

SQL Sentry, the developer of award-winning software for Microsoft SQL Server, announced today the availability of monitoring and optimization software for Microsoft SQL Server Analysis Services. SQL Sentry Performance Advisor for Analysis Services provides unparalleled insight into Analysis Services performance, including bottlenecks related to memory and storage systems, aggregation usage, unoptimized queries, and query and processing tasks competing for the same resources.


"Building on the success of Performance Advisor for SQL Server, we are proud to bring exciting new capabilities to the market for managing Analysis Services," said Greg Gonzalez, President and CEO of SQL Sentry. "And when combined with SQL Sentry Performance Advisor for SQL Server and Event Manager, we are providing the only solution in the market covering Microsoft's entire BI platform, including the relational data warehouse (SQL Server), Analysis Services (SSAS), Integration Services (SSIS), and Reporting Services (SSRS)."


"Performance Advisor for Analysis Services is truly a game changer. This is the first software that brings all of the pertinent information together in a clear and concise fashion, providing a level of insight into Analysis Services performance that before now just hasn't been possible," said John Welch, SQL Server MVP, Chief Architect, Mariner.


Performance Advisor for Analysis Services is packed with many groundbreaking features, all designed to simplify the process of optimizing Analysis Services performance. Key features include:


Powerful SSAS Performance Dashboard

Innovative Workload and Bottleneck Profiling

Capture of all High Impact MDX, XMLA and DMX Commands

Alerting and Response for SSAS Commands and Runtime Deviations

SSAS Cache and Storage System Monitoring

Calendar Views Combining SSAS, SQL Server, SSIS, and SSRS Events

Monitoring and Alerting for SSIS Data Warehousing Jobs and SSRS Reports

Pricing and Availability

Saturday, May 23, 2009

Zoho Attempts to Bridge the Cloud and SQL

Everyone knows that the most important thing is the data itself and not the storage or access of it through applications. We don't need Zoho to tell us that. We also know that more and more we are using storage formats other than relational databases for our data -- take XML repositories for instance -- and that we are using methods other than SQL to retrieve our data.

But what Zoho says we don't know, or don't realize, is that we can use the SQL query language to access our data even when it's not stored within a traditional relational database. At least we can now, using Zoho's newest technology, CloudSQL.

Friday, April 10, 2009

SQL Server 2008 Service Pack 1 arrives


Microsoft today released Service Pack 1 for all seven editions of SQL Server 2008, its relational database management system that uses Transact-SQL as its primary query language. The update is available in 32-bit, 64-bit, and ia64 flavors from the Microsoft Download Center. SP1 is primarily a roll-up of previous cumulative updates and while there are no new features, Microsoft did highlight the following three improvements:

Slipstream allows administrators to install SQL Server 2008 and Service Pack 1 in a single instance. This decreases the total time for an installation, including a fewer number of reboots, thereby increasing productivity and deployment availability.

Service Pack Uninstall allows administrators to uninstall the service pack separately from the database release. This feature also improves DBA productivity, reduces the cost of deployment and improves overall supportability.

Report Builder 2.0 Click Once improves the existing SQL Server end-user report authoring application by easing deployment to business users.

Microsoft also took the opportunity to note that there have been "over three million downloads" of SQL Server 2008 to date. SQL Server 2008 hit the RTM milestone in August 2008. The CTP of SP1 was released in February.

Sunday, March 15, 2009

DiscountASP.NET Adds SQL 2008 Backup API

ASP.NET hosting and SQL hosting provider DiscountASP.NET (www.discountasp.net) has expanded its Open Control Panel API with the addition of APIs for SQL 2008 Database backup as part of DiscountASP.NET's Open Control Panel Initiative, designed to offer an open hosting system framework that provides maximum control.

According to DiscountASP.NET's Wednesday announcement, customers can access the API library through their control panel and are assigned a unique Authentication Key. Also, a Sandbox Key is provided so that customers can test their applications without the risk of making changes to their hosting account.

In 2006, DiscountASP.NET unveiled the first phase of its Open Control Panel Initiative by introducing an ASP.NET web service API library that customers can use to develop their own web, desktop or mobile applications that interface directly with their web hosting account. This exposed a number of methods to retrieve resource usage information and manage some IIS functions, such as recycling their application pool. Today, DiscountASP.NET has found more methods for customers to back up their SQL 2008 databases.

"Our control panel API is a move to provide our customers with a next-generation hosting experience," marketing vice president Takeshi Eto said in a statement. "Our vision for the Open Control Panel Initiative is to offer our customers the flexibility and freedom of choice. They can manage their hosting presence using our hosted control panel application or through web services and customized user-driven solutions."

DiscountASP.NET has undergone many improvements in the past few months, increasing options for customers looking for advanced ASP.NET and SQL functionality.

At Microsoft's (www.microsoft.com) Professional Developers Conference in October 2008, DiscountASP.NET announced it had teamed with the software heavyweight to offer a free beta sandbox hosting environment for the Web Deployment Tool, Microsoft's deployment, management and migration tool for web apps, sites and servers.

http://www.thewhir.com/web-hosting-news/103108_DiscountASP.NET_Offers_IIS_Tool_Beta

More recently, in January, DiscountASP.NET partnered with web-based applications provider myLittleTools (www.mylittletools.com) to add myLittleAdmin to DiscountASP.NET's feature set, giving customers free access to the web-based SQL management tool.

Monday, January 19, 2009

SQL DeCryptor 2.2 (Windows)

SQL Decryptor is developed by Imperia Software to decrypt views, user-defined functions and stored procedures in an easy-to-use graphical interface. It works quickly to decrypt items in Microsoft SQL Server 6.5, 7.0, 2000, 2005, 2008 and MSDE. SQL Decryptor allows for easy viewing of encrypted code of any size. Version 2.2 comes with the best search performance.

Sunday, December 28, 2008

Microsoft confirms it's been working on SQL Server bug since April

Microsoft Corp. today confirmed that it has been working on a critical vulnerability in SQL Server for more than eight months, but declined to say whether it has had a patch ready since September, as an Austrian security researcher has alleged.

On Monday, the company warned customers of a bug that could be used to compromise servers running older versions of the database software, which is widely used to power Web sites and applications.

"Microsoft opened an investigation for this vulnerability in April upon the initial report by the security researcher," said a company spokesman in an e-mail today. "We immediately started an investigation and have been working on this issue since that time," he added.

The researcher, Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, went public with details of the vulnerability as well as exploit code on Dec. 9, apparently after tiring of Microsoft's lack of communication.

According to Mueller, who posted findings in an advisory on the SEC Consult site, as well as to prominent security mailing lists, the bug was reported to Microsoft on April 17, 2008, and Microsoft's last message to him was on Sept. 29. After four requests for an update on a patch's status during October and November, Mueller disclosed the vulnerability.

Mueller also said that Microsoft had informed him in September that it had completed a fix.

The Microsoft spokesman didn't directly respond to a question about whether the company had a patch in hand, as Mueller claimed, but instead said, "At this time, security updates are not available for the affected versions listed in Microsoft Security Advisory 961040."

Although it is true that Microsoft has not yet issued an update to the affected software -- which includes SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database -- one security expert said he's betting that the company will release one soon.