Wednesday, September 2, 2009

Microsoft disputes password-stealing SQL Server bug

For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.

The software giant, however, said that the issue is not a security flaw.

The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in the memory of the database server process, Slavik Markovich, CTO at Sentrigo, told SCMagazineUS.com on Tuesday. The issue affects SQL Server 2000, 2005 and 2008 running on Windows operating systems.

Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.
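The check a DBA or incident responder would want here is whether a memory image of their own database process actually contains credentials in the clear. The script below is an added example and is not Sentrigo's tool, Microsoft's code or anything published with this article: it takes a memory dump as bytes (on Windows, a full dump written by a tool such as Sysinternals ProcDump, which, as Markovich notes, requires administrative rights on the host) and searches it for credential-looking strings in both ASCII and UTF-16LE, the encoding a Windows process typically uses for strings. The dump embedded in the block is constructed for the demonstration; the field names (`password`, `pwd`) and the sample credentials are assumptions, not values taken from SQL Server.

```python
import re
from typing import Dict, List

# Constructed sample "process memory" dump. It is NOT a real SQL Server image;
# it only mimics what a dump of a Windows process could look like: binary noise,
# an ASCII connection string with a password, and a UTF-16LE copy of another one.
SAMPLE_DUMP = (
    b"\x00\x10MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"login=appuser;password=S3cretP@ss!;"          # ASCII credential pair
    + b"\x00" * 16
    + "Server=db01;User Id=reporting;".encode("utf-16le")
    + b"\xde\xad\xbe\xef"                              # unrelated binary data
    + "Pwd=Winter2009!".encode("utf-16le")             # UTF-16LE credential pair
    + b"\x00" * 8
)

# Key names that commonly precede a password in connection strings (assumed list).
CRED_RE = re.compile(r"(?i)\b(password|pwd|pass)\s*=\s*([^;\s]+)")


def extract_strings(dump: bytes, min_len: int = 6) -> List[str]:
    """Return printable runs of at least min_len characters, first ASCII, then
    UTF-16LE (the equivalent of running `strings` with and without `-e l`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(dump)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(dump)]
    return found


def find_credentials(dump: bytes) -> List[Dict[str, str]]:
    """Scan every printable string in the dump for key=value credential pairs.
    Each hit records the key, the exposed value and the string it was found in."""
    hits = []
    for s in extract_strings(dump):
        for m in CRED_RE.finditer(s):
            hits.append({"key": m.group(1), "value": m.group(2), "context": s})
    return hits


def confirm_exposure(dump: bytes, known_secrets: List[str]) -> Dict[str, List[str]]:
    """For secrets you already know (e.g. a test account's password), report the
    encodings in which each one appears verbatim in the dump. An empty list means
    the secret was not found in the clear in either encoding."""
    result: Dict[str, List[str]] = {}
    for secret in known_secrets:
        encodings = []
        if secret.encode("ascii", "ignore") in dump:
            encodings.append("ascii")
        if secret.encode("utf-16le") in dump:
            encodings.append("utf-16le")
        result[secret] = encodings
    return result


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_DUMP):
        print(f"{hit['key']}={hit['value']!r}  (in: {hit['context']!r})")
    print(confirm_exposure(SAMPLE_DUMP, ["S3cretP@ss!", "Winter2009!", "NotInDump"]))
```

`find_credentials` is the blind search an insider would run; `confirm_exposure` is the controlled test a defender runs by logging in with a throwaway account whose password is known, dumping the process and checking whether that exact string is present. Scanning both encodings matters: a password that is absent as ASCII can still sit in memory as UTF-16LE, and a search for the ASCII form alone would wrongly report the process as clean.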

“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.

Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.

“If someone can see your password, think about all the other systems they could access,” Markovich said.

But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email Tuesday. The software giant has no intention of offering a security update for the issue.