Just days after patching a critical flaw in its Internet Explorer browser, Microsoft is now warning users of a serious bug in its SQL Server database software.
Microsoft issued a security advisory late Monday, saying that the bug could be exploited to run unauthorized software on systems running versions of Microsoft SQL Server 2000 and SQL Server 2005.
Attack code that exploits the bug has been published, but Microsoft said that it has not yet seen this code used in online attacks. Database servers could be attacked using this flaw if the criminals somehow found a way to log onto the system, and Web applications that suffered from relatively common SQL injection bugs could be used as stepping stones to attack the back-end database, Microsoft said.
Desktop users running the Microsoft SQL Server 2000 Desktop Engine or SQL Server 2005 Express could be at risk in some circumstances, Microsoft said.
The bug lies in a stored procedure called “sp_replwritetovarbin,” which is used by Microsoft’s software when it replicates database transactions. It was publicly disclosed on December 9 by SEC Consult Vulnerability Lab, which said it had notified Microsoft of the issue in April.
“Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue,” Microsoft said in its advisory.
This is the third serious bug in Microsoft’s software to be disclosed in the past month, but it is unlikely to be used in widespread attacks, according to Marc Maiffret, director of professional services with The DigiTrust Group, a security consulting firm. “It is rather low risk given other vulnerabilities that exist,” he said via instant message. “There are a lot of better ways to currently compromise Windows systems.”
After seeing the Internet Explorer flaw used in a growing number of online attacks, Microsoft rushed out an emergency patch for the issue last Wednesday. The company says it has also seen “limited and targeted attacks” exploiting a serious bug in the WordPad Text Converter for Word 97 files. As with the SQL bug, this WordPad converter vulnerability has not been patched, but is a prime candidate to be fixed in Microsoft’s upcoming January 13 security updates.
Posted in Microsoft, Security, Software
Google has taken the aggressive step of advising some of the people using its Gmail webmail to use Chrome or Firefox rather than Internet Explorer.
When users log into their Gmail using Internet Explorer a red text link appears at the top right of the page saying ‘get faster Google Mail.’
If you click on the link then you are taken through to a Google answers page that suggests that you should use a faster browser.
The suggestions it makes are Google’s own Chrome browser or Firefox 3.0.
We suggest you upgrade
“Browsers are getting faster and better at running web applications like Google Mail that use browser technology to its limits. In order to get the best Google Mail experience possible, we suggest that you upgrade your browser to one of the fastest Google Mail supported browsers that work on Windows,” reads the text.
There is a proviso that IE8 is being worked on: ‘Note: A faster version of Internet Explorer, IE8, is in development and available in a beta release.’
Although not all users appear to be affected in our early investigation, at first glance it is a particularly aggressive approach from Google.
To actively push two browsers over the currently dominant Internet Explorer is far from the normal Google softly, softly approach – especially in a week where Internet Explorer has been beset by news of a major security problem.
It seems, however, that Google is only pushing users to the other browsers if they are currently using Internet Explorer 7. Those that are using Internet Explorer 6 are told to upgrade to either Chrome, Firefox or Internet Explorer 7 for a faster Google service.
Whether this is a silly oversight on Google’s part or an active push away from Internet Explorer by the search kings remains to be seen.
What is for sure is that Google is sending out mixed messages to its users, depending on what version of browser they are using.
Posted in Google, Internet, Microsoft, Mozilla, Software
For perhaps the first time in its history, Microsoft made the case on Monday that businesses shouldn’t run its software. Instead, Microsoft argued that corporations should let it run the software for them.
During the past several years, Microsoft has been testing out the idea that it can host and run business software cheaper and more effectively than individual enterprises can do on their own. The effort started in 2005 with a single customer–battery maker Energizer–which had Microsoft essentially handle all of its PC desktops.
Over time, Microsoft narrowed the service to an option in which it hosts Exchange and SharePoint, runs the software in its data center, and charges customers on a monthly basis. Microsoft officially launched the products, known as Microsoft Online, at a customer event at the St. Regis hotel here.
“We can help you save money,” Microsoft Business Division President Stephen Elop told the crowd, saying Microsoft estimates that companies can save at least 10 percent by letting Microsoft run their messaging and collaboration software for them.
One of the early customers is video retailer Blockbuster, which has been using Exchange Online for about six months. Blockbuster CIO Keith Morrow said in an interview that Microsoft’s online services came at a good time for the company, which was on a several-generations-old version of Lotus Notes.
Morrow said the video rental company needed to make a change of some kind, and the option to move to Exchange without having to bring that skill set in-house was a key selling point, as was the ability to offer better mobile options, including Outlook Web Access and iPhone support.
Another Notes switcher in the crowd was Eddie Bauer, which has been a Microsoft Online customer for about five weeks. Chief Information Officer Rich Mozack said the clothing retailer wanted to move off Notes but couldn’t make the numbers work to run Exchange on its own.
“We just couldn’t justify the up-front investment,” Mozack said.
Microsoft’s Ron Markezich said about two-thirds of early customers are moving from Notes to Exchange. But even as Microsoft continues to target those moving from Lotus Notes, the company faces the threat of its own Exchange customers moving to other hosted options, including Google Apps.
Just last week, Serena Software said it was switching to Google from Exchange in a move it said would save it $750,000 a year, according to several reports.
At the event, Elop made Microsoft’s familiar case that, while the cloud is great, customers are better served by an option that allows software to run on customers’ own machines as well as over the Internet.
The software maker said last year that it would offer the hosted option for large businesses, later expanding the offer to businesses of all sizes. At last month’s Professional Developer Conference in Los Angeles, Microsoft also confirmed that it would offer Web-based versions of its Office applications, including Word, Excel, and PowerPoint.
While many of those at Monday’s event were the company’s early customers and partners, not everyone at the event was ready to sign off. I spoke with a municipality that was highly interested in Microsoft’s product, particularly as it plans to move from GroupWise to Exchange. Still, with a dearth of other governments to point to, this CIO told me that he still faced challenges in getting the city’s upper management and government to sign off on the deal.
Posted in Internet, Microsoft, Software