2008-12-23
Microsoft flaw may add to SQL-injection troubles
2008-12-27
PacketDump (at) IHackDJ00 (dot) com [email concealed]
2008-12-28
Http://WormsAndExploits.blogspot.com (1 replies)

There will be those that raise the irresponsible disclosure flag when an exploit is posted before a solution (anytime). There is some merit in it, but also think about this: as commented before, would you rather know how to protect/defend your systems as soon as you could, even if it forces the hand of M$ a little, or be clueless and in the dark, and probably getting 0wned by the bad guy anyways if you didn't know? The root of the issue is basically if you aren't disabling or looking at the security of stored procedures and who can utilize them when you set up SQL in the first place, but no, that would be too easy?
There is fault on both sides: fault on M$ for not prioritizing the problem (although think about it: the last 2 out-of-cycle patches, which were 0-day during this 6-month period, probably dropped the priority of this patch a little on the get-it-fixed scale) and for the researcher for releasing exploit code and leaving systems for compromise before the vendor could release a patch.
Zman
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/875/2755#2755