Microsoft flaw may add to SQL-injection troubles
Published: 2008-12-23

Microsoft warned network and Web administrators on Monday that a security researcher had published an exploit for an unpatched flaw in the company's structured query language (SQL) database software.

The information could allow attackers to compromise Web sites that use Microsoft's software to serve up dynamic Web pages. The vulnerability affects older versions of the software, including Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine, Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database, the company said in an advisory.

The security researcher who discovered and disclosed the flaw, Bernhard Mueller of SEC Consult Vulnerability Lab, stated in an advisory that he had contacted Microsoft in April about the vulnerability but decided to release it after the company failed to update him on its progress in patching the issue.

At least one security firm put Mueller on its "naughty list."

"This is an example of irresponsible disclosure," Eric Schultze, chief technology officer of Shavlik Technologies, said in a statement sent to SecurityFocus. "The person that found (the) issue took the proper steps to report it to Microsoft; however, they grew impatient with Microsoft and decided to release exploit code before Microsoft announced a patch. This so-called security researcher has therefore placed thousands of servers and potentially (an) untold number of persons' privately identifiable information at risk for purposes of their own popularity."

Online criminals have increasingly targeted legitimate Web sites as a way to host and spread malicious code. In the past two weeks, thousands of Web sites have been hacked to host an attack taking advantage of a serious flaw in Internet Explorer that Microsoft only recently patched.

Microsoft has posted instructions on how to work around the issue. In addition, the company's latest versions of its database software — including Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 — are not affected by the vulnerability.

UPDATE: Bernhard Mueller could not be reached prior to this article's publication, but provided the following comment after publication:

SEC Consult has a written responsible disclosure policy that is based on the Internet-Draft "Responsible Vulnerability Disclosure Process" by Steve Christey and Chris Wysopal. (The e-mail quotes the relevant section of the policy that provides for 30-day notice with extensions before public disclosure.)

Now, we of course know that Microsoft can't possibly create, test and release a patch for a serious security vulnerability in SQL Server within 30 days. That said, we at least need to know what is going on at Microsoft and if/when a patch is going to be released. In this specific case, we wrote four e-mails within three months trying to get a status update, including one e-mail in which we announced the release date of our public security advisory. None of these mails was answered. Consequently, we released the security advisory according to our disclosure policy (I will not discuss the pros and cons of public vulnerability disclosure here). We did not include a working exploit in our security advisory (although we sent it to Microsoft).

Please also note that nearly all of our security advisories are coordinated with the respective vendors, including past coordinated releases with Microsoft. Vendors always get ample time to prepare a patch and opportunities to postpone the public advisory (in this case, a simple e-mail would have sufficed).

If you have tips or insights on this topic, please contact SecurityFocus.



Posted by: Robert Lemos
Copyright 2009, SecurityFocus