Microsoft confirms SQL Server bug

Microsoft has confirmed that it has been working to fix a critical vulnerability in SQL Server since April, as alleged by SEC Consult, the organization that uncovered the bug.  We first reported on this issue in our Security News Roundup two weeks ago, just before the issue hit the mainstream press due to the highly critical nature of this vulnerability.

A successful attacker will be able to remotely control the database and the underlying server, which will result in a leakage of confidential data and disruptions in critical MS SQL driven applications, which exist mainly in the enterprise space.  As such, database administrators are urged to immediately review available work-around solutions and implement them as soon as possible, in spite of the holiday season.

“We expect that Microsoft is currently working on a patch and will release it out of band,” said Wolfgang Kandek, CTO of Qualys, underlining the severity of the problem.  However, patch deployment is likely to be slower than it was for the recent Internet Explorer vulnerability.  Kandek explains that the reason is that Microsoft SQL Server is part of the core server infrastructure of many enterprise companies.  As such, “[SQL Server] is subject to lengthy patch and testing cycles and before any such fix can be deployed.”

Check Point acquires Nokia’s security business

Check Point has agreed to acquire Nokia’s security appliance business.  Financial details were not disclosed, though Check Point did reveal that the acquisition will add some US$100 million to the company’s revenues in 2009, and that the transaction terms will be in cash.  The two companies have been working together for over a decade, with more than 220,000 Nokia appliances installed with over 23,000 customers worldwide.

There is no mention of how staff from the new division will fit together into Check Point’s organizational structure, though Chief Executive Officer Gil Shwed was reported as saying at a press conference, “I hope that we will also find a way to integrate most of the Nokia workforce into the company.”

The reason behind Nokia selling its security appliance business is not known, though judging by recent belt-tightening measures at Nokia, this could well be part of an overall restructuring designed to improve its group returns.

Keyloggers used to harvest banking credentials

A team of researchers has published a case study that focuses on keyloggers and their use to harvest banking-related user names and passwords.  Using honeynets, the team observed over 70 different data-stealing malware and found over 33 GB of log files in “dropzones.”

Excerpt from heise Security UK:

The log files contained personal information on more than 170,000 victims, including passwords, PINs, user names, and so on. They also contained information, including PINs, on over 10,000 bank accounts, over 140,000 email passwords and the access details of nearly 80,000 members of social networking sites such as Facebook and Hi5.

Of course, the use of two-factor authentication, such as by some UK banks, would have rendered a lot of this data useless.  Places such as Singapore have also mandated all banks to offer two-factor authentication for on-line banking.  Of course, the common habit most people have of using the same passwords for various accounts will probably not help.

The data has since been handed to Australian CERT, which will pass the information on to the relevant banks and institutions so as to inform the victims and remedy the situation.  You can read the full report, titled “Learning more about the Underground Economy: A case-study of Keyloggers and Dropzones” (pdf).

Any comments or feedback on the security news roundup this week?