Microsoft disputes password-stealing SQL Server bug

No need for an update, says Microsoft.

For more than a year, Microsoft has been sitting on a purported SQL Server vulnerability that could enable a malicious insider to obtain users' passwords, claims database security vendor Sentrigo.

The software giant, however, said that the issue is not a security flaw.

The potential bug, which Sentrigo notified Microsoft about last September, involves SQL Server keeping passwords unencrypted in its database memory, Sentrigo CTO Slavik Markovich told SCMagazineUS.com. The issue affects SQL Server 2000, 2005 and 2008, running on Windows operating systems.  

Markovich said he believes this is a security issue because it enables any individual with administrative privileges to access SQL Server's process memory and see all the usernames and passwords that are stored for anyone who accessed either the server itself or applications that connect to the server.

“It's something that is security 101, something you never do -- share or see other people's passwords,” he said.

Since people often reuse the same passwords for multiple enterprise systems and for their personal lives, a malicious insider could use the stolen SQL Server credentials to access other systems or a user's personal accounts.  

“If someone can see your password, think about all the other systems they could access,” Markovich said.

But Microsoft said that it has “thoroughly investigated” the issue and found that no vulnerability exists, a Microsoft spokesperson told SCMagazineUS.com in an email. The software giant has no intention of offering a security update for the issue.

“As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system,” Microsoft said. “An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights.”

But Markovich contends that the issue could also be exploited by an outside attacker to escalate the damage of an SQL injection attack. If an attacker launched such an attack and obtained an administrator's password, that password could be used to access SQL Server and potentially retrieve the passwords to other systems.

Sentrigo issued a free tool this week to erase stored passwords in SQL Server. Microsoft recommended end-users review its security guidance and guidelines literature.

See original article on scmagazineus.com


Copyright © SC Magazine, US edition