Sentrigo has posted a fix for a Microsoft SQL Server vulnerability that reveals passwords to anyone with administrative privileges. The utility, called Passwordizer, is available from Sentrigo.
The vulnerability affects SQL Server 2000, 2005 and 2008, running on all supported Windows platforms that use mixed-authentication mode (SQL Server and Windows Authentication mode).
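The exposure described here applies only to instances running in mixed-authentication mode, so the first thing an administrator will want to know is which mode each instance uses and which SQL Server logins (as opposed to Windows logins) exist on it. The following T-SQL is an added example written for this page; it is not part of the article and is not Sentrigo's Passwordizer. It relies on the documented `SERVERPROPERTY('IsIntegratedSecurityOnly')` property and the `sys.sql_logins` catalog view (SQL Server 2005 and later).

```sql
-- Added example, not from the article or from Sentrigo's tool.
-- Report whether this instance runs in mixed-authentication mode, the
-- configuration the advisory names. SERVERPROPERTY('IsIntegratedSecurityOnly')
-- returns 1 for Windows Authentication only and 0 for mixed mode.
SELECT
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
        WHEN 1 THEN 'Windows Authentication only'
        WHEN 0 THEN 'Mixed mode (SQL Server and Windows Authentication)'
    END AS authentication_mode,
    SERVERPROPERTY('ProductVersion') AS product_version;

-- SQL Server 2005 and later: list the SQL-authenticated logins present on the
-- instance. These are the accounts whose passwords are supplied to the server
-- rather than verified by Windows, so they are the ones to review (and rotate,
-- if reused elsewhere) after applying the fix. On SQL Server 2000, which lacks
-- sys.sql_logins, query master..syslogins instead.
SELECT name, is_disabled, create_date, modify_date
FROM sys.sql_logins
ORDER BY name;
```

Run it on each instance you administer; an instance that reports mixed mode and has SQL logins in the second result set is within the scope the advisory describes, whereas a Windows-only instance is not affected by this issue.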
The danger lies in the fact that users reuse the same password across multiple systems, making it possible for an attacker who obtains the SQL Server password to access those other systems, or personal accounts that share the password, Sentrigo says.
The company's researchers discovered personal passwords held unencrypted in SQL Server memory when they accessed the server with administrative privileges. The company says that best practice calls for even legitimate administrators never to see actual passwords. Hackers who gain administrative access could find these passwords as well, Sentrigo says.
In addition to user passwords, the flaw leaves application credentials in the clear. Sentrigo describes the vulnerability as significant.
Sentrigo says it has told Microsoft about the vulnerability.