Is SQL Server's latest security hole a real threat?

Why Microsoft should pay attention to the latest security threat


Sentrigo says this is an important issue, but Microsoft says it’s not. In my opinion, Sentrigo has the right idea, and Microsoft is putting blinders on. I’m not sure why it's so resistant to seeing the real issue, but even when I talked to Microsoft, the spokesperson seemed quite determined that the above was the company's final word.

Here’s why I think Sentrigo is right about this; it’s an issue of perspective. Consider these two scenarios.

Scenario No. 1: You’re the sys admin of a company and you have rights on all your SQL boxes. You also have an auditing solution in place to ensure that nobody, including yourself, does anything they’re not supposed to. And for some reason you get a wild hair to be nefarious. However, you have a pesky auditing solution keeping you honest.

Then you read Sentrigo’s story. You figure out how to read SQL’s memory, then obtain the username and password of the guy you’re mad at. You start doing your bidding in the database under his name.

Now he’s under the microscope because his login is responsible for all of the malicious things transpiring. He’s likely to get fired, though he didn’t do anything. This could go on forever before anyone figures it out. Though you’re a sys admin with wide-ranging rights, this is the very reason you shouldn’t be able to access someone else’s password.

Gaining permission to decrypt sensitive data is another part of this scenario. You could have a third-party encryption app in place that keeps the database administrators from seeing the data.