Bonum Certa Men Certa

Microsoft SQL Server and DirectX Enable Full Machine Compromise

Network server
Microsoft still the weakest link in networked computing



Summary: Complete systems compromised, all caused by proprietary Microsoft software and APIs

YESTERDAY WE wrote about Windows compromising the national security of the United States. It is now confirmed that a Microsoft component is the culprit. It's not just Windows though; it's apparently Microsoft SQL Server, according to CNET.

Investigators believe an SQL injection attack was used to exploit a vulnerability in Microsoft's SQL Server database in order to gain access to the servers.


How can a database lead to full compromise? It's surely a design problem and we append at the bottom some references of interest, including the fairly recent news about head of Microsoft SQL Server quitting Microsoft.

As Oiaohm put it, "Does MySQL on Linux run as a root user? Not running as root lowers the damage [...] Has happened in the past with old Microsoft SQL worms. [...] We don't know how old [a] Microsoft SQL Server this was."

In CNET, we have also found this report about a DirectX hole which enables the entire system to be compromised. This is madness. How can a proprietary API achieve this? Is it truly as insecure-by-design as ActiveX? Many examples of ActiveX nightmares are accumulated here.

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.


Marvelous. Why not just stick to open and free APIs like OpenGL? _______ [1] Database head to leave daily duties at Microsoft

Paul Flessner, who leads Microsoft's data storage and platform division, will step down from his daily duties after the new year.


[2] New attack technique threatens databases

A noted database security expert, Litchfield is perhaps best known for uncovering a bug in Microsoft SQL Server database server that was subsequently used by the SQL Slammer worm. Litchfield has long criticised Oracle for the time it takes to fix vulnerabilities in its database software. € 


[3] SQL Injection Attacks on IIS Web Servers

[4] Microsoft offers assistance to combat mass SQL injection

[5] Huge Web Hack Attack Infects 500,000 Pages

One anti-virus vendor said the sites might have been compromised through a "security issue" in Microsoft's Web server software that has been reported to Microsoft's engineers. € 


[6] Study Says Linux More Secure

More than 70 percent people surveyed said they found Red Hat Linux less vulnerable to security issues than Microsoft's operating system.


[7] Study: 70 percent say Red Hat more secure than Windows

[8] Microsoft officially 425 years behind the times

It's not just Excel and Exchange that ignore the Gregorian calendar. The Reg has also confirmed that SQL Server 2008, Windows Small Business Server, and Windows Mobile are ignorant as well. € 


[9] SQL Server 2005 SP1 won't work with Vista

It's no secret that a number of applications, including several of Microsoft?s own, are not going to work properly with Windows Vista when the product ships.


[10] SQL Server 2005 SP2 Critical Update Available

Microsoft is seeking to resolve a technical glitch caused by Service Pack 2. For some installations, cleanup tasks stop prematurely after applying the service pack.

The hotfix, which Microsoft has designated a "critical update," is available for existing SQL Server 2005 installations with Service Pack 2.


[11] Vista-compatible SQL Server 2005 SP2 likely February 19

Microsoft began warning users of SQL Server 2005 Vista incompatibilities last Fall.


[12] Vista flaw could haunt Microsoft

Microsoft wants a bigger piece of Oracle and IBM's database business, but an oversight in its new operating system could cost the company plenty.


Recent Techrights' Posts

New XBox Leaks Probably Serve to Confirm XBox's Collapse (Many More Layoffs)
It's very much consistent with what many other sites have reported lately
 
Qualcomm, the New Owner of Arduino, Blasted for Its Software Patents Tax on 'Smartphones'
A lot of Qualcomm's patents are on software. We wrote about this in prior years.
XBox Layoffs Rumours, Downtime, and Criticism From XBox Co-Founder
"everyone is ditching the xbox."
Links 10/10/2025: Honoring The Legacy Of Robert Murray-Smith, Many Articles on the Hey Hi (AI) Bubble
Links for the day
Gemini Links 09/10/2025: October Gothic and Reading Middle Earth Role Playing; C and Ada
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, October 09, 2025
IRC logs for Thursday, October 09, 2025
Links 09/10/2025: Farewell to Jane Goodall, California Bans Algorithmic Price-Fixing
Links for the day
Gemini Links 09/10/2025: Lost Wages and a Saga Of Continuing To Use Palm PDAs
Links for the day
Richard Stallman's Talk in Helsinki is Done. Tomorrow Göteborg.
There are scarce details in Finnish about Dr. Stallman's talk
The Slop Song
The train wreck marches on
LLM Slop/Advanced Plagiarism Flooding the Zone With Capital That Does Not Exist
Many publishers out there still participate in this bubble instead of calling it what it is
Links 09/10/2025: Sacked Microsoft Workers Make "Sackbird", IBM Taps CockroachDB for PostgreSQL
Links for the day
"Happy Hacking Day" Richard Stallman Talk This Afternoon (From 14:00 to 16:00) at Haaga-Helia University in Pasila
Richard Stallman in Helsinki, Finland
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, October 08, 2025
IRC logs for Wednesday, October 08, 2025
Links 09/10/2025: Impact of Microsoft Layoffs, More Data Breaches
Links for the day
Gemini Links 09/10/2025: Autumn Blues and C IRC Bot
Links for the day
Slopwatch Appreciated by Real Authors of GNU/Linux Articles
We do try to keep on top of those things
Upgraded R.R.R.R.R.R. Today
The Web of 2025 is full of garbage, not limited to slopfarms
Freedom From Proprietary Prisons
Forking always an option
IBM's Watson Died in 1956, Now Watson Dies Again
IBM is becoming just a reseller of GAFAM and other stuff
Slopwatch: LinuxSecurity, UbuntuPIT, and Google News
We've also just noticed more slop from UbuntuPIT
Microsoft Says That Constant Mass Layoffs Are Success, the Media Isn't Buying This Microsoft Narrative Anymore
If people in the media feel an obligation to repeat whatever lies Microsoft tells, what point will there be to the media?
Links 08/10/2025: "Mali Puts Free Speech on Trial" And Apple Enforces Dictatorship
Links for the day
Links 08/10/2025: ‘Death to Spotify’ and Law to Ban Loud Commercials on Streaming (Dis)Services
Links for the day
Links 08/10/2025: Real Innovation and Nina.chat is Dead
Links for the day
Links 08/10/2025: Y2K38 Bug is a Vulnerability, Chat Control in Europe a Threat
Links for the day
Microsoft Windows is No Longer an Operating System, It's Surveillance Project
Why is this even legal to preload on PCs outside the US?
How and Why Once-Legitimate Sites Turn Into Slopfarms
Many sites will go offline and many social control networks will shut down once they realise or even openly admit they spend money and time gardening a bunch of bots and slop
UbuntuPIT Became a Slopfarm and Gnoppix Tarnishes Its Own Brand With Slop
It fits all the characteristics of mildly-edited (if at all) slop
Slopwatch: Linux Journal and Other Slopfarms
GAFAM needs to go the way of the dodo
Gemini Links 08/10/2025: "Seek Seek Revolution" and Gradient Backgrounds
Links for the day
Qualcomm Arduino Takes Aim at Raspberry Pi
Qualcomm is a Microsoft partner
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 07, 2025
IRC logs for Tuesday, October 07, 2025
Stagnation of the Economy and What Free Software Can (or Could) Do For It
If your economic model is based on a pyramid of lies, it won't last very long
Social Control Media is Sinking
it would rightly seem like the era of centralised "social" sites (they're not social, they're about controlling the users) is ending, not overnight but gradually