Bonum Certa Men Certa

Microsoft SQL Server and DirectX Enable Full Machine Compromise

Network server
Microsoft still the weakest link in networked computing



Summary: Complete systems compromised, all caused by proprietary Microsoft software and APIs

YESTERDAY WE wrote about Windows compromising the national security of the United States. It is now confirmed that a Microsoft component is the culprit. It's not just Windows though; it's apparently Microsoft SQL Server, according to CNET.

Investigators believe an SQL injection attack was used to exploit a vulnerability in Microsoft's SQL Server database in order to gain access to the servers.


How can a database lead to full compromise? It's surely a design problem and we append at the bottom some references of interest, including the fairly recent news about head of Microsoft SQL Server quitting Microsoft.

As Oiaohm put it, "Does MySQL on Linux run as a root user? Not running as root lowers the damage [...] Has happened in the past with old Microsoft SQL worms. [...] We don't know how old [a] Microsoft SQL Server this was."

In CNET, we have also found this report about a DirectX hole which enables the entire system to be compromised. This is madness. How can a proprietary API achieve this? Is it truly as insecure-by-design as ActiveX? Many examples of ActiveX nightmares are accumulated here.

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.


Marvelous. Why not just stick to open and free APIs like OpenGL? _______ [1] Database head to leave daily duties at Microsoft

Paul Flessner, who leads Microsoft's data storage and platform division, will step down from his daily duties after the new year.


[2] New attack technique threatens databases

A noted database security expert, Litchfield is perhaps best known for uncovering a bug in Microsoft SQL Server database server that was subsequently used by the SQL Slammer worm. Litchfield has long criticised Oracle for the time it takes to fix vulnerabilities in its database software. € 


[3] SQL Injection Attacks on IIS Web Servers

[4] Microsoft offers assistance to combat mass SQL injection

[5] Huge Web Hack Attack Infects 500,000 Pages

One anti-virus vendor said the sites might have been compromised through a "security issue" in Microsoft's Web server software that has been reported to Microsoft's engineers. € 


[6] Study Says Linux More Secure

More than 70 percent people surveyed said they found Red Hat Linux less vulnerable to security issues than Microsoft's operating system.


[7] Study: 70 percent say Red Hat more secure than Windows

[8] Microsoft officially 425 years behind the times

It's not just Excel and Exchange that ignore the Gregorian calendar. The Reg has also confirmed that SQL Server 2008, Windows Small Business Server, and Windows Mobile are ignorant as well. € 


[9] SQL Server 2005 SP1 won't work with Vista

It's no secret that a number of applications, including several of Microsoft?s own, are not going to work properly with Windows Vista when the product ships.


[10] SQL Server 2005 SP2 Critical Update Available

Microsoft is seeking to resolve a technical glitch caused by Service Pack 2. For some installations, cleanup tasks stop prematurely after applying the service pack.

The hotfix, which Microsoft has designated a "critical update," is available for existing SQL Server 2005 installations with Service Pack 2.


[11] Vista-compatible SQL Server 2005 SP2 likely February 19

Microsoft began warning users of SQL Server 2005 Vista incompatibilities last Fall.


[12] Vista flaw could haunt Microsoft

Microsoft wants a bigger piece of Oracle and IBM's database business, but an oversight in its new operating system could cost the company plenty.


Recent Techrights' Posts

There Are Days or Occasions Where gemini:// Requests Almost Exceed http(s):// and Gemini Protocol Isn't Even 6 Yet
Gemini Protocol turns 6 one month from now
 
TheLayoff.com Has Begun Deleting Trolls/AstroTurfers Infesting the IBM Section to Discourage On-Topic Discussion About Culls and Maladministration (Bad Strategy)
Moderators have realised there's a problem
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, May 18, 2025
IRC logs for Sunday, May 18, 2025
Gemini Links 18/05/2025: Five Years on Gemini and Atom Feeds over Gopher
Links for the day
Links 18/05/2025: F.D.A. More Sceptical of COVID-19 Vaccines, UK Charges 3 Iranian Nationals In Alleged Attack Plot Against Journalists
Links for the day
Gemini Links 18/05/2025: "Finally Upgraded" and "Rebooting"
Links for the day
Abundance of Good Code, "Just Like Air."
Richard Stallman's seminal manifesto and foundational (practical) work on GNU gave us a very solid system that facilitates productive work without concerns over spyware
Messages in TheLayoff.com Drowned Out by LLM Slop (Comments Focused on Replying to Bot-Generated Provocation)
apparently shaking hands with nazis isn't as bad as calling your git repository's main branch "master"
The Importance of Full Disclosure and Transparency Online
there will be full transparency, as always
Slopwatch: Slopfarms and Serial Sloppers Still at It
Apparently Google is too understaffed to figure that out
Links 18/05/2025: Decreased Prospects of Science Careers, Disappearance of Journalists
Links for the day
Microsofters Have a Long History Trying to Take Down Techrights by Sending Threats to Webhosts
picking on women
Links 18/05/2025: Science, Censorship and European Commission Taking on Monopoly Abuse by Microsoft
Links for the day
Gemini Links 18/05/2025: Šibenik and SFJAZZ Historical Archive
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, May 17, 2025
IRC logs for Saturday, May 17, 2025
Links 17/05/2025: Microsoft Kills "Surface Laptop Studio" (More Canceled Products/Units), Groups Caution About Harms of Social Control Media
Links for the day
Gemini Links 17/05/2025: Sympathy Algorithm and SSH on Alternative Ports
Links for the day
Inviting the Founder of GNU/Linux to Events (It Only Costs His Travel Expenses) and Recalling the True Origins
It's reassuring to see belated recognition
Slopwatch: Microsoft's Anti-Linux Propaganda and Cover-up, Slopfarms Clogging Up Google News
slop-tracking activities that observe googlebombing of "Linux"
AstroTurfing by IBM in thelayoff.com is Highly Risky (and Likely Outsourced)
Microsoft did this in Reddit (and got caught), so why won't IBM too?
Links 17/05/2025: Stabber of Salman Rushdie Sentenced to 25 Years in Prison
Links for the day
The Microsofters Have Just Shared Privileged Trial Data With Microsoft
There are serious ramifications for liability accountability as Microsoft salaries sponsor these SLAPPs
Trolls With LLM Slop Are Disrupting Communications About Mass Layoffs at IBM
LLM slop to drown out the signal
Gemini Links 17/05/2025: Happier on Gemini and Manipulating Reddit
Links for the day
ComEd and Microsoft: A Mess of Spaghetti Held Together By Circus Clowns
Reprinted with permission from Ryan Farmer
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 16, 2025
IRC logs for Friday, May 16, 2025