Bonum Certa Men Certa

Microsoft SQL Server and DirectX Enable Full Machine Compromise

Network server
Microsoft still the weakest link in networked computing



Summary: Complete systems compromised, all caused by proprietary Microsoft software and APIs

YESTERDAY WE wrote about Windows compromising the national security of the United States. It is now confirmed that a Microsoft component is the culprit. It's not just Windows though; it's apparently Microsoft SQL Server, according to CNET.

Investigators believe an SQL injection attack was used to exploit a vulnerability in Microsoft's SQL Server database in order to gain access to the servers.


How can a database lead to full compromise? It's surely a design problem and we append at the bottom some references of interest, including the fairly recent news about head of Microsoft SQL Server quitting Microsoft.

As Oiaohm put it, "Does MySQL on Linux run as a root user? Not running as root lowers the damage [...] Has happened in the past with old Microsoft SQL worms. [...] We don't know how old [a] Microsoft SQL Server this was."

In CNET, we have also found this report about a DirectX hole which enables the entire system to be compromised. This is madness. How can a proprietary API achieve this? Is it truly as insecure-by-design as ActiveX? Many examples of ActiveX nightmares are accumulated here.

Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.


Marvelous. Why not just stick to open and free APIs like OpenGL? _______ [1] Database head to leave daily duties at Microsoft

Paul Flessner, who leads Microsoft's data storage and platform division, will step down from his daily duties after the new year.


[2] New attack technique threatens databases

A noted database security expert, Litchfield is perhaps best known for uncovering a bug in Microsoft SQL Server database server that was subsequently used by the SQL Slammer worm. Litchfield has long criticised Oracle for the time it takes to fix vulnerabilities in its database software. € 


[3] SQL Injection Attacks on IIS Web Servers

[4] Microsoft offers assistance to combat mass SQL injection

[5] Huge Web Hack Attack Infects 500,000 Pages

One anti-virus vendor said the sites might have been compromised through a "security issue" in Microsoft's Web server software that has been reported to Microsoft's engineers. € 


[6] Study Says Linux More Secure

More than 70 percent people surveyed said they found Red Hat Linux less vulnerable to security issues than Microsoft's operating system.


[7] Study: 70 percent say Red Hat more secure than Windows

[8] Microsoft officially 425 years behind the times

It's not just Excel and Exchange that ignore the Gregorian calendar. The Reg has also confirmed that SQL Server 2008, Windows Small Business Server, and Windows Mobile are ignorant as well. € 


[9] SQL Server 2005 SP1 won't work with Vista

It's no secret that a number of applications, including several of Microsoft?s own, are not going to work properly with Windows Vista when the product ships.


[10] SQL Server 2005 SP2 Critical Update Available

Microsoft is seeking to resolve a technical glitch caused by Service Pack 2. For some installations, cleanup tasks stop prematurely after applying the service pack.

The hotfix, which Microsoft has designated a "critical update," is available for existing SQL Server 2005 installations with Service Pack 2.


[11] Vista-compatible SQL Server 2005 SP2 likely February 19

Microsoft began warning users of SQL Server 2005 Vista incompatibilities last Fall.


[12] Vista flaw could haunt Microsoft

Microsoft wants a bigger piece of Oracle and IBM's database business, but an oversight in its new operating system could cost the company plenty.


Recent Techrights' Posts

A Week After a Worldwide Windows Outage Microsoft is 'Bricking' Windows All On Its Own, Cannot Blame Others Anymore
A look back at a week of lousy press coverage, Microsoft deceit, and lessons to be learned
 
Links 26/07/2024: Tesco Cutbacks and Fake Patent Courts
Links for the day
Links 26/07/2024: Grimy Residue of the 'AI' Bubble and Tensions Around Alaska
Links for the day
Gemini Links 26/07/2024: More Computers and Tilde Hosting
Links for the day
Links 26/07/2024: "AI" Hype Debunked and Elon Musk's "X" Already Spreads Political Disinformation
Links for the day
"Why you boss is insatiably horny for firing you and replacing you with software."
Ask McDonalds how this "AI" nonsense with IBM worked out for them
No Olympics
We really need to focus on real news
Nobody Holds the GNOME Foundation Accountable (Not Even IRS), It's Governed by Lawyers, Not Geeks, and Headed by a Shaman Crank
GNOME is a deeply oppressive institutions that eats its own
[Meme] The 'Modern' Web and 'Linux' Foundation Reinforcing Monopolies and Cementing centralisation
They don't care about the users and issuing a few bytes with random characters costs them next to nothing. It gives them control over billions of human beings.
'Boiling the Frog' or How Online Certificate Status Protocol (OCSP) is Being Abandoned at Short Notice by Let's Encrypt
This isn't a lack of foresight but planned obsolescence
When the LLM Bubble Implodes Completely Microsoft Will be 'Finished'
Excuses like, "it's not ready yet" or "we'll fix it" won't pass muster
"An escalator can never break: it can only become stairs"
The lesson of this story is, if you do evil things, bad things will come your way. So don't do evil things.
When Wikileaks Was Still Primarily a Wiki
less than 14 years ago the international media based its war journalism on what Wikileaks had published
The Free Software Foundation Speaks Out Against Microsoft
the problem is bigger than Microsoft and in the long run - seeing Microsoft's demise - we'll need to emphasise Software Freedom
IRC Proceedings: Thursday, July 25, 2024
IRC logs for Thursday, July 25, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Links 26/07/2024: E-mail on OpenBSD and Emacs Fun
Links for the day
Links 25/07/2024: Talks of Increased Pension Age and Biden Explains Dropping Out
Links for the day
Links 25/07/2024: Paul Watson, Kernel Bug, and Taskwarrior
Links for the day
[Meme] Microsoft's "Dinobabies" Not Amused
a slur that comes from Microsoft's friends at IBM
Flashback: Microsoft Enslaves Black People (Modern Slavery) for Profit, or Even for Losses (Still Sinking in Debt Due to LLMs' Failure)
"Paid Kenyan Workers Less Than $2 Per Hour"
From Lion to Lamb: Microsoft Fell From 100% to 13% in Somalia (Lowest Since 2017)
If even one media outlet told you in 2010 that Microsoft would fall from 100% (of Web requests) to about 1 in 8 Web requests, you'd probably struggle to believe it
Microsoft Windows Became Rare in Antarctica
Antarctica's Web stats still near 0% for Windows
Links 25/07/2024: YouTube's Financial Problem (Even After Mass Layoffs), Journalists Bemoan Bogus YouTube Takedown Demands
Links for the day
Gemini Now 70 Capsules Short of 4,000 and Let's Encrypt Sinks Below 100 (Capsules) as Self-Signed Leaps to 91%
The "gopher with encryption" protocol is getting more widely used and more independent from GAFAM
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 24, 2024
IRC logs for Wednesday, July 24, 2024
Techrights Statement on YouTube
YouTube is a dying platform
[Video] Julian Assange on the Right to Know
Publishing facts is spun as "espionage" by the US government and "treason" by the Russian government, to give two notable examples
Links 25/07/2024: Tesla's 45% Profit Drop, Humble Games Employees All Laid Off
Links for the day
Gemini Links 25/07/2024: Losing Grip and collapseOS
Links for the day
LWN (Earlier This Week) is GAFAM Openwashing Amplified
Such propaganda and openwashing make one wonder...
Open Source Initiative (OSI) Blog: Microsoft Operatives Promoting Proprietary Software for Microsoft
This is corruption
Libre-SOC Insiders Explain How Libre-SOC and Funding for Libre-SOC (From NLNet) Got 'Hijacked' or Seized
One worked alongside my colleagues and I in 2011
Why We're Revealing the Ugly Story of What Happened at Libre-SOC
Aside from the fact that some details are public already
Removing the Lid Off of 'Cancel Culture' (in Tech) and Shutting It Down by Illuminating the Tactics and Key Perpetrators
Corporate militants disguised as "good manners"
FSF, Which Pioneered GNU/Linux Development, Needs 32 More New Members in 2.5 Days
To meet the goal of a roughly month-long campaign
Lupa Statistics, Based on Crawling Geminispace, Will Soon Exceed Scope of 4,000 Capsules
Capsules or unique capsules or online capsules are in the thousands and growing
Links 24/07/2024: Many New Attacks on Journalists, "Private Companies Own The Law"
Links for the day
Gemini Links 24/07/2024: Face à Gaïa, Emacs Timers for Weekly Event, Chromebook Survives Water Torture
Links for the day
Why Virtually All the Wikileaks Copycats, Forks, and Rivals Basically Perished
Cryptome is like the "grandpa" of them all
A Total Lack of Transparency: Open and Free Technology Community (OFTC) Fails to Explain Why Over 60% of Users Are Gone (Since a Week Ago)
IRC giants have fallen
In the United Kingdom Google Search Rises to All-Time High, Microsoft Fell Nearly 1.5% Since the LLM Hype Began
Microsoft is going to need actual products or it will gradually vanish from the market
Trying to Put Out the Fire at Microsoft
Microsoft is drowning in debt while laying off loads of staff, hoping it can turn things around
GNU/Linux Growing at Vista 11's Expense
it's tempting to deduce many people who got PCs with Vista 11 preinstalled are deleting it, only to replace it with GNU/Linux
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 23, 2024
IRC logs for Tuesday, July 23, 2024