Second Zero Day Flaw Nails Microsoft In Two Weeks

For the second time in two weeks, Microsoft is rushing to fix a zero-day vulnerability. This time the flaw is in some versions of the software used to run corporate databases.Unlike the patch that recently was released for the zero-day vulnerability that surfaced on Patch Tuesday (12/9), there have been no confirmed attacks against this latest threat. Early reports indicate vulnerable applications include: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine, and Windows Internal Database.

Fortunately, the latest versions -- the more recent Microsoft SQL Server 2008 and Microsoft SQL Server 7.0 Service Pack 4 of SQL -- aren't at risk to this attack.

A potential mitigating factor for this vulnerability is that whether the attacker is local or remote attacker, it must be authenticated to the target system.

Microsoft's advisory for the issue is available here.