Typically, when a vulnerability is found in a Microsoft product, you expect it to be patched as quickly as possible. However, a password exposure vulnerability that was found in SQL Server a year ago has yet to be patched, and in fact, Microsoft has no plans to patch the security problem.
A member of database security vendor Sentrigo’s Red Team, a group of security experts who focus on uncovering security problems in database applications, discovered that passwords were being kept unencrypted in memory for specific types of connections in SQL Server. Therefore, anyone with administrator rights can see not only the passwords of other SQL Server users but also the credentials used by applications that access the server with SQL Server authentication. Because most users use the same password for multiple applications, a rogue administrator or an attacker that hacked into the SQL Server system could potentially use these passwords to access more than just SQL Server applications. The vulnerability is found in SQL Server 2008, 2005, and 2000 systems that are running on Windows OSs and using mixed authentication mode.
"It’s security 101: Never have a clear text password anywhere," Sentrigo’s CTO Slavik Markovich told me. "Neither on the wire, or in the memory, or on disk, or anywhere else. With passwords you should usually just hash them in a one-way function, and that’s it, just keep the hash. The password would not be retrievable."
After discovering the vulnerability, Sentrigo’s researchers contacted Microsoft’s Research Center in September of 2008. However, Microsoft responded to the issue by saying that the problem didn’t look like a security issue because you need administrative privileges to exploit it. According to Markovich, Sentrigo was unable to convince Microsoft that this vulnerability was a significant security risk.
"Microsoft has thoroughly investigated claims of vulnerabilities in SQL Server and found that these are not product vulnerabilities requiring Microsoft to issue a security update,” said a Microsoft spokesperson. “As mentioned by the security researchers, in the scenario in question, an attacker would need administrative rights on the target system. An attacker who has administrative rights already has complete control of the system and can install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft recommends that enterprise customers review and implement security measures as discussed in our security guidance and that all users follow our general guidelines to protect their PC."
Sentrigo has released a free tool called Passwordizer that addresses this security risk by erasing the unencrypted passwords. You can even set the tool up to remove passwords from memory automatically in the future. You can download Passwordizer from www.sentrigo.com/passwords.