Microsoft as Issued a warning on a new Vulnerability for:
Microsoft Security Advisory (KB961040)
[ad#ad2-right]Vulnerability in SQL Server Could Allow Remote Code Execution
Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.
[Via Technet]
[ad#ad2-left]The workaround for the people who use the servers are to deny access to sp_replwritetovarbin and only should be done by system admins. Microsoft will probably issue a patch on the next coming next Patch Tuesday unless they hear of anything in the wild. This does not look to affect anyone who uses Windows XP Home edition or Vista Home edition just people who has a Microsoft server and use SQL. It also seem to be CVE-2008-4270 in the Common Vulnerabilities and Exposure database. If I find out more I’ll let you know.
