There was a flutter of headlines this week about a new threat to SQL Server 2012 and SQL Server 2014, a backdoor dubbed skip-2.0. It was reported to give an attacker a "magic password" that logs in to any account on the instance. Of course the headlines made this sound really bad, and the image of thousands of DBAs rushing to patch SQL Server came to mind.
After reading over the many headlines, it quickly became clear that this threat isn't as big a deal as they made it out to be. While skip-2.0 does target SQL Server 2012 and SQL Server 2014, it is not an exploit against an unpatched bug: to install the backdoor, the attacker must already hold administrative privileges on the server. If an attacker has already gotten to that point, things are already really bad for you.
It is reported that a cyber-espionage group out of China, the Winnti Group, is responsible. As of now, there are no reports of it being used against an organization.
What should you be doing or how can you protect against this?
- Stay current: patch your servers, both the OS and SQL Server
- Run vulnerability scans for known misconfigurations, using SQL Vulnerability Assessment (built into SSMS and Azure SQL) or third-party tools
- Audit your servers and environments for suspicious activity: unexpected privileged logins, unknown modules loaded into the SQL Server process, and sysadmin membership you did not grant
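The three recommendations above, as a T-SQL checklist a DBA can run in SSMS. This is an added example, not code from the original post or from any vendor write-up; it runs as sysadmin against a single instance and uses only documented DMVs and system views. The host names in the "expected" list are placeholders to replace with your own.

```sql
-- Added example (not from the original post): audit checklist for one instance.
-- Run in SSMS as sysadmin. Host names in the expected list are placeholders.

-- 1. Patch level. Compare product_version with the latest CU/GDR build Microsoft
--    publishes for your branch. ProductUpdateLevel returns NULL on builds that
--    predate the property, so do not treat NULL as "unpatched".
SELECT  SERVERPROPERTY('ProductVersion')     AS product_version,
        SERVERPROPERTY('ProductLevel')       AS product_level,   -- RTM / SPn
        SERVERPROPERTY('ProductUpdateLevel') AS update_level,    -- CUn or NULL
        SERVERPROPERTY('Edition')            AS edition;

-- 2. DLLs loaded into the sqlservr.exe process. A backdoor injected into the
--    process appears here as a module with no Microsoft company string, but so
--    do legitimate agents (antivirus, backup, monitoring), so review rather than
--    alert blindly. A hook that only patches sqllang.dll in memory will NOT
--    show up as a separate module in this list.
SELECT  name, company, description, file_version, patched, debug
FROM    sys.dm_os_loaded_modules
WHERE   company IS NULL
   OR   company NOT LIKE 'Microsoft%'
ORDER BY name;

-- 3. Live sessions. The backdoor is described as suppressing logging for its own
--    connections, so a point-in-time look at what is connected right now
--    complements the audit log: flag user sessions from hosts you do not expect
--    and show whether the login is sysadmin.
DECLARE @expected_hosts TABLE (host_name sysname NOT NULL);
INSERT INTO @expected_hosts (host_name)
VALUES (N'APP01'), (N'APP02'), (N'DBA-WS');          -- placeholders, replace

SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.client_net_address,
        s.login_time,
        IS_SRVROLEMEMBER('sysadmin', s.login_name) AS is_sysadmin
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
  AND   ISNULL(s.host_name, N'') NOT IN (SELECT host_name FROM @expected_hosts)
ORDER BY s.login_time;

-- 4. Who holds sysadmin at all. A member you did not grant, or a recent
--    modify_date you cannot match to a change record, is worth a closer look.
SELECT  p.name, p.type_desc, p.create_date, p.modify_date
FROM    sys.server_principals AS p
WHERE   p.type IN ('S', 'U', 'G')                    -- SQL login, Windows login, Windows group
  AND   IS_SRVROLEMEMBER('sysadmin', p.name) = 1
ORDER BY p.modify_date DESC;
```

Schedule the script (or the equivalent checks in your monitoring tool) rather than running it once: the value is in comparing today's module list and sysadmin membership against yesterday's. None of these queries detects a host that was already taken over at the OS level, which is the precondition for skip-2.0 in the first place; they are the SQL Server side of a broader host audit.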
Skip-2.0 is just a reminder to organizations to keep their eyes open. Everyone should be keeping up with patching and securing their environments. Since skip-2.0 can only be planted on a server that is already compromised, the practical things DBAs can do are keep their systems patched, limit who holds administrative access, and watch for the signs of that prior compromise.