Microsoft Corp. today confirmed that it has been working on a critical vulnerability in SQL Server for more than eight months, but declined to say whether it has had a patch ready since September, as an Austrian security researcher has alleged.On Monday, the company warned customers of a bug that could be used to compromise servers running older versions of the database software, which is widely used to power Web sites and applications."Microsoft opened an investigation for this vulnerability in April upon the initial report by the security researcher," said a company spokesman in an e-mail today. "We immediately started an investigation and have been working on this issue since that time," he added.The researcher, Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, went public with details of the vulnerability as well as an exploit code on Dec. 9, apparently after tiring of Microsoft's lack of communication.According to Mueller, who posted findings in an advisory on the SEC Consult site, as well as to prominent security mailing lists, the bug was reported to Microsoft on April 17, 2008, and Microsoft's last message to him was on Sept. 29. After four requests for an update on a patch's status during October and November, Mueller disclosed the vulnerability.Mueller also said that Microsoft had informed him in September that it had completed a fix.
Continue At Source