Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Public row developing between Sentrigo and Microsoft

The spat started developing last week when Sentrigo announced it had discovered a significant vulnerability in Microsoft SQL Server, that potentially allows any user with administrative privileges to openly see the unencrypted passwords of other users - or the credentials presented by applications accessing the server using SQL Server authentication.

At the time, Sentrigo said that, in order to ensure all SQL Server users are able to quickly protect their systems, it had released a free utility to erase these passwords, which can be downloaded starting today from the company's website.

Since Microsoft SQL Server saves its login passwords to memory in plain text, Sentrigo said they can be read by administrators.

The problem is made worse, according to Sentrigo, because IT users often use the same password for different computer systems.

Microsoft has confirmed the SQL Server security flaw, but has said in forum postings that an attacker must have administrator access to the system in order to be able to read from memory.

And if they have admin level privileges, Microsoft argued, the hacker has full system access. For this reason, the software giant said that the security issue is not a flaw.

Heise Online, the German IT newswire, noted that if an administrator's password has been stolen or cracked - perhaps via an SQL injection attack - then non-administrators may also be able to get hold of these passwords.

"In Sentrigo's opinion, for an administrator, be he good or bad, to be able to view passwords is anyway a contravention of standard security best practice", the newswire said.

"(Sentrigo) also notes that companies frequently have in place a role and privileges concept which forbids or prevents administrators from doing this. Most applications store passwords as hashes both on the hard drive and in memory."

 

What’s Hot on Infosecurity Magazine?