Oracle FAQ Your Portal to the Oracle Knowledge Grid
Home -> Community -> Usenet -> c.d.o.tools -> Re: Microsoft destroys TPC-C records!

Re: Microsoft destroys TPC-C records!

From: <jahorsch_at_my-deja.com>
Date: 2000/03/27
Message-ID: <8bogeo$pto$1@nnrp1.deja.com>#1/1

In article <8beh8c$2emo$1_at_adenine.netfront.net>, Norris <jcheong_at_cooper.com.hk> wrote:
> Yes, you could bash Microsoft for shipping a product with a serious
> bug in MS-SQLServer7.
>
> Without the patch, anyone can run a particular type of
> query using a particular form and gain sa rights, even if he or she
> connected to SQL Server as a regular user. What are the "particulars"
> for running the query? I'm not going to say because it would make life
> easier for a potential hacker. But be warned: If I know how to crack a
> SQL Server without this patch, other people know as well. Apply the
> patch now. (You can find FAQs about this vulnerability and the patch at
> http://www.microsoft.com/technet/security/bulletin/fq00-014.asp.)
>
> In comp.databases.sybase Jerome Lecomte <jlecomte_at_ifrance.com> wrote:
>
> > Nathan Myers page has a very interesting article
> > http://www.cantrip.org/nobugs.html. I personally don't agree with Mr
> > Myers' conclusions. It shows to me that MS targets (at least used to
> > target) broad audience with little expectations about how the software
> > should behave: with respect to bugs in particular. MS is cheaper,
> > but lower quality too. I don't know if they keep coping with this
> > strategy on databases. If yes, I don't know either how much desktop OS
> > users look like database users.
>
> --
> http://www.cooper.com.hk
>

The fix is in sp2 as well. Everything has its holes, but this one was quite a surprise. It can be disabled without the fix.

Received on Mon Mar 27 2000 - 00:00:00 CST
