Bugtraq mailing list archives

Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vuln


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 Aug 2000 10:38:38 +1200

Russ asked:

Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
the same authentication basis? Was the installation performed by
"__nt__ () ANONYMOUS TO" botched by telling it to use normal SA authentication
instead?

The first sentence on the Tumbleweed page announcing the patch says:

   There is a security flaw in MMS's handling of the 'sa' account
   password in MMS Releases 4.3, 4.5 and 4.6.

The patch instruction DOC downloadable from the same Tumbleweed page
starts:

   The MMS product includes MSDE, a subset of MSSQL 7.0.
   By default, the MMS installer leaves the SA password blank.

So, if you install the product as designed (and "intended") by its
developer, you end up vulnerable.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
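An added audit-and-fix script for the blank-SA default the patch document describes; it is not from Nick's post or from Tumbleweed. It assumes the SQL Server 7.0-era catalog that MSDE shares with MSSQL (master..syslogins stores NULL for a blank password, isntname = 0 marks SQL-authenticated logins) and that sp_password is available; the new password value is a placeholder.

```sql
-- Added example (not from the post, Tumbleweed or Microsoft): detect and
-- remediate a blank 'sa' password on the MSDE instance that MMS installs.
-- Assumption: SQL Server 7.0-era catalog layout, where master..syslogins
-- exposes a NULL password for blank-password logins and isntname = 0
-- marks logins that use SQL (not Windows) authentication.
USE master
GO

-- 1. List every SQL-authenticated login with a blank password.
--    'sa' appearing here is the exact condition the advisory describes.
SELECT name,
       CASE WHEN name = 'sa' THEN 'CRITICAL' ELSE 'WARNING' END AS severity
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO

-- 2. Set a password for 'sa'. The first argument is the old password
--    (NULL for a blank one); replace the placeholder with a strong,
--    unique value that is not stored in this script.
EXEC sp_password NULL, '<replace-with-strong-password>', 'sa'
GO

-- 3. Re-run the audit; 'sa' must no longer be listed.
SELECT name
FROM   master..syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO
```

Run it on the MMS host as a local administrator after applying the Tumbleweed patch, and keep step 1 in a recurring baseline check so a reinstall or upgrade that restores the default is caught.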
