Sentrigo, a database security software company, has discovered a flaw in Microsoft SQL Server that allows any user with administrative privileges to read the unencrypted passwords of all other users. The passwords are exposed when applications access the server using SQL Server authentication.
You might argue that once a hacker has gained administrative access to your servers you are in deep shit anyway.
But as you might also know, most people use the same password everywhere, so a hacker gaining access AND getting the passwords of everybody in your company might make matters a lot worse.
Adding insult to injury, Microsoft has indicated that they do not intend to address the vulnerability at this time.
The kind people at Sentrigo have therefore released a free software utility to allow users to protect their systems. This came after they warned Microsoft and asked for a fix, and got a friendly reply informing them that Microsoft wasn't going to do anything.
If you are using mixed authentication mode (“SQL Server & Windows Authentication Mode”) you are vulnerable. Affected versions are SQL Server 2000, 2005, and 2008, running on all supported Windows platforms.
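To find out whether this applies to your own servers, the following audit query is an added example (not from the original post or from Sentrigo). It assumes SQL Server 2005 or later, since it uses the `sys.sql_logins` catalog view and the `sys.dm_exec_connections` DMV, which do not exist on SQL Server 2000. It reports the authentication mode, the SQL-authenticated logins that exist, and which current connections actually arrived over SQL Server authentication, i.e. the sessions whose passwords the post says are exposed to an administrator.

```sql
-- 1. Authentication mode of the instance.
--    1 = Windows Authentication only (not affected by the issue described above)
--    0 = mixed mode ("SQL Server & Windows Authentication Mode"), i.e. vulnerable
SELECT
    CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
        WHEN 1 THEN 'Windows Authentication only'
        ELSE        'Mixed mode (SQL Server & Windows Authentication) - affected'
    END AS authentication_mode;

-- 2. Every SQL Server-authenticated login that exists on the instance.
--    Each of these is a password that could be exposed; disabled logins
--    cannot open new sessions, so they are listed separately.
SELECT
    name                                    AS sql_login,
    CASE WHEN is_disabled = 1 THEN 'disabled' ELSE 'enabled' END AS state,
    create_date,
    modify_date
FROM sys.sql_logins
ORDER BY is_disabled, name;

-- 3. Live connections that authenticated with SQL Server authentication
--    (auth_scheme = 'SQL'), as opposed to NTLM or KERBEROS. Join to the
--    session table to see which login and application opened them; these
--    are the applications you would want to migrate to Windows Authentication.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.auth_scheme,
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.auth_scheme = 'SQL'
ORDER BY c.connect_time;
```

Running this requires the VIEW SERVER STATE permission for the DMV query. If the first query reports mixed mode and the third returns rows, those are the applications whose connection strings would need to change before the instance can be switched to Windows Authentication only; the second query shows how many SQL logins (and therefore passwords) are at stake in the meantime.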