Anyone who can code a buffer overflow exploit will have no difficulties here. And, of course, when these programs reach the script kiddie community, then anyone who hasn't patched or firewalled themselves will be at considerable risk. This could be a target for the next big Internet worm.

Should people drop what they are doing and patch this right away?
In an ideal world everyone would drop everything and apply this patch, but the reality of the situation is that this is just not feasible. Many organizations require a testing period before applying a patch to production systems - for fear it will break their applications. This is understandable, but I would urge security and database administrators not to linger with this one. In the interim I'd suggest that administrators set a rule on their firewall such that all packets bound for UDP port 1434 on the SQL Server be dropped - regardless of where the packet seemed to originate from and whatever its source port.

How does this compare with past vulnerabilities in SQL Server?
This, to my knowledge, is the first unauthenticated vulnerability that allows an attacker to take complete control. Other SQL Server vulnerabilities require the attacker to be able to log on, in some fashion. This may either be done directly, or through SQL Injection via a Web-based application.

Why is it so important to move quickly?
Here's why this is important. Let's say someone
This is a very high risk problem. It's the most severe issue SQL Server has seen. An attacker with no user ID or password can send a single UDP packet to the server and gain complete control.

How would a user know if they have this vulnerability?
If they're running SQL Server 2000 and they haven't applied the patch, then they will be vulnerable. Although the Microsoft bulletin neglected to say so, MSDE2000 is also vulnerable to this issue. As MSDE2000 is installed with Visual Studio .NET, anyone who has this on their system may be vulnerable and not know it.
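The interim firewall rule described in the interview (drop everything bound for UDP port 1434 on the SQL Server, whatever the source address or source port) is only useful if it is actually in effect. The following script is an added example, not part of the interview or of any vendor's tooling: it runs over firewall log lines in a constructed, generic `key=value` format (an assumption, not a real product's syntax) and reports any inbound UDP/1434 packet to a listed SQL Server host that the firewall accepted rather than dropped.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed generic firewall format.
# 192.0.2.10 is the hypothetical SQL Server host; the other addresses
# are documentation ranges, not real sources.
SAMPLE_LOG = """\
2003-01-25T05:30:01Z fw1 action=drop proto=udp src=203.0.113.7:1434 dst=192.0.2.10:1434
2003-01-25T05:30:02Z fw1 action=accept proto=udp src=203.0.113.7:1434 dst=192.0.2.10:1434
2003-01-25T05:30:03Z fw1 action=accept proto=udp src=198.51.100.9:40321 dst=192.0.2.10:1434
2003-01-25T05:30:04Z fw1 action=accept proto=tcp src=198.51.100.9:40322 dst=192.0.2.10:1433
2003-01-25T05:30:05Z fw1 action=accept proto=udp src=192.0.2.10:1434 dst=198.51.100.9:40321
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_unblocked_udp1434(log_text, sql_hosts):
    """Return {source_ip: count} for UDP packets to port 1434 on any host in
    sql_hosts that the firewall accepted. The source port is deliberately
    ignored: the rule is supposed to drop these packets whatever port they
    come from, so a packet from source port 1434 counts just like one from
    an ephemeral port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        f = m.groupdict()
        if (f["action"] == "accept" and f["proto"] == "udp"
                and f["dport"] == "1434" and f["dst"] in sql_hosts):
            hits[f["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    # Expected: both the source-port-1434 and the ephemeral-port packet are
    # flagged; the dropped packet, the TCP/1433 packet and the outbound
    # reply are not.
    print(find_unblocked_udp1434(SAMPLE_LOG, {"192.0.2.10"}))
```

An empty result over a log window that is known to contain inbound UDP/1434 traffic is the evidence that the interim rule is doing its job; any non-empty result names the sources whose packets got through.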