Last week saw the release of a number of security patches from Microsoft. It seemed that every few minutes on Tuesday I was getting another patch notification from Secunia, and there was a lot of data entry to load those into the Database Weekly newsletter. None of these patches were for SQL Server specifically, but they did address a number of Microsoft technologies that might impact a SQL Server installation, like .NET and Excel, and one that was for the XML editor and should be applied to SQL Server 2005 and above. The full list from TechNet is available in the June Security Bulletin.
That's kind of cool since SQL Server 2008 shows only this vulnerability for 2011, none in 2010, none in 2009, and none in 2008. Despite a number of patches for various subsystems and bugs in SQL Server 2008, there haven't been any security issues, which speaks to the strong engineering effort taking place in Redmond. Make sure you give the developers some kudos when you run into any of them.
Just last week I was also reading a note about a court decision involving a bank and their security. The decision has some good implications for data professionals in that it doesn't appear to require the "best" security for a vendor offering a service, but it does mean that we need to be vigilant ourselves.
The company that lost money and sued the bank had a trojan or malware of some sort on their computers, which apparently was used to gain the user credentials. While many IT people tend to be more aware and diligent in patching their systems, business people often aren't. So while you might be happy that your SQL Server is patched, are your clients? Do you have any of those people that use Excel heavily and are prone to clicking on unknown links?
As much as I wish the state of computer security were better, and we could trust more people, we can't. Hackers are here to stay, and not just for profit. Some of them might attack you just for fun.
Steve Jones