Microsoft confirms it's been working on SQL bug since April

24.12.2008

Kandek believes that a SQL Server patch will present more problems for companies than they faced with the IE fix. "Patch deployment will be slow," he said. "SQL [Server] is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles before any such fix can be deployed."

In lieu of a patch, Microsoft has urged users to deny permissions to the SQL procedure that can be used to trigger the bug. Yesterday, it updated that recommendation by posting a Visual Basic script which, when run, automates the workaround. "Essentially, the script iterates through the running instances of SQL Server and denies execute permissions on 'sp_replwritetovarbin' to 'public' on all the affected versions," said a Microsoft spokesman in a blog entry.

A document added yesterday to Microsoft's support database provides the script and instructions on how to use it.
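The workaround the article describes, expressed as the T-SQL an administrator would run against one instance, with a catalog query to confirm the change took effect. This is an added example, not Microsoft's script or the text of the support document; it assumes the procedure lives in the master database under the dbo schema and that the instance exposes the SQL Server 2005-style catalog views (sys.database_permissions, sys.objects, sys.database_principals), which SQL Server 2000 does not have.

```sql
-- Added example (not Microsoft's published script). Assumes SQL Server 2005+ catalog views.
USE master;
GO

-- The mitigation quoted in the article: strip execute rights on the
-- procedure from the 'public' role, which every login belongs to.
DENY EXECUTE ON dbo.sp_replwritetovarbin TO public;
GO

-- Verification: list the explicit permission entries recorded on the procedure.
-- After the DENY above, this should return a row with
--   principal_name = 'public', permission_name = 'EXECUTE', state_desc = 'DENY'.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.objects             AS o  ON pe.major_id = o.object_id
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE o.name = N'sp_replwritetovarbin';
GO
```

Because the DENY is a server-wide configuration change rather than a code fix, it is worth running first on a non-production instance that mirrors the affected applications, in line with the testing cycles Kandek mentions; the verification query can then be reused on each production instance after the change is rolled out.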

Qualys' Kandek urged users to heed Microsoft's warnings.

"The potential exists for leakage of private data and major disruptions in critical SQL [Server-] driven applications, such as e-commerce and human resources," he said. "A smart attacker can easily pair this exploit with another attack mechanism such as phishing to get behind the corporate firewalls and then attack all accessible SQL Server installations."