Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Links Database Forum

» Database Journal Home
» Database Articles
» Database Tutorials
MS SQL
Oracle
DB2
MS Access
MySQL
» RESOURCES
Database Tools
SQL Scripts & Samples
Links
» Database Forum
» Sitemap
Free Newsletters:
DatabaseDaily  
News Via RSS Feed


follow us on Twitter
Database Journal |DBA Support |SQLCourse |SQLCourse2
 

Featured Database Articles

MS SQL

Posted Apr 22, 2002

New SQL Server 7.0/2000 Buffer Overrun Vulnerability Security Patch

By Forrest Stroud


Microsoft recently released a SQL Server 7.0/2000 security patch for a buffer overrun vulnerability in some SQL extended stored procedure functions. The "SQL Extended Procedure Functions Contain Unchecked Buffers" vulnerability exists due to a common flaw in several of the Microsoft-provided extended stored procedures, in which they fail to perform input validation correctly and are susceptible to buffer overruns as a result.

An attacker could exploit the vulnerability in one of two ways: 1) The attacker could attempt to load and execute a database query that calls one of the affected functions, or 2) If a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.

The patch eliminates the vulnerability by implementing proper checking on the affected extended stored procedures. Microsoft has issued a moderate severity rating for the patch. The SQL Server 7.0 patch can be installed on systems running SQL Server 7.0 Service Pack 3, and the SQL Server 2000 patch can be installed on systems running SQL Server 2000 Service Pack 2.

Additional information on the SQL Server Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-020.asp


» See All Articles by Editor Forrest Stroud




MS SQL Archives

Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 




Latest Forum Threads
MS SQL Forum
Topic By Replies Updated
SQL 2005: SSIS: Error using SQL Server credentials poverty 3 August 17th, 07:43 AM
Need help changing table contents nkawtg 1 August 17th, 03:02 AM
SQL Server Memory confifuration bhosalenarayan 2 August 14th, 05:33 AM
SQL Server Primary Key and a Unique Key katty.jonh 2 July 25th, 10:36 AM