Posted Jul 11, 2002

New SQL Server 2000 Cumulative Security Patch Available

By Forrest Stroud


Microsoft recently released a cumulative security patch for SQL Server 2000 that includes the functionality of all previously released patches for SQL Server 2000 and additionally eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000. The vulnerabilities are:

  • Unchecked Buffer in Password Encryption Procedure - A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself depending on the account SQL Server runs as.

  • Unchecked Buffer in Bulk Insert Procedure - A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself.

  • Incorrect Permissions on SQL Server Service Account Registry Key - A privilege elevation vulnerability that results from incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who was able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator -- potentially even the same rights as the operating system.

The patch eliminates these vulnerabilities by (1) ensuring that the input buffer in the password encryption function is properly validated, (2) implementing proper checking of the input buffer in the bulk insert procedure, and (3) changing the permissions on the Registry key so that SQL Server cannot change this setting.

Microsoft has issued a moderate severity rating for the patch. The patch can be installed on systems running SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 3 when it's released. These vulnerabilities do not exist on SQL Server 7.0.

Additional information on the SQL Server Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
