8.16.02. Today Microsoft released a cumulative security patch for SQL Server 7.0 and 2000 that includes the functionality of all previously released patches as well as a patch for a new elevation of priviledge vulerability affecting SQL Server and MSDE. Microsoft has issued a moderate severity rating for the patch.
The new vulnerability exits due to a common flaw in some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account. These procedures have weak permissions that can allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, it is thus possible for a non-privileged user to run stored procedures on the database with administrator privileges.
The vulnerability could make it possible for an attacker to load and execute a database query that calls one of the affected extended store procedures. Alternately, if a Web site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters.
Several mitigating factors for the vulnerability are addressed in the Security Bulletin.
The patch addresses the latest vulnerability by setting permissions on the extended stored procedures in questions such that only administrators can invoke them. The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 3 when it's released.
Additional information on the SQL Server Security Patch (and download links) can be found at:
See All Articles by Editor Forrest Stroud