Database Journal
Database News

Posted Aug 16, 2002

New SQL Server Cumulative Security Patch Available

By Forrest Stroud


Today Microsoft released a cumulative security patch for SQL Server 7.0 and 2000 that includes the functionality of all previously released patches as well as a patch for a new elevation of privilege vulnerability affecting SQL Server and MSDE. Microsoft has issued a moderate severity rating for the patch.

The new vulnerability exists due to a common flaw in some of the Microsoft-provided extended stored procedures that have the ability to reconnect to the database as the SQL Server service account. These procedures have weak permissions that allow non-privileged users to execute them. Because these extended stored procedures can be made to run with administrator privileges on the database, a non-privileged user can thus run stored procedures on the database with administrator privileges.

The vulnerability could make it possible for an attacker to load and execute a database query that calls one of the affected extended stored procedures. Alternatively, if a Web site or other database front-end were configured to accept and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. Several mitigating factors for the vulnerability are addressed in the Security Bulletin.

The patch addresses the latest vulnerability by setting permissions on the extended stored procedures in question such that only administrators can invoke them. The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 3 when it is released.
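The two paragraphs above describe the root cause (extended stored procedures that reconnect as the service account but are executable by non-privileged users) and the fix (restrict EXECUTE to administrators). The following T-SQL is an added example, not code from the article or from Microsoft's bulletin, that a DBA can use to audit an instance for the same class of weakness: it lists every extended stored procedure in master on which `public` or `guest` holds EXECUTE, then generates the matching REVOKE statements for review. It assumes the SQL Server 2005 and later catalog views (`sys.objects`, `sys.database_permissions`, `sys.database_principals`); on the SQL Server 7.0 and 2000 versions the article covers, the equivalent data lives in `master..sysobjects` (xtype = 'X') and `master..sysprotects`.

```sql
-- Added audit example (assumed SQL Server 2005+ catalog views; not the
-- article's or Microsoft's code). Run in the context of the master
-- database, where the extended stored procedures are registered.
USE master;
GO

-- 1. Extended stored procedures (type 'X') that low-privileged principals
--    can execute. state 'G' = GRANT, 'W' = GRANT WITH GRANT OPTION.
SELECT  QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name) AS xproc,
        pr.name                                                     AS grantee,
        pe.state_desc                                               AS permission_state
FROM    sys.objects              AS o
JOIN    sys.database_permissions AS pe
        ON  pe.major_id = o.object_id
        AND pe.class    = 1                 -- object-level permission
JOIN    sys.database_principals  AS pr
        ON  pr.principal_id = pe.grantee_principal_id
WHERE   o.type             = 'X'            -- extended stored procedure
  AND   pe.permission_name = 'EXECUTE'
  AND   pe.state IN ('G', 'W')
  AND   pr.name  IN ('public', 'guest')
ORDER BY o.name, pr.name;
GO

-- 2. Generate (but do not automatically run) the REVOKE statements that
--    would close each finding. This mirrors what the patch does: once
--    EXECUTE is revoked from public, only sysadmin members, who bypass
--    permission checks, can still invoke the procedure. Review the list
--    before executing it, since applications may depend on some of these
--    procedures being callable.
SELECT  'REVOKE EXECUTE ON '
        + QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name)
        + ' FROM ' + QUOTENAME(pr.name) + ';'                       AS revoke_stmt
FROM    sys.objects              AS o
JOIN    sys.database_permissions AS pe
        ON  pe.major_id = o.object_id
        AND pe.class    = 1
JOIN    sys.database_principals  AS pr
        ON  pr.principal_id = pe.grantee_principal_id
WHERE   o.type             = 'X'
  AND   pe.permission_name = 'EXECUTE'
  AND   pe.state IN ('G', 'W')
  AND   pr.name  IN ('public', 'guest')
ORDER BY o.name, pr.name;
GO
```

The first query is the detection half: an empty result set means no extended stored procedure is exposed to `public` or `guest`. The second query only produces text; copying its output into a new batch and executing it is the deliberate step that applies the same least-privilege posture the bulletin's patch establishes for the affected procedures.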

Additional information on the SQL Server Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp

