Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Links Database Forum

» Database Journal Home
» Database Articles
» Database Tutorials
MS SQL
Oracle
DB2
MS Access
MySQL
» RESOURCES
Database Tools
SQL Scripts & Samples
Links
» Database Forum
» Sitemap
Free Newsletters:
DatabaseDaily  
News Via RSS Feed


follow us on Twitter
Database Journal |DBA Support |SQLCourse |SQLCourse2
 

Featured Database Articles

Database News

Posted Oct 3, 2002

New SQL Server Cumulative Security Patch Available

By Forrest Stroud


10.03.02.  Microsoft today released a cumulative security patch for SQL Server 7.0 and 2000 that includes the functionality of all previously released patches as well as fixes for four newly discovered vulnerabilities affecting SQL Server and MSDE. Microsoft has issued a critical severity rating for the patch.

Briefly, the new vulnerabilities fixed by the patch are:

  • Unchecked Buffer in SQL Server 2000 Authentication Function - A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated with user authentication that could allow an attacker to either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service.

  • Unchecked buffer in Database Console Commands - A buffer overrun vulnerability that occurs in one of the Database Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.

  • Flaw in Output File Handling for Scheduled Jobs - A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000, which in certain situations could allow an unprivileged user to submit a job that would create a file containing valid operating system commands in another user's Startup folder or simply overwrite system files in order to disrupt system operation.

  • Change in Operation of SQL Server - The patch also changes the operation of SQL Server to prevent non-administrative users from running ad hoc queries against non-SQL OLEDB data sources. Although the current operation does not represent a security vulnerability per se, the new operation makes it more difficult to misuse poorly coded data providers that might be installed on the server.
Several mitigating factors for the above vulnerabilities are addressed in the Security Bulletin. Additionally, specific details on how the patch eliminates the vulnerabilities can be found in the Frequently Asked Questions of the Security Bulletin.

The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 4 when it's released.

Additional information on the SQL Server Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp


» See All Articles by Editor Forrest Stroud




Database News Archives

Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 




Latest Forum Threads
Database News Forum
Topic By Replies Updated
Efficient SQL Server Indexing by Design lcole 0 April 30th, 12:38 PM
Mine Oracle Database, SQL Server and Other Databases with Monarch Data Pump Pro V10.5 lcole 0 April 30th, 12:37 PM
Oracle Database and Oracle Fusion Middleware for Private Social Network Application lcole 0 April 30th, 12:31 PM
Oracle Database Maintains a Stronghold in the DBMS Market lcole 0 April 30th, 12:30 PM


















Thanks for your registration, follow us on our social networks to keep up-to-date