http://www.databasejournal.com/news/article.php/1483231/New-Elevation-of-Privileges-SQL-Server-Security-Patch-Available.htm

Back to article

New Elevation of Privileges SQL Server Security Patch Available

October 17, 2002


10.16.02.  Microsoft late tonight released a new security patch for SQL Server 7.0 and 2000. Microsoft has issued a critical severity rating for the "Elevation of Privilege in SQL Server web Tasks" cumulative patch.

The new security threat is an elevation of privilege vulnerability that occurs in a Microsoft-provided stored procedure, one extended stored procedure and weak permissions on a table. The vulnerability makes it possible for an attacker to execute a SQL Server stored procedure that could run web tasks. Since anyone who could authenticate to the SQL Server could run this stored procedure, it is possible for an attacker to run previously stored web tasks in the context of the person who created them, thereby potentially elevating his or her privileges.

Mitigating factors for the newly discovered vulnerability include:

  • It is necessary to be an authenticated user of the SQL Server
  • Exploiting this vulnerability could allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges
  • The attacked database must support the use of web tasks and the tasks have to first exist in order to be exploited

The patch eliminates the vulnerability by assigning proper permissions on the stored procedure for running web tasks. The patch also locks down permissions on the table that stores information about web tasks.

In addition to eliminating the elevation of privilege vulnerability, this cumulative patch includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 3 when it's released.

Additional information on the SQL Server Security Patch (and download links) can be found at:
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp


» See All Articles by Editor Forrest Stroud









The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Microsoft Whitepaper: Top 10 Reasons to Upgrade to Windows Server 2008 R2
Articles: Build a More Agile Business with IBM
IBM Articles: Virtualization Delivers a Dynamic Infrastructure
Articles: IBM Offers Enhanced Measurement and Management for Energy Usage
Articles: IBM Helps Transformation to an Information-Based Enterprise
Microsoft Articles: Visual Studio 2010
Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT
Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

SAP Webcast: Crystal Reports Server--Do More. Spend Less.
Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
 SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports
IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2
Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK
 Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Microsoft Demo: Lower Costs with the SQL Server 2008 Value Calculator
Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
 All About Botnets
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES