10.03.02. Microsoft today released a cumulative security patch for SQL Server 7.0 and 2000 that includes the functionality of all previously released patches as well as fixes for four newly discovered vulnerabilities affecting SQL Server and MSDE. Microsoft has issued a critical severity rating for the patch.
Briefly, the new vulnerabilities fixed by the patch are:
- Unchecked Buffer in SQL Server 2000 Authentication Function – A buffer overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated with user authentication that could allow an attacker to either cause the server to fail or gain the ability to overwrite memory on the server, thereby potentially running code on the server in the security context of the SQL Server service.
- Unchecked buffer in Database Console Commands – A buffer overrun vulnerability that occurs in one of the Database Console Commands (DBCCs) that ship as part of SQL Server 7.0 and 2000. In the most serious case, exploiting this vulnerability would enable an attacker to run code in the context of the SQL Server service, thereby giving the attacker complete control over all databases on the server.
- Flaw in Output File Handling for Scheduled Jobs – A vulnerability associated with scheduled jobs in SQL Server 7.0 and 2000, which in certain situations could allow an unprivileged user to submit a job that would create a file containing valid operating system commands in another user’s Startup folder or simply overwrite system files in order to disrupt system operation.
- Change in Operation of SQL Server – The patch also changes the operation of SQL Server to prevent non-administrative users from running ad hoc queries against non-SQL OLEDB data sources. Although the current operation does not represent a security vulnerability per se, the new operation makes it more difficult to misuse poorly coded data providers that might be installed on the server.
Several mitigating factors for the above vulnerabilities are addressed in the Security Bulletin. Additionally, specific details on how the patch eliminates the vulnerabilities can be found in the Frequently Asked Questions of the Security Bulletin.
The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 4 when it’s released.
Additional information on the SQL Server Security Patch (and download links) can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp