New Security Patch for SQLXML Released

June 17, 2002

Microsoft recently released a SQLXML security patch for an unchecked buffer vulnerability, the most serious of which could run code of attacker's choice. SQLXML version 1 ships as part of SQL Server 2000, while SQLXML versions 2 and 3 are available for download separately. All three versions of SQLXML are affected by the vulnerability; version 1, however, is no longer supported, so users need to upgrade to one of the later two versions. System administrators who have enabled any version of SQLXML and enabled data queries over HTTP should install the patch immediately. The patch has been given a Moderate severity rating by Microsoft.

The "Unchecked Buffer in SQLXML Could Lead to Code Execution" vulnerability exists in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server. A second vulnerability, "Script Injection via XML Tag", exists in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege.

There are a number of mitigating factors for the two vulnerabilities. In the Unchecked buffer in SQLXML ISAPI extension, the administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server and the attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML. For the Script injection via XML tag, the user must have privileges on the SQL Server, the attacker must know the address of the SQL Server on which the user has privileges, and the attacker must lure the user to a website under their control. Further, queries submitted via HTTP are not enabled by default and Microsoft best practices recommends against allowing ad hoc URL queries against the database through a virtual root.

Additional information on the SQLXML Security Patch (and download links) can be found at:


» See All Articles by Editor Forrest Stroud