New Elevation of Privileges SQL Server Security Patch Available

October 17, 2002

10.16.02. Microsoft late tonight released a new security patch for SQL Server 7.0 and 2000. Microsoft has issued a critical severity rating for the "Elevation of Privilege in SQL Server Web Tasks" cumulative patch.

The new security threat is an elevation of privilege vulnerability arising from a Microsoft-provided stored procedure, an extended stored procedure, and weak permissions on a table. The vulnerability makes it possible for an attacker to execute a SQL Server stored procedure that runs web tasks. Because anyone who can authenticate to the SQL Server can run this stored procedure, an attacker could run previously stored web tasks in the security context of the user who created them, thereby potentially elevating his or her privileges.

Mitigating factors for the newly discovered vulnerability include:

  • It is necessary to be an authenticated user of the SQL Server
  • Exploiting this vulnerability could allow the attacker to escalate privileges to the level of the SQL Server service account. By default, the service runs with the privileges of a domain user, rather than with system privileges
  • The attacked database must support the use of web tasks and the tasks have to first exist in order to be exploited

The patch eliminates the vulnerability by assigning proper permissions on the stored procedure for running web tasks. The patch also locks down permissions on the table that stores information about web tasks.
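The fix described above comes down to object permissions, so an administrator can verify the state of a server before and after patching by reading the permission catalog. The following T-SQL audit is an added example, not code from the article or from Microsoft's patch; it assumes the SQL Server 2000 web-task objects as documented for that release (the sp_makewebtask, sp_runwebtask and sp_dropwebtask procedures in master, and the MSwebtasks table in msdb), and the sysprotects action and protecttype codes of that version. Any row it returns means the object is still reachable by every authenticated user, which is the precondition the article describes.

```sql
-- Added audit example (not from the article or the vendor patch).
-- Assumed object names: web-task procedures in master, task table in msdb.
-- sysprotects codes (SQL Server 2000): action 224 = EXECUTE, 193 = SELECT,
-- 195 = INSERT, 196 = DELETE, 197 = UPDATE;
-- protecttype 204 = GRANT WITH GRANT OPTION, 205 = GRANT, 206 = DENY.

-- 1. Which web-task procedures can the 'public' role execute?
USE master;
SELECT o.name AS object_name,
       u.name AS grantee,
       CASE p.action WHEN 224 THEN 'EXECUTE'
                     ELSE CONVERT(varchar(10), p.action) END AS permission,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                          WHEN 205 THEN 'GRANT'
                          WHEN 206 THEN 'DENY' END AS protect_type
FROM dbo.sysprotects p
JOIN dbo.sysobjects  o ON o.id  = p.id
JOIN dbo.sysusers    u ON u.uid = p.uid
WHERE o.name IN ('sp_makewebtask', 'sp_runwebtask', 'sp_dropwebtask')
  AND u.name = 'public'
  AND p.protecttype IN (204, 205);   -- grants only; a DENY row is fine

-- 2. Can 'public' read or modify the table that stores the tasks?
USE msdb;
SELECT o.name AS object_name,
       u.name AS grantee,
       CASE p.action WHEN 193 THEN 'SELECT'
                     WHEN 195 THEN 'INSERT'
                     WHEN 196 THEN 'DELETE'
                     WHEN 197 THEN 'UPDATE'
                     ELSE CONVERT(varchar(10), p.action) END AS permission,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                          WHEN 205 THEN 'GRANT'
                          WHEN 206 THEN 'DENY' END AS protect_type
FROM dbo.sysprotects p
JOIN dbo.sysobjects  o ON o.id  = p.id
JOIN dbo.sysusers    u ON u.uid = p.uid
WHERE o.name = 'MSwebtasks'
  AND u.name = 'public'
  AND p.protecttype IN (204, 205);
```

Run both queries before applying the patch to record the baseline, then again afterwards; the second run should return no rows for the affected objects.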

In addition to eliminating the elevation of privilege vulnerability, this cumulative patch includes the functionality of all previously released patches for SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000. The patch can be installed on systems running SQL Server 7.0 Service Pack 4 or SQL Server 2000 Service Pack 2, and the functionality included in the patch will be part of SQL Server 2000 Service Pack 3 when it's released.

Additional information on the SQL Server Security Patch (and download links) can be found at:

» See All Articles by Editor Forrest Stroud