Microsoft Patches Vulnerable SQL Servers
Redmond moves to squelch a buffer overrun vulnerability affecting SQL Server 7.0 and 2000 database software.
Microsoft said the patch addresses a buffer overrun vulnerability affecting its SQL Server 7.0 and 2000 database software. In an advisory, the company said the flaw could cause SQL Server to fail (a denial of service) or allow an attacker to execute arbitrary code in the security context in which the SQL Server service is running.
"SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in," Microsoft said.
"An attacker could exploit this vulnerability in one of two ways. Firstly, the attacker could attempt to load and execute a database query that calls one of the affected functions. Secondly, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for the attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters."
To confirm that the patch is correctly installed on SQL Server 7.0, Microsoft urges administrators to verify the individual files by comparing their date/time stamps against the file manifest in the Microsoft Knowledge Base article.
For SQL Server 2000, the same check applies: compare the date/time stamps of the individual files against the file manifest for the SQL Server 2000 patch.
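The verification step above is a file-by-file comparison against a manifest. The following script, an added example that is not from Microsoft's advisory or Knowledge Base article, shows how to automate it: it reads a manifest of expected file names and date/time stamps, checks each file under the SQL Server binaries directory, and reports which files are patched, which still carry a pre-patch timestamp, and which are missing altogether. The manifest entries, the timestamps, and the install layout it builds for demonstration are constructed assumptions; the real entries come from the Knowledge Base article for the patch you applied.

```python
"""Verify a SQL Server hotfix by comparing installed files against a manifest.

Added example, not Microsoft's code. The manifest format (file name mapped to
the earliest acceptable modification time) and the sample entries below are
assumptions for illustration only.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed manifest: file name -> earliest acceptable timestamp.
# Timestamps are treated as UTC here (an assumption); check which time zone
# the Knowledge Base article uses before comparing against real files.
EXPECTED_MANIFEST = {
    "sqlservr.exe": datetime(2002, 7, 24, tzinfo=timezone.utc),
    "opends60.dll": datetime(2002, 7, 24, tzinfo=timezone.utc),
    "ums.dll": datetime(2002, 7, 24, tzinfo=timezone.utc),
}


def check_file(path: Path, expected: datetime) -> str:
    """Return 'ok', 'stale' or 'missing' for one manifest entry."""
    if not path.is_file():
        return "missing"
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    # A file older than the manifest stamp predates the fix: patch not applied.
    return "ok" if mtime >= expected else "stale"


def verify_patch(install_dir, manifest=None) -> dict:
    """Check every manifest entry under install_dir; returns {name: status}."""
    manifest = manifest or EXPECTED_MANIFEST
    root = Path(install_dir)
    return {name: check_file(root / name, stamp) for name, stamp in manifest.items()}


def is_patched(results: dict) -> bool:
    """The patch counts as installed only if every file is present and current."""
    return all(status == "ok" for status in results.values())


def _set_mtime(path: Path, when: datetime) -> None:
    """Set access and modification time of a file (used to build sample data)."""
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))


def build_sample_install(root: Path) -> None:
    """Constructed sample: one patched file, one pre-patch file, one missing."""
    patched = root / "sqlservr.exe"
    patched.write_bytes(b"\x00")
    _set_mtime(patched, datetime(2002, 8, 1, tzinfo=timezone.utc))

    stale = root / "opends60.dll"
    stale.write_bytes(b"\x00")
    _set_mtime(stale, datetime(2001, 1, 15, tzinfo=timezone.utc))
    # ums.dll is deliberately not created, so it should report as missing.


def demo() -> dict:
    """Run the check against a constructed install directory and return results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_install(root)
        return verify_patch(root)


if __name__ == "__main__":
    outcome = demo()
    for name, status in outcome.items():
        print(f"{name:14s} {status}")
    print("patched:", is_patched(outcome))
```

Point `verify_patch` at the real Binn directory and replace the constructed manifest with the entries from the Knowledge Base article. Treat a `stale` or `missing` result as "patch not installed" and reinstall. Keep in mind that a modification time is a weak indicator: it can be set arbitrarily and is affected by time-zone and daylight-saving display offsets, so where a file version is also listed, check that too.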