A potentially dangerous vulnerability has been detected in several versions of Microsoft's SQL Server product and the company is warning system administrators that an intruder could use the flaw to elevate privilege levels.

In a security advisory issued Thursday, Microsoft released patches to plug holes in SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0 and SQL Server 2000 Desktop Engine (MSDE 2000).

It is the second major fix to the SQL Server software this month, and Microsoft said the current patch is in addition to the cumulative patch issued in early October to plug holes in the SQL Server 7.0 and 2000 products.

In describing the latest vulnerability as "critical," Microsoft said it would allow low-privilege users on the server to elevate privilege levels and make unauthorized changes to tasks created by other users.

"An attacker who is able to authenticate to a SQL server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run already created web tasks in the context of the creator of the web task," the company warned.

The bug, which was reported to Microsoft by Next Generation Security Software Ltd. (NGSS), involves an extended stored procedure and weak permissions on a table that together allow the unauthorized elevation of privileges.

SQL Server supplies stored procedures for managing the server and displaying information about databases and users. Microsoft said the flaw made it possible for an attacker to execute a SQL Server stored procedure that runs Web tasks.

"Since anyone who could authenticate to the SQL Server could run this stored procedure, it is possible for an attacker to run previously stored web tasks in the context of the person who created them, thereby potentially elevating his or her privileges," it warned.

Earlier this month, Microsoft's cumulative patch for SQL Server fixed an unchecked buffer in the SQL Server 2000 authentication function, an unchecked buffer in database console commands and a flaw in output file handling for scheduled jobs.

Back in August, CERT issued a warning that several vulnerabilities had been detected in Microsoft SQL Server 7.0, Microsoft SQL Server 2000, and Microsoft SQL Server Desktop Engine 2000. Those flaws allowed remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts. Microsoft also issued a patch for those vulnerabilities.

Microsoft also issued two more security bulletins on Thursday to fix vulnerabilities in its popular Word and Excel applications and in the Windows XP operating system.

The patch for the Word and Excel applications fixes a vulnerability that allows an attacker to use field codes and external updates to steal information from a user.

"Certain events can trigger field code and external update to be updated, such as saving a document or by the user manually updating the links. Normally the user would be aware of these updates occurring, however a specially crafted field code or external update can be used to trigger an update without any indication to the user. This could enable an attacker to create a document that, when opened, would update itself to include the contents of a file from the user's local computer," the company warned.

Affected software includes MS Word 2002, MS Word 2000, MS Word 97, MS Word 98, MS Word X for Macintosh, MS Word 2001 for Macintosh, MS Word 98 for Macintosh and MS Excel 2002. Microsoft gave the bug a "moderate" rating and noted that most of the patches require the latest service pack to be installed first.

Another fix was issued to plug a hole in the Windows XP version of Help and Support Center.

"An attacker could exploit the vulnerability by constructing a web page that, when opened, would call an errant function in the XP Support Center and supply the name of an existing file or folder as the argument," the company said. It warned that the attempt to upload the file or folder would fail, but the file nevertheless would be deleted. "The page could be hosted on a web site in order to attack users visiting the site, or could be sent as an HTML mail in order to attack the recipient when it was opened," according to the advisory.

The vulnerability would not enable an attacker to take any action other than deleting files. It would not grant any form of administrative control over the system, nor would it enable the attacker to read or modify files.

Customers who have applied Windows XP Service Pack 1 are at no risk from the vulnerability.