News

SQL Patch Addresses 3 Critical Vulnerabilities

• By Scott Bekker
• 10/03/2002

Microsoft released a cumulative patch for SQL Server and the Microsoft Data Engine (MSDE) to fix three newly discovered critical vulnerabilities. While Microsoft has rolled together fixes for multiple vulnerabilities in a product into one patch regularly this year, rarely has one patch fixed more than one critical hole. The patch posted on the day that the SANS Institue and the FBI listed SQL Server generally as one of the top security vulnerabilities on Windows systems.

The vulnerabilities affect SQL Server 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0 and Microsoft Desktop Engine (MSDE) 2000. MSDE works with SQL Server.

The new flaws include two buffer overruns and a problem with the way the SQL Server Agent handles jobs scheduled by unprivileged users. The SQL Server team also used the patch to change the operation of SQL Server, to prevent non-administrative users from running ad hoc queries against non-SQL OLE DB data sources.

As a cumulative patch, it is also supposed to include all previous patches for SQL Server. The patch included in security bulletin MS02-56 is the third cumulative patch for SQL Server in recent months. One was released in July and another came out in August.

The security bulletin can be found here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp.

The first of the three new critical vulnerabilities in the patch is a buffer overrun associated with user authentication in SQL Server 2000 and MSDE 2000. Without successfully authenticating, an attacker could use the flaw to overwrite memory on the server, potentially running code in the security context of the SQL Server service. While the default setting for the SQL Server service is as a domain user, it would still give the attacker complete control of the SQL Server databases on the system. If port 1433 is blocked at the firewall, the flaw can't be exploited from the Internet.

The other buffer overrun vulnerability fixed in the patch results from a problem in one of the Database Console Commands included in SQL Server 7.0 and SQL Server 2000. The most serious case would enable an attacker to run code in the context of the SQL Server service, again. To exploit the vulnerability, the attacker would have to be able to authenticate to the server.

The vulnerability involving the SQL Server Agent occurs because unprivileged users can require output files when they create scheduled jobs that the agent executes in its own security context rather than the user's. "An unprivileged user could submit a job that would create a file containing valid operating system commands in another user’s Startup folder, or simply overwrite system files in order to disrupt system operation," Microsoft's bulletin states. The flaw affects SQL Server 7.0 and SQL Server 2000. An attacker must be able to authenticate on the affected SQL Server to exploit the vulnerability.

Microsoft also used the patch to change the operation of SQL Server to prevent non-administrative users from running ad hoc queries against non-SQL OLE DB data sources. "Although the current operation does not represent a security vulnerability, the new operation makes it more difficult to misuse poorly coded data providers that might be installed on the server," according to Microsoft.

Microsoft posted the patch Wednesday night. Earlier Wednesday, SANS and the FBI's National Infrastructure Protection Center (NIPC) released their annual Top 20 list of security vulnerabilities for Windows and Unix systems. The top three vulnerabilities for Windows systems, according to the list, were IIS, Microsoft Data Access Components and SQL Servers. For more information about the SANS/NIPC list, visit:
www.sans.org/top20/.