Microsoft Patches SQL Server Vulnerability

A flaw in the way SQL Server handles extended stored procedures makes the database vulnerable to a buffer overflow attack, Microsoft officials said in a security bulletin issued this week.

Microsoft has a patch for the vulnerability, a problem that the company classifies as a moderate risk.

Extended stored procedures are external routines written in a programming language such as C. They appear to users as normal stored procedures and are executed in the same way, according to the bulletin. Both SQL Server 7.0 and SQL Server 2000 ship with extended stored procedures for helper functions.

A flaw common to several of the extended stored procedures is a failure to perform input validation correctly, making them susceptible to buffer overruns.

Malicious users can exploit the flaw to cause the SQL Server service to fail or to cause code to run in the security context that SQL Server enjoys.

According to Microsoft, several best practices reduce the potential damage. DBAs are encouraged to run SQL Server in the lowest security context possible, following the principle of least privilege, which limits the damage an attacker could cause. Also, untrusted users should not be able to load and execute queries of their choice on a database server, and publicly accessible databases should filter inputs prior to processing.
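The defect class the bulletin describes, as an added example that is not Microsoft's code: a hypothetical extended-stored-procedure parameter handler shown in its unchecked form beside a length-validated form. The Open Data Services API that real extended stored procedures use is not modelled; the handler simply receives the raw argument bytes and a caller-supplied length.

```c
#include <string.h>

/* Hypothetical parameter handler for an extended stored procedure (added
   example, not Microsoft's code). The real ODS API is not modelled; the
   handler receives the raw argument bytes and their length. */

#define XP_PARAM_MAX 64   /* fixed-size buffer the procedure copies into */

enum xp_status { XP_OK = 0, XP_ERR_NULL = 1, XP_ERR_TOO_LONG = 2 };

/* Vulnerable pattern: the argument goes into a fixed stack buffer with no
   length check, so any argument of XP_PARAM_MAX bytes or more overruns it.
   This is the defect class the bulletin describes; it is never called with
   untrusted input here and is shown only for contrast. */
int xp_unchecked(const char *arg)
{
    char buf[XP_PARAM_MAX];
    strcpy(buf, arg);                   /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened pattern: validate before copying. The length comes from the
   caller (as the server supplies it) rather than from a terminator the
   caller controls, and the output buffer is always terminated. */
enum xp_status xp_checked(const char *arg, size_t arg_len,
                          char *out, size_t out_len)
{
    if (arg == NULL || out == NULL || out_len == 0)
        return XP_ERR_NULL;
    if (arg_len >= out_len)             /* leave room for the terminator */
        return XP_ERR_TOO_LONG;
    memcpy(out, arg, arg_len);
    out[arg_len] = '\0';
    return XP_OK;
}

/* Run the hardened handler over three constructed sample arguments (a normal
   name, a 199-byte run of 'A', and a null) and return how many were rejected. */
int xp_reject_count(void)
{
    char out[XP_PARAM_MAX];
    char longarg[200];
    int rejected = 0;
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    rejected += xp_checked("db_backup", 9, out, sizeof out) != XP_OK;
    rejected += xp_checked(longarg, strlen(longarg), out, sizeof out) != XP_OK;
    rejected += xp_checked(NULL, 0, out, sizeof out) != XP_OK;
    return rejected;                    /* 2 of the 3 samples rejected */
}
```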

The patch is available at http://www.microsoft.com/technet/security/bulletin/ms02-020.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
