Microsoft Patches SQL Server Vulnerability

A flaw in the way SQL Server handles extended stored procedures makes the database vulnerable to a buffer overflow attack, Microsoft officials said in a security bulletin issued this week.

Microsoft has a patch for the vulnerability, a problem that the company classifies as a moderate risk.

Extended stored procedures are external routines written in a programming language such as C. They appear to users as normal stored procedures and are executed in the same way, according to the bulletin. Both SQL Server 7.0 and SQL Server 2000 ship with extended stored procedures for helper functions.

A flaw common to several of the extended stored procedures is a failure to perform input validation correctly, making them susceptible to buffer overruns.
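The kind of input validation at issue, as an added example that is not Microsoft's code or the actual extended stored procedure API: a C routine that receives a caller-supplied parameter and checks its length before copying it into a fixed buffer. The `xp_param` struct, the function names, the error codes and the 128-byte limit are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parameter passed to an external routine:
   raw bytes plus a caller-declared length, not NUL-terminated. */
typedef struct {
    const unsigned char *data;  /* NULL when the SQL value is NULL */
    size_t len;                 /* length in bytes, chosen by the caller */
} xp_param;

enum { XP_OK = 0, XP_ERR_NULL = -1, XP_ERR_TOO_LONG = -2, XP_ERR_EMBEDDED_NUL = -3 };

#define NAME_MAX_LEN 128        /* constructed limit for this example */

/* Unsafe pattern, shown for contrast only and never compiled:
 *     char name[NAME_MAX_LEN];
 *     memcpy(name, p->data, p->len);    trusts the caller's length
 */

/* Validated copy: reject oversize input instead of truncating it,
   and always leave room for the terminator. */
int xp_copy_name(const xp_param *p, char *out, size_t out_size)
{
    if (p == NULL || out == NULL || out_size == 0)
        return XP_ERR_NULL;
    out[0] = '\0';                       /* defined content on every path */
    if (p->data == NULL)
        return XP_ERR_NULL;
    if (p->len >= out_size)              /* >= keeps one byte for '\0' */
        return XP_ERR_TOO_LONG;
    if (memchr(p->data, 0, p->len) != NULL)
        return XP_ERR_EMBEDDED_NUL;      /* later string calls would see a shorter value */
    memcpy(out, p->data, p->len);
    out[p->len] = '\0';
    return XP_OK;
}

/* Hypothetical handler: returns the accepted length or a negative error. */
int xp_demo_handler(const xp_param *p)
{
    char name[NAME_MAX_LEN];
    int rc = xp_copy_name(p, name, sizeof name);
    return rc != XP_OK ? rc : (int)strlen(name);
}

int main(void)
{
    xp_param sample = { (const unsigned char *)"master", 6 };  /* constructed input */
    printf("handler returned %d\n", xp_demo_handler(&sample));
    return 0;
}
```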

Malicious users can exploit the flaw to cause the SQL Server service to fail or to cause code to run in the security context of the SQL Server service.

According to Microsoft, several best practices reduce the potential damage. DBAs are encouraged to run SQL Server in the lowest security context possible, a practice known as the rule of least privilege, which limits the amount of damage an attacker could cause. Also, untrusted users should not be able to load and execute queries of their choice on a database server, and publicly accessible databases should filter inputs prior to processing.

The patch is available at http://www.microsoft.com/technet/security/bulletin/ms02-020.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
