Microsoft Patches SQL Server Vulnerability

A flaw in the way SQL Server handles extended stored procedures makes the database vulnerable to a buffer overflow attack, Microsoft officials said in a security bulletin issued this week.

Microsoft has released a patch for the vulnerability, which the company rates as a moderate risk.

Extended stored procedures are external routines written in a programming language such as C and packaged as DLLs that SQL Server loads into its own process. They appear to users as normal stored procedures and are executed in the same way, according to the bulletin, but because they run inside the server process, a memory-safety bug in one of them is a bug in the server itself. Both SQL Server 7.0 and SQL Server 2000 ship with extended stored procedures that provide helper functions.

Several of the shipped extended stored procedures share the same flaw: they do not validate the length of the input they receive before copying it into a fixed-size buffer, making them susceptible to buffer overruns.

An attacker who can invoke one of the affected procedures can exploit the flaw either to crash the SQL Server service (a denial of service) or to run code of the attacker's choosing in the security context of the SQL Server service account.
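As an added example (not Microsoft's code, and not the code of the patched procedures), the C fragment below shows the shape of the defect the bulletin describes: a procedure receives a parameter as bytes plus a caller-controlled length and copies it into a fixed-size buffer it declared itself. The unchecked routine is shown beside a hardened one that validates the length first. The names xp_copy_unchecked, xp_copy_checked, FIELD_SIZE, the canary layout and the constructed input are all assumptions made for this illustration; the memory "beyond" the field is simulated inside one array so the demonstration itself stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example (not Microsoft's code, not the patched procedures): the shape
 * of the defect the bulletin describes. An extended stored procedure receives
 * a parameter as bytes plus a caller-controlled length and copies it into a
 * fixed-size buffer declared inside the procedure. xp_copy_unchecked,
 * xp_copy_checked, FIELD_SIZE and the canary layout are assumptions made for
 * this illustration.
 */

#define FIELD_SIZE 32                 /* the buffer the routine declared */
#define ARENA_SIZE (2 * FIELD_SIZE)   /* field plus the memory that follows it */
#define CANARY     0xAA               /* fill pattern for the memory past the field */

/* Simulated stack frame. Bytes [0, FIELD_SIZE) are the declared buffer;
 * bytes [FIELD_SIZE, ARENA_SIZE) stand in for whatever follows it on a real
 * stack (other locals, saved registers, the return address). */
struct frame {
    unsigned char mem[ARENA_SIZE];
};

void frame_init(struct frame *f)
{
    memset(f->mem, 0, FIELD_SIZE);
    memset(f->mem + FIELD_SIZE, CANARY, ARENA_SIZE - FIELD_SIZE);
}

/* Returns 1 if any byte beyond the declared field was overwritten, else 0. */
int frame_overrun(const struct frame *f)
{
    for (size_t i = FIELD_SIZE; i < ARENA_SIZE; i++)
        if (f->mem[i] != CANARY)
            return 1;
    return 0;
}

/* Vulnerable pattern: trusts the caller-supplied length. */
int xp_copy_unchecked(struct frame *f, const unsigned char *param, size_t len)
{
    if (len > ARENA_SIZE)        /* demo-only guard so this program stays in bounds;
                                    the flawed procedures had no equivalent check */
        return -1;
    memcpy(f->mem, param, len);  /* spills past FIELD_SIZE whenever len > FIELD_SIZE */
    return 0;
}

/* Hardened pattern: validate the length against the declared buffer first and
 * reject oversize input outright (a real procedure would report an error back
 * to the server) rather than copying blindly or truncating silently. */
int xp_copy_checked(struct frame *f, const unsigned char *param, size_t len)
{
    if (param == NULL || len > FIELD_SIZE)
        return -1;
    memcpy(f->mem, param, len);
    return 0;
}

/* Runs one copy routine on a constructed parameter of 'len' bytes of 'A'.
 * Returns -1 if the routine rejected the input, 1 if it accepted it and
 * overran the field, 0 if it accepted it and stayed within the field. */
int run_case(int (*copy)(struct frame *, const unsigned char *, size_t), size_t len)
{
    unsigned char param[ARENA_SIZE];
    struct frame f;

    memset(param, 'A', sizeof param);  /* constructed attacker-style input */
    frame_init(&f);
    if (copy(&f, param, len) != 0)
        return -1;
    return frame_overrun(&f);
}

int main(void)
{
    printf("unchecked, 16-byte param: %d\n", run_case(xp_copy_unchecked, 16));
    printf("unchecked, 48-byte param: %d\n", run_case(xp_copy_unchecked, 48));
    printf("checked,   48-byte param: %d\n", run_case(xp_copy_checked, 48));
    printf("checked,   32-byte param: %d\n", run_case(xp_copy_checked, 32));
    return 0;
}
```

Compile with a plain C compiler and run it. The 48-byte parameter overwrites the simulated region past the field in the unchecked version and is refused by the checked one. On a real stack that region holds saved registers and the return address: clobbering it with junk is the service crash the bulletin mentions, and filling it with attacker-chosen bytes is how code comes to run with the service's privileges.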

According to Microsoft, several best practices reduce the potential damage. DBAs are encouraged to run the SQL Server service under the lowest-privilege account that still works, following the principle of least privilege, so that code running in the server's context can do as little harm as possible. Untrusted users should not be able to submit and execute queries of their choice against a database server, and applications fronting publicly accessible databases should validate and filter user input before passing it on to the server.

The patch is available at http://www.microsoft.com/technet/security/bulletin/ms02-020.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
