Microsoft Patches SQL Server Vulnerability

A flaw in the way SQL Server handles extended stored procedures makes the database vulnerable to a buffer overflow attack, Microsoft officials said in a security bulletin issued this week.

Microsoft has a patch for the vulnerability, a problem that the company classifies as a moderate risk.

Extended stored procedures are external routines written in a programming language such as C. They appear to users as normal stored procedures and are executed in the same way, according to the bulletin. Both SQL Server 7.0 and SQL Server 2000 ship with extended stored procedures for helper functions.

A flaw common to several of the extended stored procedures is a failure to perform input validation correctly, making them susceptible to buffer overruns.

Malicious users can exploit the flaw to crash the SQL Server service or to cause code to run in the security context under which SQL Server itself runs.

According to Microsoft, several best practices reduce the potential damage. DBAs are encouraged to run SQL Server in the lowest security context possible, following the principle of least privilege, which limits the damage an attacker could cause. Also, untrusted users should not be able to load and execute queries of their choice on a database server, and publicly accessible databases should filter inputs before processing them.
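The second recommendation above, keeping untrusted users from executing routines of their choice, can be checked directly in the database. The following T-SQL audit is an added example, not code from the article or from Microsoft's bulletin; it assumes the SQL Server 2000 system catalogs (sysobjects, sysprotects, the public role as uid 0) and sysadmin rights against master, and lists every registered extended stored procedure together with whether public may EXECUTE it.

```sql
-- Added example (not from the article or the MS02-020 bulletin): audit which
-- extended stored procedures in master are executable by the public role.
-- Assumes SQL Server 2000 catalogs: sysobjects.xtype 'X' marks an extended
-- stored procedure; sysprotects.action 224 is EXECUTE, protecttype 204/205
-- are the GRANT variants and 206 is DENY; uid 0 is the public role.
USE master;
GO

SELECT o.name AS extended_proc,
       CASE
           WHEN EXISTS (SELECT 1
                        FROM sysprotects d
                        WHERE d.id = o.id AND d.uid = 0
                          AND d.action = 224 AND d.protecttype = 206)
               THEN 'denied to public'
           WHEN EXISTS (SELECT 1
                        FROM sysprotects g
                        WHERE g.id = o.id AND g.uid = 0
                          AND g.action = 224 AND g.protecttype IN (204, 205))
               THEN 'public can EXECUTE'
           ELSE 'no public grant'
       END AS public_access
FROM sysobjects o
WHERE o.xtype = 'X'
ORDER BY public_access, o.name;
GO

-- Hardening step for a helper procedure that application logins do not need.
-- xp_PLACEHOLDER is a placeholder: substitute a name from the list above only
-- after confirming nothing the applications run depends on it.
-- REVOKE EXECUTE ON xp_PLACEHOLDER FROM public;
```

Run the SELECT before and after applying the patch and any REVOKEs so the change in exposure is recorded; on SQL Server 2005 and later the same audit is expressed against sys.objects and sys.database_permissions instead.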

The patch is available at http://www.microsoft.com/technet/security/bulletin/ms02-020.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
