Microsoft Puts Out 5 Security Bulletins Overnight

Microsoft issued five security bulletins on Wednesday night, including one bulletin and patch addressing three critical vulnerabilities in SQL Server 2000.

Two of the bulletins dealt with SQL Server 2000, one dealt with Microsoft Exchange Server 5.5, another involved Microsoft Metadirectory Services 2.2 and a fifth bulletin was a reissue of an earlier patch for Windows Media Player.

The critical vulnerabilities in SQL Server, fixed in the patch included with MS02-39, involve a problem with a popular feature introduced in SQL Server 2000 -- multiple instances of the database on a single machine.

Prior to SQL Server 2000, only one instance of SQL Server could be run on a single server. With SQL Server 2000, users could run several distinct SQL Server 2000 databases on a single machine.

Single instances of SQL Server traditionally listened for network traffic on TCP port 1433, according to Microsoft. With multiple instances, each instance needs its own port, and something needs to keep track of which port each instance is listening on.

Enter the SQL Server Resolution Service, the target of the three critical new vulnerabilities. Two are buffer overruns, each of which could lead to code execution. The third is a denial-of-service vulnerability: through the use of spoofing, an attacker could cause two machines running SQL Server 2000 to pass identical messages back and forth to each other, sapping resources to the exclusion of useful work.

All the other vulnerabilities addressed in bulletins issued late Wednesday were moderate threats, except the reissued Windows Media Player patch. In the cumulative patch for Windows Media Player sent out last month, Microsoft "inadvertently omitted" a file containing the fixes from its 56th Microsoft Security Bulletin of 2001 -- making the patch not quite as cumulative as advertised.

To view all the bulletins, visit Microsoft's TechNet security page.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

