Microsoft warns of holes in SQL Server
By Juan Carlos Perez
(IDG) -- A pair of security holes in Microsoft Corp.'s SQL Server database could make the product vulnerable to a denial-of-service attack and to the execution of malicious code by an attacker, the company said. Patches to fix the holes are available for download from Microsoft's Web site.
The security problems affect SQL Server 2000 and SQL Server 7.0 and are related to the way these two versions of the product create and display text messages after a query is submitted, the company said in a security bulletin. Microsoft labeled the risk from the first flaw as "moderate" and from the second flaw as "low."
The first and more serious vulnerability results from the failure of the SQL Server text-generating functions to limit the size of the text to the buffer space allotted by the system. This can lead to a flaw known as buffer overflow, which could allow an attacker to execute code within the system. The extent of the damage that the attacker could cause would depend on how the database administrator has configured the product's security parameters. In the worst-case scenario, the attacker could gain "significant control over the database, and perhaps over the server itself" and be able to "add, delete, or change data in the database, ... reconfigure the operating system, install new software on it, or simply reformat the hard drive," according to the security bulletin.
The second vulnerability is related to C runtime functions for formatting text strings. The database calls these strings when it runs on Windows NT 4.0, Windows 2000 or Windows XP operating systems. The flaw can make the database vulnerable to a denial of service attack, Microsoft said. The C runtime is the set of executables and files that provide support for programs written in the C programming language, and all Windows platforms ship with a runtime for C, Microsoft said. A "format string" vulnerability occurs when "a function that accepts formatted text for printing doesn't properly validate it before using it," Microsoft said.
Microsoft is recommending that database administrators apply the patch for the first vulnerability to all systems running SQL Server 7.0 and SQL Server 2000. However, the patch for the second vulnerability should be applied "only to systems judged to be at high risk" for attack because if it turns out that the patch is itself flawed, it could have disastrous consequences in a system.
"The C runtime is fundamental to many operating system functions, including the ability to boot the system at all. Because of this, we believe the threshold for applying the patch should be higher," the bulletin reads.
The patch has been "thoroughly tested" but "we cannot perform the same level of testing (on a patch) as would be performed for a service pack or a new product version ... (so we) believe that it's prudent to only apply it to servers that are truly at risk," the bulletin reads. Otherwise, users are advised to wait until the next SQL Server service pack which will have the fix in it.
Microsoft launches 'Gold' security partner program
December 21, 2001
RELATED IDG.net STORIES:
Analysis: SQL Server steps up to process challenge
Microsoft gives SQL Server more XML fluency
MS: Security hole in SQL lets attackers take over
Microsoft to build common data store
FBI agency advises turning off vulnerable XP feature
Your security may be good today, but not tomorrow
Microsoft offers new security partner program
SQL vulnerability spoils holiday festivities
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.
TECHNOLOGY TOP STORIES:
|Back to the top|