Microsoft Mends Three More Flaws
Flaws affect SQL Server, Windows XP Help and Support Center, Word and Excel.Microsoft Corp. on Wednesday issued patches for three new vulnerabilities, including a critical flaw in its SQL Server database software that enables an attacker to gain elevated privileges and run certain pieces of code on the machine. The flaw results from the combination of a stored procedure, an extended stored procedure and a weak permission on a table, which allow an authenticated user to run, update, insert or delete Web tasks on the SQL server. The intruder would be able to run any of the tasks in the context of the tasks creator, which is typically that of SQL Server Agent service account. The flaw affects SQL Server 7.0 and 2000.
The second vulnerability lies in the Windows XP Help and Support Center, which contains a file that should only be available to the system but is instead available to any Web page. The file is meant to send hardware information to Microsoft during the help process so the company can help users find device drivers. After uploading the XML file with the hardware information, the system then deletes it.