Sybase Patches Database Server Holes

By Lisa Vaas  |  Posted 2002-12-02

Three buffer overflow vulnerabilities found in the servers could let an attacker overwrite the stack and execute arbitrary code.

SHATTER, Application Security Inc.'s security and development team, last week discovered three new potential security holes in Sybase Inc. database servers. The team, aka Security Heuristics of Application Testing Technology for Enterprise Research, found the following vulnerabilities, which could theoretically enable an attacker to overwrite the stack and execute arbitrary code: DBCC CHECK VERIFY buffer overflow, DROP DATABASE buffer overflow and xp_freedll buffer overflow.

Analysts say buffer overflow vulnerabilities such as these are a "dime a dozen" nowadays. Still, users have to stay on top of them, just in case. "It's a constant reminder that you can never be truly secure," said Pete Lindstrom, an analyst with Spire Security, in Malvern, Pa. "You're never quite sure if they're incredibly significant or if they can be incredibly significant down the road."
Tom Traubitz, senior marketing manager for Sybase, in Dublin, Calif., said the vulnerabilities are "hypothetical," in that the only persons who would have access to exploiting them would be trusted users anyway.
Sybase issued patches last week. They are available at The patches are for the 12.x series of Adaptive Server Enterprise (ASE). There have been several point releases of ASE 12, but the major releases are ASE 12.0 and ASE 12.5. Application Security also has patches available within an update for AppDetective, the New York company's application penetration testing/vulnerability assessment tool. The update can be downloaded here.

Editor's Note: This story has been updated since its original posting to include more details about the Sybase patches.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
