Users of some versions of Protegrity Inc.s datbabase encryption technology, Secure.Data for Microsoft SQL Server 2000, need to patch their systems.
The Stamford, Conn., company late last month put out a patch to cover three buffer-overflow vulnerabilities in Secure.Datas XPs (extended stored procedures)—procedures that are used to do encryption and decryption on databases. XPs are native database hooks, the code for which is written by Protegrity.
Since being informed of the vulnerabilities, the company has tested not only the reported vulnerabilities but also all code, to "make sure this was no longer a problem," according to Tom McGough, senior product manager at Protegrity, in Stamford, Conn.
According to a CERT report, the vulnerability would allow non-privileged users to gain administrative access to the database and cause a denial-of-service attack.
Releases 2.2.2 and 2.2.3 of Secure.Data are affected. According to McGough, all existing customers have been informed about the vulnerability by the companys Global Support Team, which sent out the patch and installation instructions. Customers who purchase the product after Feb. 21 will not be affected, as the patch has already been included in a new service release, Secure.Data 22.214.171.124 for SQL Server 2000.
No Protegrity customers have reported security breaks, according to McGough.
To find out if the patch should be installed, customers should check that the version number of the existing protegrity.dll is less than 126.96.36.199. In a default installation, the .dll file is found in C:\Program Files\Protegrity\Secure.Data Server\Cartridge\Lib. To check version number, right-click on the file and choose Properties. Click on the version tab. If the last digit of the version number is less than 9, the patch must be installed.
The patch includes a new protegrity.dll file that fixes the buffer overflow vulnerability in the extended store procedures xp_pty_checkusers, xp_pty_insert and xp_pty_select.
Latest Security News:
Search for more stories by Lisa Vaas.