Microsoft Mends Three More Flaws

Flaws affect SQL Server, Windows XP Help and Support Center, Word and Excel.

Microsoft Corp. on Wednesday issued patches for three new vulnerabilities, including a critical flaw in its SQL Server database software that enables an attacker to gain elevated privileges and run certain pieces of code on the machine.

The flaw results from the combination of a stored procedure, an extended stored procedure and a weak permission on a table, which allow an authenticated user to run, update, insert or delete Web tasks on the SQL server. The intruder would be able to run any of the tasks in the context of the tasks creator, which is typically that of SQL Server Agent service account.

The flaw affects SQL Server 7.0 and 2000.

The second vulnerability lies in the Windows XP Help and Support Center, which contains a file that should only be available to the system but is instead available to any Web page. The file is meant to send hardware information to Microsoft during the help process so the company can help users find device drivers. After uploading the XML file with the hardware information, the system then deletes it.

By building a Web page that called this faulty function and enticing a user to visit, an attacker could then delete arbitrary files on the users machine by supplying its name to the help function. However, the attacker would need to know the exact name of the file in order to delete it.

The vulnerability could also be exploited by sending an HTML mail message containing the malicious code to a vulnerable user.

The third vulnerability is in a mechanism in both Word and Excel that allows data from one document to be inserted into and updated in another document. The feature, known as field codes, could be used by an attacker to steal data from a users document without the users knowledge.

In order to do so, the attacker would have to create a Word or Excel document that exploits the flaw, send it to a user and have the user open it and then return it to the attacker. The attacker would need to know the exact location of the file for this attack to succeed.

All versions of Word from 97 through 2002 and Word X, 98 and 2001 for Macintosh are vulnerable, as is Excel 2002.

Related Stories: