MS Fixes More Holes in SQL Server

Written By
Dennis Fisher
Jul 11, 2002

Microsoft Corp. Thursday released patches for four new serious vulnerabilities in its SQL Server 2000 database software, two of which could give an attacker control over the database.

Two of the flaws are buffer overruns, one in a procedure that's used to encrypt SQL Server credentials and the other in a process used for the bulk insertion of data in SQL tables. A successful exploitation of either of these vulnerabilities would give the attacker significant control of the database, and perhaps the server as well.

The third vulnerability is a privilege-elevation weakness that results from incorrect permissions on the registry key that stores the SQL Server service account information, according to a Microsoft bulletin. An attacker who is able to exploit this flaw could elevate his account privileges, possibly to the operating system level.

Microsoft has included the fixes for these three issues in a cumulative patch for SQL Server 2000, available at support.microsoft.com/default.aspx?scid=kb;en-us;Q316333.

The fourth flaw also involves privilege escalation and affects SQL Server 7.0, Microsoft Data Engine 1.0 and SQL Server 2000. In order to facilitate automated installations of SQL Server 7.0, 2000 or a service pack, the applications collect and store install information in a file called setup.iss.

The administrator can provide a password to the installation routine, which is then stored in the setup file as well. Prior to SQL Server 7.0 Service Pack 4, such passwords were stored in plain text; in later releases, the passwords were encrypted using a weak encryption scheme, Microsoft said.

The setup files remain on the server after the installation is complete, and anyone who can log on to the system can access the files.
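
An audit for the leftover setup files described above, as an added example that is not from the article or from Microsoft: it walks a directory tree for files named setup.iss and reports which ones still hold a non-empty credential entry, without echoing the value. The key-matching pattern, the function names and the sample file contents are assumptions constructed for illustration; the article does not give the real key names.

```python
import os
import re
import tempfile

# Assumption: a stored credential appears as a key=value line whose key contains
# "password" or "pwd". The article does not name the actual keys in setup.iss.
CRED_LINE = re.compile(r"^\s*([^=\s]*(?:password|pwd)[^=\s]*)\s*=\s*(\S.*)$", re.I)

def scan_setup_file(path):
    """Return (line_number, key) for each non-empty credential-like entry.
    Values are never returned, so the report does not copy the secret."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            match = CRED_LINE.match(line)
            if match:
                hits.append((number, match.group(1)))
    return hits

def audit_tree(root, name="setup.iss"):
    """Map each leftover setup file under root to its credential-like entries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower() == name:  # file name match is case-insensitive
                path = os.path.join(dirpath, filename)
                hits = scan_setup_file(path)
                if hits:
                    findings[path] = hits
    return findings

def build_sample(root):
    """Write a constructed tree: one setup file with a password, one without."""
    leaky = os.path.join(root, "install_a", "setup.iss")
    clean = os.path.join(root, "install_b", "Setup.iss")
    os.makedirs(os.path.dirname(leaky))
    os.makedirs(os.path.dirname(clean))
    with open(leaky, "w") as fh:  # constructed content, not a real setup.iss
        fh.write("[ExampleDialog-0]\nServiceAccount=EXAMPLE\\svc_sql\n"
                 "ServicePwd=constructed-value\nSaPassword=\nResult=1\n")
    with open(clean, "w") as fh:
        fh.write("[ExampleDialog-0]\nServiceAccount=LocalSystem\nResult=1\n")
    return leaky

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for path, hits in audit_tree(root).items():
            for number, key in hits:
                print(f"{path}:{number}: {key} holds a stored value")
```

Any file the audit reports is a candidate for removal or tighter file permissions once the installation is finished.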

The patch for this vulnerability is also available online.
