Happy Holidays database administrators! As a parting present before you go
home for your year-end break, Microsoft has announced a security problem in SQL
Server 7.0 and 2000. Thanks to the guys at @Stake, who found two vulnerabilities
in SQL Server 7.0 and 2000. One of the vulnerabilities allow a buffer in a SQL
Server function to be overrun and potentially allow a hacker to have access to
files and cause harm to your server. The other vulnerability allows a hacker to
issue a denial of service attack on your SQL Server through the C runtime
environment.
In the first problem, a hacker could potentially overrun one of SQL Server's
buffers in a function and could then impersonate whichever account is starting
your SQL Server. After the hacker obtains this access, he could crash your SQL
Server or run whichever program he wishes. The second problem allows the hacker
to gain partial access to the C runtime environment. After he obtains this
access, the most he can do is issue a denial of service attack on your SQL
Server, effectively preventing other users from getting into your system. This
bug would only effect SQL Servers running Windows NT, 2000 or XP.
The attack is issued through malicious queries that use the problem SQL
Server functions. Microsoft has already issued patches last week to address the
problem. Since these are two problems essentially, Microsoft has issued two
patches. Only apply the patch to fix the problem if you have SQL Server 7.0 SP3
or SQL Server 2000 SP1. The patch has been rolled into SQL Server 2000 SP2. The
second patch can be considered much more risky, since it modifies the C
environment on your computer, which low-level OS items use. Although I had no
problems applying this patch in my testing environment, make sure you test it in
your own as well. If a problem does occur in this patch, it could cause your OS
to become instable.
This problem can be limited by using best security practices. For example,
ensure that the account that starts your SQL Server and SQL Server Agent
services has limited authority. Often times, I see this user have administrator
rights This bug could really harm systems like that. The likeliness of this
causing a problem in your environment can also be limited if you control how
your system is queried. For example, by making sure users have a controlled
method of querying your system (non-ad hoc), you can lower the risk.
Read more details about the vulnerabilities and download the patches.
