K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Microsoft Security Bulletin MS12-070 for SSRS

Today is black Tuesday for October 2012. One security bulletin is specifically for a component of the SQL Server stack: SQL Server Reporting Services. Here's the write-up from Microsoft:

Microsoft Security Bulletin MS12-070

It affects all supported versions of Reporting Services, from SQL Server 2000 Reporting Services through SQL Server 2012 Reporting Services. The bulletin fixes an elevation-of-privilege vulnerability in SSRS that is exploited through cross-site scripting (XSS). If you have SQL Server Reporting Services in your environment, read the bulletin and apply the update accordingly. At the time of writing there are no known attacks or publicly released exploits for this vulnerability.
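Before applying the update it helps to know which hosts actually have Reporting Services installed and what build each engine and SSRS instance is currently at. The script below is an added example, not code from the original post or from Microsoft; it reads the standard SQL Server "Instance Names" registry layout to enumerate database engine (SQL) and Reporting Services (RS) instances and reports their Setup Version/PatchLevel alongside the file version of the main binary. The function name Get-SqlInstanceInventory and the ReportServer\bin\ReportingServicesService.exe path under the RS SQLPath are assumptions for the example; run it in an elevated PowerShell session on the SQL Server host.

```powershell
# Added example (not from the original post): inventory SQL Server engine
# and Reporting Services instances on this host and report their builds.
# Assumes the usual registry layout under
#   HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\{SQL,RS}
# where each value maps an instance name to an instance ID such as
# MSSQL10.MSSQLSERVER or MSRS10.MSSQLSERVER.

$script:SqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-SqlInstanceInventory {
    # SQL = database engine instances, RS = Reporting Services instances
    foreach ($component in 'SQL', 'RS') {
        $namesKey = Join-Path $script:SqlRoot "Instance Names\$component"
        if (-not (Test-Path $namesKey)) { continue }

        $names = Get-ItemProperty -Path $namesKey
        foreach ($prop in $names.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those
            if ($prop.Name -like 'PS*') { continue }

            $instanceId = $prop.Value
            $setupKey   = Join-Path $script:SqlRoot "$instanceId\Setup"
            $setup      = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue

            # Locate the main binary so its file version can be compared
            # with the registry PatchLevel after the update is applied.
            $binary = $null
            if ($component -eq 'SQL' -and $setup.SQLBinRoot) {
                $binary = Join-Path $setup.SQLBinRoot 'sqlservr.exe'
            }
            elseif ($component -eq 'RS' -and $setup.SQLPath) {
                # Assumed SSRS layout: <SQLPath>\ReportServer\bin\ReportingServicesService.exe
                $binary = Join-Path $setup.SQLPath 'ReportServer\bin\ReportingServicesService.exe'
            }

            $fileVersion = $null
            if ($binary -and (Test-Path $binary)) {
                $fileVersion = (Get-Item $binary).VersionInfo.ProductVersion
            }

            [pscustomobject]@{
                Component   = $component
                Instance    = $prop.Name
                InstanceId  = $instanceId
                Version     = $setup.Version
                PatchLevel  = $setup.PatchLevel
                Binary      = $binary
                FileVersion = $fileVersion
            }
        }
    }
}

# Reporting Services also registers a Windows service named ReportServer
# (or ReportServer$INSTANCE); its presence is a quick second signal.
$rsServices = Get-Service -Name 'ReportServer*' -ErrorAction SilentlyContinue

Get-SqlInstanceInventory | Format-Table -AutoSize
if ($rsServices) {
    Write-Host "Reporting Services service(s) present: $($rsServices.Name -join ', ')"
} else {
    Write-Host 'No ReportServer service found on this host.'
}
```

A host that lists only SQL rows and no ReportServer service is one that the automated channels (Windows Update, WSUS, SCCM) will not offer MS12-070 to; if you still want it at the same build as your SSRS hosts, you apply the package by hand and re-run the inventory to confirm PatchLevel and FileVersion moved together.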

 

 

Comments

Posted by StormNorm on 10 October 2012

If SSRS component of SQL is not installed, does MS still recommend this update?

Posted by K. Brian Kelley on 11 October 2012

Microsoft does not indicate one way or the other specifically. However, based on the files affected, it looks like we should.

I wrote a follow-up (today's - 11 Oct - post) after a Twitter discussion with Andy Galbraith and Aaron Bertrand. Andy asked the same question and Aaron made the point that there were likely updates to more than just the SSRS-specific files.

As is almost always the case, Aaron was spot on. When I went to check the file manifests for the patches, they covered non-SSRS files, to include sqlservr.exe. So I'd apply it.

Posted by kevin.unglesbee on 15 October 2012

At the bottom of the affected products table it says:

"This update is only offered to customers running SQL Server Reporting Services (SSRS)." I think it only needs to be installed on servers with SSRS installed.

Posted by Markus on 15 October 2012

I have two idle SQL Servers, neither with Reporting Services installed. SQL2008 SP3. I manually downloaded and applied the patch on one and it was successful. I was a little surprised that it did not notice that Reporting Services was not installed but it proceeded with the patch.

On the other one I used SQL2008 Setup, and went that route to check for updates and it did not find anything to update because Reporting Services is not installed.

When I was on the Microsoft Patch Tuesday conference call they said it only affects Reporting Services. So, my thinking is that the vulnerability will only be exploited if Reporting Services is installed so there is really no need to apply this patch to SQL Server if Reporting Services is not installed.

Thoughts?

Posted by K. Brian Kelley on 15 October 2012

I did a follow up to this post.

According to Microsoft, the vulnerability only exists in SSRS. And it's only vulnerable if SSRS is configured (which is logical). Therefore, if you have an automated deployment mechanism, like WSUS or SCCM, it's not going to detect and push unless SSRS is installed. I would assume that the install checking for updates uses the same logic.

So if you're looking to do the minimal impact, then it only needs to go on SSRS installs. However, if you're looking to get systems to a consistent build number, then it makes sense to apply to all, though it may be a manual effort. The catch with this update, like most SQL Server updates, is that they are cumulative. Therefore, more than SSRS is affected by the update itself, though the bulletin specifically addresses an SSRS vulnerability.
