SQLServerCentral Article

Security Alert: SQL Server Security Bug and Patch


Happy Holidays, database administrators! As a parting present before you go home for your year-end break, Microsoft has announced a security problem in SQL Server 7.0 and 2000. Thanks go to the guys at @Stake, who found two vulnerabilities in SQL Server 7.0 and 2000. One of the vulnerabilities allows a buffer in a SQL Server function to be overrun and potentially allows a hacker to have access to files and cause harm to your server. The other vulnerability allows a hacker to issue a denial of service attack on your SQL Server through the C runtime


In the first problem, a hacker could potentially overrun one of SQL Server's buffers in a function and could then impersonate whichever account is starting your SQL Server. After the hacker obtains this access, he could crash your SQL Server or run whichever program he wishes. The second problem allows the hacker to gain partial access to the C runtime environment. After he obtains this access, the most he can do is issue a denial of service attack on your SQL Server, effectively preventing other users from getting into your system. This bug would only affect SQL Servers running Windows NT, 2000 or XP.

The attack is issued through malicious queries that use the problem SQL Server functions. Microsoft issued patches last week to address the problem. Since these are essentially two problems, Microsoft has issued two patches. Only apply the patch to fix the problem if you have SQL Server 7.0 SP3 or SQL Server 2000 SP1. The patch has been rolled into SQL Server 2000 SP2. The second patch can be considered much more risky, since it modifies the C environment on your computer, which low-level OS items use. Although I had no problems applying this patch in my testing environment, make sure you test it in your own as well. If a problem does occur in this patch, it could cause your OS to become unstable.

This problem can be limited by using best security practices. For example, ensure that the account that starts your SQL Server and SQL Server Agent services has limited authority. Oftentimes, I see this user have administrator rights. This bug could really harm systems like that. The likelihood of this causing a problem in your environment can also be limited if you control how your system is queried. For example, by making sure users have a controlled method of querying your system (non-ad hoc), you can lower the risk.
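
One way to check the service-account point above on a current Windows host, as an added example that is not part of the original article: the PowerShell below lists the account that starts each SQL Server and SQL Server Agent service and flags LocalSystem or direct membership of the local Administrators group. It assumes Windows PowerShell 5.1 or later and the standard service names (MSSQLSERVER, SQLSERVERAGENT, MSSQL$<instance>, SQLAgent$<instance>); membership through nested domain groups is not resolved.

```powershell
# Added example (not from the article): audit the accounts that start
# SQL Server and SQL Server Agent. Assumes Windows PowerShell 5.1+, run locally.
$adminSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Default-instance and named-instance service names (assumed standard naming).
$filter = "Name = 'MSSQLSERVER' OR Name = 'SQLSERVERAGENT' " +
          "OR Name LIKE 'MSSQL`$%' OR Name LIKE 'SQLAgent`$%'"
$services = Get-CimInstance -ClassName Win32_Service -Filter $filter

# SIDs of the direct members of local Administrators (nested groups not expanded).
$adminMembers = Get-LocalGroupMember -SID $adminSid |
    ForEach-Object { $_.SID.Value }

foreach ($svc in $services) {
    $account = $svc.StartName
    $finding = 'OK: not a direct member of local Administrators'

    if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
        # LocalSystem has full control of the host; code run through the
        # service inherits that.
        $finding = 'HIGH: service runs as LocalSystem'
    }
    else {
        # Win32_Service reports local accounts as ".\name"; expand the dot
        # so the name can be translated to a SID.
        $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        try {
            $sid = [System.Security.Principal.NTAccount]::new($name).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($adminMembers -contains $sid) {
                $finding = 'HIGH: account is a local administrator'
            }
        }
        catch {
            $finding = 'UNKNOWN: could not resolve account to a SID'
        }
    }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $account
        State   = $svc.State
        Finding = $finding
    }
}
```

Any row marked HIGH is a service whose compromise through a bug like the buffer overrun described above would hand over administrative control of the host.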

Read more details about the vulnerabilities and download the patches.