A set of security holes, three in Microsoft's SQL Server and one in
an encryption plug-in made by Network Associates for Microsoft's
Outlook e-mail client, were patched by the vendors yesterday
(Thursday).
The three vulnerabilities in SQL Server, which all affect SQL
Server 2000 and MSDE (Microsoft Data Engine) 2000, were deemed
moderate risk in Microsoft's security bulletin, though two of them
could possibly allow an attacker to take over an affected server,
the company said.
The first vulnerability comes as the result of a buffer overflow in
the part of SQL Server that handles user authentication and the
encryption of user passwords, Microsoft said.
Were an attacker to exploit this flaw, they could make changes to
the database hosted on the server and might even be able to control
the server itself, depending on the system's configuration, the
company said.
The scope of the vulnerability is limited, however, because a user
would need to have a valid logon to the system to launch such an
attack and would only be able to make changes with the privileges
of the predefined security setting, which is not, by default, the
highest level, Microsoft said.
The second vulnerability, which is also a buffer overflow, exists
in the bulk data insertion component of SQL Server, which is used
to copy large numbers of files in a database view or table,
Microsoft said. If an attacker exploited the vulnerability, they
could modify the database or potentially take over the server, the
company said.
The flaw's impact is limited, though, because only users with Bulk
administrator and full administrator rights are able to exploit the
vulnerability, Microsoft said.
The third SQL bug could allow an attacker to elevate their
privileges on a system, possibly giving the attacker operating
system-level control, because of incorrect registry key information
in the part of SQL Server that stores service account information,
Microsoft said.
A patch for these vulnerabilities, which is included in a
cumulative patch for other SQL Server flaws, is available at
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
The security hole related to Outlook, which was discovered by
security firm eEye Digital Security, resides in the PGP (Pretty
Good Privacy) plug-ins made by Network Associates that can be used
with Outlook to encrypt e-mail.
A specially designed e-mail sent to systems using the plug-ins can
run malicious code and compromise their PGP-encrypted
communications, eEye said.
The vulnerability affects PGP Desktop Security 7.0.4, PGP Personal
Security 7.0.3 and PGP Freeware 7.0.3, according to the
company.
An Outlook user with the vulnerable components needs only to open
an e-mail that includes attack code to be attacked; no attachment
needs to be opened, eEye said.
A patch for the vulnerability can be downloaded at
www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp