Microsoft patches hole in SQL Server

Microsoft has released a patch for a security hole in its SQL Server 7.0 and 2000 databases that could allow an attacker to execute code of their choice on an affected system by exploiting a buffer overflow vulnerability.

The vulnerability concerns Microsoft-written extended stored procedures - code that is used to help SQL Server perform tasks, according to Microsoft's advisory. A number of the extended stored procedures installed by SQL Server 7.0 and 2000 contain a buffer overflow vulnerability that could be exploited either by calling one of the affected functions in the database or by creating a specifically formed query on a Web-accessible database, Microsoft said. Either technique would allow an attacker to crash the server or run code of their choice in the server's security zone.

A buffer overflow is a vulnerability made possible by coding errors in which the amount of memory assigned to a task or application is overrun, often causing a system crash or takeover.

Microsoft rated the vulnerability moderate because code run on affected servers could only run in the server's security zone and best practices would block untrusted users from exploiting the holes.

More information about the vulnerability and the patch is available at www.microsoft.com/technet/security/bulletin/ms02-020.asp
