A pair of security holes in Microsoft Corp.'s SQL Server database could make the product vulnerable to a denial of service attack and to the execution of malicious code by an attacker, the company said. Patches to fix the holes are available for download from Microsoft's Web site.

The security problems affect SQL Server 2000 and SQL Server 7.0 and are related to the way these two versions of the product create and display text messages after a query is submitted, the company said in a security bulletin. Microsoft labeled the risk from the first flaw as "moderate" and from the second flaw as "low."

The first and more serious vulnerability results from the failure of the SQL Server text-generating functions to limit the size of the text to the buffer space allotted by the system. This can lead to a flaw known as buffer overflow, which could allow an attacker to execute code within the system. The extent of the damage that the attacker could cause would depend on how the database administrator has configured the product's security parameters. In the worst-case scenario, the attacker could gain "significant control over the database, and perhaps over the server itself" and be able to "add, delete, or change data in the database, ... reconfigure the operating system, install new software on it, or simply reformat the hard drive," according to the security bulletin.

The second vulnerability is related to C runtime functions for formatting text strings. The database calls these strings when it runs on Windows NT 4.0, Windows 2000 or Windows XP operating systems. The flaw can make the database vulnerable to a denial of service attack, Microsoft said. The C runtime is the set of executables and files that provide support for programs written in the C programming language, and all Windows platforms ship with a runtime for C, Microsoft said. A "format string" vulnerability occurs when "a function that accepts formatted text for printing doesn't properly validate it before using it," Microsoft said.

Microsoft is recommending that database administrators apply the patch for the first vulnerability to all systems running SQL Server 7.0 and SQL Server 2000. However, the patch for the second vulnerability should be applied "only to systems judged to be at high risk" for attack because if it turns out that the patch is itself flawed, it could have disastrous consequences in a system.

"The C runtime is fundamental to many operating system functions, including the ability to boot the system at all. Because of this, we believe the threshold for applying the patch should be higher," the bulletin reads.

The patch has been "thoroughly tested" but "we cannot perform the same level of testing (on a patch) as would be performed for a service pack or a new product version ... (so we) believe that it's prudent to only apply it to servers that are truly at risk," the bulletin reads. Otherwise, users are advised to wait until the next SQL Server service pack which will have the fix in it.

The security bulletin can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-060.asp.

ITworld.com

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine