A bushel of security holes, three in Microsoft Corp.'s SQL Server and one in an encryption plug-in made by Network Associates Inc. for Microsoft's Outlook e-mail client, were patched by the vendors Thursday.
The three vulnerabilities in SQL Server, which all affect SQL Server 2000 and MSDE (Microsoft Data Engine) 2000, were deemed moderate risk in Microsoft's security bulletin, though two of them could possibly allow an attacker to take over an affected server, the Redmond, Washington, company said.
The first vulnerability comes as the result of a buffer overflow in the part of SQL Server that handles user authentication and the encryption of user passwords, Microsoft said. Were an attacker to successfully exploit this flaw, they could gain the ability to make changes to the database hosted on the server and might even be able to control the server itself, depending on the system's configuration, the company said.
The scope of the vulnerability is limited, however, because a user would need to have a valid log-on to the system in order to launch such an attack and would only be able to make changes with the privileges of the predefined security setting, which is not, by default, the highest level, Microsoft said.
The second vulnerability, which is also a buffer overflow, exists in the bulk data insertion component of SQL Server, which is used to copy large numbers of files in a database view or table, Microsoft said. If an attacker successfully exploited the vulnerability, they could modify the database or potentially take over the server, the company said.
The flaw is mitigated, though, because only users with Bulk administrator and full administrator rights have the ability to attack the vulnerability, Microsoft said.
The third SQL bug could allow an attacker to elevate their privileges on a system, possibly giving the attacker operating system-level control, due to incorrect registry key information in the part of SQL Server that stores service account information, Microsoft said.
A patch for these vulnerabilities, which is included in a cumulative patch for other SQL Server flaws, is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp.
The security hole related to Outlook, which was discovered by security firm and bug hunter eEye Digital Security Inc., resides in the PGP (Pretty Good Privacy) plug-ins made by Network Associates that can be used with Outlook to encrypt e-mail. A specially designed e-mail sent to systems using the plug-ins can run malicious code and compromise their PGP-encrypted communications, eEye said.
The vulnerability affects PGP Desktop Security 7.0.4, PGP Personal Security 7.0.3 and PGP Freeware 7.0.3, according to the company.
An Outlook user with the vulnerable components needs only to open an e-mail that includes attack code to be attacked; no attachment needs to be opened, eEye said.
A patch for the vulnerability can be downloaded at http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp