Microsoft Corp. posted a cumulative patch for its SQL Server 7.0 and 2000 database software late Wednesday, also patching four new vulnerabilities.
Also affected are Microsoft Data Engine (MSDE) 1.0 and MSDE 2000, products often used with SQL Server, Microsoft said in security bulletin MS02-056. The vendor rates the vulnerabilities "critical."
Two of the newly patched flaws are buffer overruns. One is in the user-authentication mechanism of SQL Server 2000 and MSDE 2000; the other is in the Database Console Commands, a utility that lets administrators do housekeeping tasks, in SQL Server 7.0 and 2000, Microsoft said.
A successful attack on either of the two buffer overrun flaws could give an attacker complete control over the database, Microsoft said. A buffer overrun occurs when a program writes more data into a block of memory than was allocated for it, overwriting adjacent memory and often allowing an attacker to execute code.
The third newly patched flaw relates to a feature that allows unprivileged users to schedule jobs in SQL Server 7.0 and 2000. The SQL Server agent should only perform job steps that are appropriate for the user's privileges, but in some cases it will use its own, often higher, privileges, Microsoft said.
The patch also fixes a fourth issue that Microsoft says could aid an attacker when a system is "poorly configured." After the patch is installed, SQL Server restricts unprivileged users to performing queries only against SQL Server data. This prevents these users from running queries against non-SQL Server data that may be incorrectly secured, Microsoft said.
Microsoft security bulletin MS02-056 is at: http://www.microsoft.com/technet/security/bulletin/MS02-056.asp