Posted by Jason Massie on Wednesday, July 09, 2008 at 8:41 PM to SQL Server 2008, bugfix, security
The changes in SQL Server to prevent the issues described in MS08-040 are already included in Cumulative Update 7 and later for SQL Server 2005 Service Pack 2. This was confirmed by a MSFT contact. To quote him:
If CU#7 or CU#8 has been installed for SQL 2005 SP2, then you do not need to apply the patch.
The version of the patch is (last 4 digits) 3233.
CU#7 is 3239 and CU#8 is higher.
Since the cumulative updates are indeed cumulative, CU#7 and CU#8 both have this security patch.
The OS may still need to be patched. SUS or Windows Update should be able to tell you that. Hopefully, this is the last SQL security post for a while. :)
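A quick way to check an instance against the build numbers quoted above, as an added T-SQL example that is not from the original post. It assumes only what the post states: the hotfix is build 3233 and CU#7 (3239) or any later cumulative update already carries it.

```sql
-- Added example: does this SQL Server 2005 instance already carry the MS08-040 fix?
-- Assumptions (from the post above): hotfix build is 3233; CU#7 is 3239; anything
-- at or above 3233 on the 9.00 branch includes the fix. Written for SQL 2005 syntax.
DECLARE @version nvarchar(128), @major int, @build int;

-- ProductVersion looks like '9.00.3233.00'; PARSENAME splits on the dots,
-- counting from the right, so part 4 is the major version and part 2 the build.
SET @version = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
SET @major   = CAST(PARSENAME(@version, 4) AS int);
SET @build   = CAST(PARSENAME(@version, 2) AS int);

SELECT
    @version                        AS ProductVersion,
    SERVERPROPERTY('ProductLevel')  AS ProductLevel,  -- expect 'SP2' on a CU#7+ box
    SERVERPROPERTY('Edition')       AS Edition,
    CASE
        WHEN @major <> 9     THEN 'Not SQL Server 2005: check the bulletin for this version'
        WHEN @build >= 3233  THEN 'Patched: hotfix 3233 or a later cumulative update'
        ELSE                      'NOT patched: apply the MS08-040 hotfix or CU#7 and later'
    END                             AS Ms08040Status;
```

Run it on each instance (or through a central management job); the query only reads server properties, so it needs no elevated rights beyond a login.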
Posted by Jason Massie on Tuesday, July 08, 2008 at 11:51 PM to bugfix, SQL Server 2005, security
One of the security vulnerabilities was discovered by iDefense. They released their public advisory today with more details here. Here is an excerpt:
Remote exploitation of an integer underflow vulnerability within Microsoft Corp.'s SQL Server could allow a remote attacker to execute arbitrary code with the privileges of the SQL Server.
The vulnerability exists within the code responsible for parsing a stored backup file. A 32-bit integer value, representing the size of a record, is taken from the file and used to calculate the number of bytes to read into a heap buffer. This calculation can underflow, which leads to insufficient memory being allocated. The buffer is subsequently overfilled leading to an exploitable condition.
The Microsoft Security Vulnerability Research & Defense blog provided even more info later today. The full post is here. Let's look at three sentences from this post that tell us this is really only dangerous if you are not following best practices to begin with.
- The vulnerability requires an attacker to be able to force the SQL Server to load a malicious MTF file from the local drive or from the network.
- In order to remotely exploit this vulnerability, the attacker could leverage a separate SQL injection vulnerability and then trigger the SQL Server to load a malicious MTF file from the Internet.
- Therefore, if you see SQL Server loading MTF files from the Internet, it is probably bad news.
Your app has to be injectable, and the database server has to be open to port 80. If that is true, you are probably already running SQL as a domain admin or SA has a blank password. ;)
You should still test and deploy the hotfix ASAP. Do you trust all of the variables? Your code, MS's code, the disclosure... Even if you do, there are still three other undisclosed vulnerabilities, so get to patching.
Posted by Jason Massie on Tuesday, July 08, 2008 at 12:11 PM to bugfix, SQL Server 2005, Windows Server 2008, security
Well, it was a great run. SQL Server 2005's pristine security record is now tarnished. In fact, there has not been a new SQL Server security vulnerability since 2003. It looks like they took the SQL Slammer lesson to heart.
"Executive Summary
This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
1. Memory Page Reuse Vulnerability - CVE-2008-0085
An information disclosure vulnerability exists in the way that SQL Server manages memory page reuse. An attacker with database operator access who successfully exploited this vulnerability could access customer data.
2. Convert Buffer Overrun - CVE-2008-0086
A vulnerability exists in the convert function in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system.
3. SQL Server Memory Corruption Vulnerability - CVE-2008-0107
A vulnerability exists in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system.
4. SQL Server Buffer Overrun Vulnerability - CVE-2008-0106
A vulnerability exists in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system.
The full article can be found here.
Don't know what "Windows Internal Database" is? I didn't either. Here is the Wikipedia entry. I wonder if Windows 2008 will get an upgrade when Katmai RTMs.
Update: The binaries have been released. SQL 2005 gets bumped to version 9.00.3233.00. The direct x86 and x64 SQL 2005 download is here. Refer to the full article for the 7.0, 2000, and Express editions.