MS fixes tool flaw; another appears in SQL Server

A security alert was issued by Microsoft Corp. Tuesday to select customers and developers over a vulnerability in its File Transfer Manager (FTM) program that could allow an attacker to take over vulnerable systems.

The flaw can be found in the program which Microsoft offers to its developers and volume-license customers, according to an e-mail the Redmond, Wash., company sent to a select group of FTM users. Microsoft said it believes that only a small number of its customers are affected by the flaw, although it didn’t provide a ballpark number for how many might be affected.

Though the company only provided basic details about the existence of the flaw, a separate security alert released last week by Ukrainian security researcher Andrew Tereschenko, who was thanked in Microsoft’s alert, provided more information. The vulnerabilities are both the result of flaws in ActiveX controls included in versions released before File Transfer Manager 4.0, which came out in June, he said in his alert.

The first hole, which can be exploited via a buffer overflow, could allow virtually any Web site to install an ActiveX control on a user’s computer, he said. The second vulnerability exploits a man-in-the-middle attack, in which the attacker intercepts traffic between a host and the target PC to download or upload any file from or to an affected PC, he said.

Tereschenko disputed Microsoft’s claim that only a small number of customers are affected by the flaw.

To repair the flaw, Microsoft urged users of File Transfer Manager to upgrade their software to version 4.0. The new version of the software is available at http://transfers.one.microsoft.com/ftm/install.

Separately, security research firm Next Generation Security Software Ltd. said Monday that it had discovered a vulnerability in Microsoft’s SQL Server 7 and 2000 that could allow a user with low access privileges to overwrite files in the database.

The vulnerability exists in the SQL Server agent, a helper component used to restart the database service on SQL Server if it stops, NGSoftware said. Because the agent can accept jobs from low-privileged users by default, an attacker could create a specially crafted query that can, in some cases, cause the agent to overwrite files on the server, the group said.

NGSSoftware said that it had notified Microsoft of the problem in July but that the software company had not yet released a patch.

SQL Server should be configured to disallow low privileged users access to the job procedures in order to prevent the problem, NGSSoftware said.

Representatives from Microsoft Canada were not immediately available for comment

The alert and more information on the work-around can be found at http://www.nextgenss.com/advisories/mssql-jobs2.txt.

– With files from IDG News Service

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

IT World Canada Staff
IT World Canada Staffhttp://www.itworldcanada.com/
The online resource for Canadian Information Technology professionals.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now