MS: Security hole in SQL lets attackers take over

A security flaw in Microsoft Corp.’s SQL Server 7.0 and SQL Server 2000 Gold can allow an attacker to take control of a targeted server, the company said in a security bulletin late Tuesday night. Microsoft issued a patch for the flaw at the same time it released the bulletin.

A hitch in the way database connections are handled by the SQL (structured query language) server could allow an attacker to hijack an administrator’s connection, thus gaining administrator privileges, the company said, but added that the vulnerability only exists in servers configured for Mixed Mode authentication, a configuration type Microsoft recommends against, and can only be exploited by users who already have access to the server.

When a user ends a database session with a SQL server, the connection that has just ended is temporarily cached. However, using a special kind of server query, an attacker could exploit this flaw to restart an administrator’s connection, thus gaining the administrator’s access privileges, according to the bulletin. If this were to occur, the attacker could make any changes to the database, including adding, changing or deleting data, and could run code of the attacker’s choice on the server, Microsoft said.

The bug is mitigated, however, due to the necessity that the server be configured for Mixed Mode authentication in order for the flaw to be usable, the company said. Mixed Mode authentication is a process by which the server attempts to authorize a user through Windows methods, but failing that uses SQL. This option is typically used on SQL servers hosted on Windows 95 and 98 systems and the company warns against it, Microsoft said.

Additionally, the bug is mitigated because the attacker would already have to be authorized by the server in order to restart a terminated connection.

The security bulletin and patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-032.asp

Microsoft Canada, in Mississauga, Ont., can be reached at http://www.microsoft.ca.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now