Microsoft has patched a buffer overflow vulnerability in its SQL Server database software, it said on Wednesday. The bug could have caused the software to fail when establishing ad-hoc data connections to remote data sources.
The flaw affects Microsoft SQL Server 7.0 running on Windows 2000. An error in the checking of data provider names could cause a buffer overrun when attempting to establish an ad-hoc connection to less commonly used data sources, Microsoft said in a security bulletin dated February 20. A buffer overrun could cause the SQL Server service to fail, or cause attacker-supplied code to run in the security context of the SQL Server service, thus compromising server security, Microsoft said.
The risk to corporate users is only likely to be moderate, according to Microsoft, since SQL Server can be configured to run in a security context chosen by the administrator. If the rule of least privilege is used, that would minimise the amount of damage an attacker could achieve, Microsoft said.
Buffer overflow flaws are among the most common bugs found in software. In the case of the hole found in Microsoft SQL Server, "most of the vulnerability is related to the privileges given by the systems administrator, so ordinary users are limited in what they can do", said Allan Bell, Sydney-based senior marketing manager for security software vendor Network Associates.
Although holes in software open enterprises to vulnerability, some flaws are harder to take advantage of, Bell said. However, the best way to protect any organisation is to have up-to-date antivirus and firewall protection so that no virus or trojan horse application can take advantage of existing vulnerabilities, he said.
Links to the appropriate patches are available on Microsoft's security bulletin, located at http://www.microsoft.com/technet/security/bulletin/ms02-007.asp.