SQL Server 7.0 to 2005 Security Vulnerabilities Could Allow Elevation of Login Privileges
By: Tim Ford | Comments | Related: > Security
On a recent trip out west we were informed via radio that there were a series of earthquakes occurring off the coast of Vancouver Island. We happened to be sailing directly over the location of these earthquakes and never noticed anything, although the scientists tasked with monitoring such events were fully aware of the situation. You may wonder what this has to do with SQL Server. Well, you may not have been aware of the latest security release for SQL Server 2005 unless you were monitoring releases of this nature. At any rate, KB948109 was released in July and provides protection against vulnerabilities that would allow elevation of privileges by an attacker. While this security update is only a portion of the greater Microsoft Security Bulletin MS08-040 released in July, I am only focusing on this Knowledge Base article relating to Microsoft SQL Server 2005. The vulnerability and the updated code actually encompasses all versions of SQL Server 7.0 to SQL Server 2005.
This update (Vulnerabilities in Mi crosoft SQL Server Could Allow Elevation of Privilege) should be applied at your earliest opportunity to all instances of SQL Server 7.0 to SQL Server 2005 according to Microsoft. Information relating to what actions are prevented by this update, applicable editions of SQL Server, the known issues with the update and directions for updating your instances of Microsoft SQL Server can be found at the following Microsoft-supported websites:
- Microsoft Security Bulletin MS08-040 - Vulnerabilities in Microsoft SQL
Server Could Allow Elevation of Privilege (941203)
- High-level description of exposed vulnerability
- Listing of all software versions exposed to vulnerability
- Listing of all required service packs that must be installed prior to installing latest security update
- Security Update for SQL Server 2005 Service Pack 2 (KB948109)
- Detailed explanation of known issues with the installation of the latest security update KB948109
- Information on how to obtain the update executables
- Highly-detailed listing of the file attributes associated with this release.
- Executables for Itanium, x64, and x86 security upgrade
It is important to note that prior to initiating the update that you should back up all of your system databases. I also recommend backing up the tail of all your transaction logs for each user database on the instance. I did not see reference to either of these steps in the documentation, but it is a good practice to get in the habit of whenever you make a change to your SQL Server instances. As with all SQL Server 2005 service pack installations and security updates to date, you will need to stop services that relate to files being updated on the server during the installation process. This update requires that you stop the SQL Services. This measure will also stop the SQL Server Agent service by default as it depends upon the base SQL Server service to be running. An added requirement of this update is that the SQL Server VSS Writer service must be running. You can disable the service after completion of the update if you so wish.
An interesting result (interesting is a synonym for unfortunate in MY dictionary if you're playing along at home) of this update is that the settings for some of your SQL Server based services will be changed upon completion. My SQL Server, SQL Server Agent, and Full-Text Search services were all set to Manual Start Mode once the process completed. They were originally set to Automatic (for obvious reasons). Furthermore, while the Full Text Search service was up and running, SQL Server and SQL Server Agent services were not. I've also heard reports that SQL Server Reporting Services service is affected in a similar fashion: service stopped and set to Manual start. To resolve these issues, use the SQL Server Configuration Manager to change the service settings to Automatic and then start the affected services that are currently stopped.
You will notice after installation that running the SELECT @@version query will reflect the latest versioning for SQL Server which is 9.00.3068.00.
- Read through the information relating to this update in the links provided above.
- Analyze your environment and determine if your SQL Server instances have the current service pack and the latest security patches.
- Be sure to review the documentation for the latest upgrade to determine if it is cumulative with previous security upgrades or service pack releases.
About the author
View all my tips