July 25, 2002 10:40 AM PDT
Microsoft stomps on swarm of bugs
The four advisories--for SQL Server 2000, Exchange Server and metadirectory service--were released midweek in what is now becoming a new bulletin policy for the software giant, said Scott Culp, manager of Microsoft's security response team.
"We are trying to make them a bit more predictable (in timing)," he said. "System administrators...(and) companies are much more likely to have all their staff in place to handle the patches."
The most critical flaws occurred in SQL Server 2000, in a new feature that allows a single server to run multiple instances of the database software, opening up access to several stores of information.
Two of the vulnerabilities in the SQL Server software package are known buffer overflows. These flaws occur when an application does not handle memory correctly. By causing a buffer overflow, attackers can insert their own code into the execution of the application.
"They could have full access to the database," Culp said.
A third SQL Server 2000 flaw outlined in the advisory could result in a denial-of-service attack. The problem occurs in a specific command that can be sent to the software: The application will send the identical command back to the source. An attack that sends a request and spoofs the Internet address so it points to another SQL Server instead of itself can create a situation where the servers are sending requests automatically like an informational ping-pong game at Internet speed.
"You could initiate this exchange and then it would be self-sustaining," Culp said. "There is a gee-whiz factor about (the attack), but it is only of moderate severity."
The critical advisory and patches for SQL Server 2000 and the three moderate advisories and patches (SQL Server 2000, Exchange Server and metadirectory service) can be found on Microsoft's security Web page.