Group: MPulse Admin
Today, Microsoft released a security bulletin describing vulnerabilities that affect the database components shipped with MPulse. These vulnerabilities affect different versions of SQL Server to different extents; a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs.

MS08-040: Four SQL Server and Windows SQL Server component vulnerabilities

All server versions of Windows ship with a SQL Server component, called either the Windows Microsoft SQL Server Desktop Engine (WMSDE) or the Windows Internal Database (WYukon). Unfortunately, both SQL Server and its Windows components suffer from four security vulnerabilities.

Three of the vulnerabilities differ technically, but share the same general characteristics: By executing specially crafted SQL queries, an authenticated attacker can exploit these vulnerabilities to execute code on your Windows server, gaining complete control of it. Note, however, that only authenticated SQL attackers can exploit these vulnerabilities. If the attacker can't obtain valid credentials on your SQL Server (even low-privileged credentials would do), he could not leverage this attack.

The remaining information disclosure vulnerability allows a fairly privileged SQL user to gain access to customer data. It poses less risk than the three code execution flaws described above.

Microsoft rating: Important.

Randy Brous
MPulse Maintenance Software
800-944-1796 x1468
541-302-6680 FAX
rbrous@mpulsesoftware.com
http://www.mpulsesoftware.com