Microsoft Security Advisory 961040

Hello, Bill here,


I wanted to let you know that we have just posted Microsoft Security Advisory (961040).

This advisory contains information regarding public reports of a vulnerability in SQL Server that could allow for remote code execution. We are aware that exploit code has been published on the Internet; however, we are not aware of any attacks attempting to use the reported vulnerability.


To successfully exploit this vulnerability, an attacker must be a local or remote authenticated user on the system. However, if an attacker has already compromised a web server via SQL injection, they could exploit this vulnerability as an unauthenticated user.


It’s important to note that systems running Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 SP3, or Microsoft SQL Server 2008 are not affected by this issue. Also, because Microsoft SQL Server Desktop Engine 2000 (MSDE 2000) and SQL Server 2005 Express do not allow remote connections by default, an attacker would already need local access to a machine running MSDE 2000 or SQL Server 2005 Express to exploit this vulnerability.
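As an added triage example (not Microsoft's code and not part of the advisory), the helper below turns the version and exposure statements in this post into a repeatable inventory check. It takes the values an administrator would read from `SERVERPROPERTY('ProductVersion')`, `SERVERPROPERTY('ProductLevel')` and `SERVERPROPERTY('Edition')`, plus whether the instance accepts remote connections. Two assumptions not stated on the page: ProductVersion major numbers 7, 9 and 10 correspond to SQL Server 7.0, 2005 and 2008, and MSDE 2000 / SQL Server 2005 Express report an Edition string containing "Desktop Engine" or "Express". The sample inventory is constructed; the build numbers in it are placeholders.

```python
"""Added triage helper (not Microsoft's code): sorts SQL Server instances by the
version and exposure statements in Advisory 961040's announcement.

Assumptions not on the page: ProductVersion major 7 / 9 / 10 = SQL Server
7.0 / 2005 / 2008, and MSDE / Express carry "Desktop Engine" / "Express" in
their Edition string.
"""
import re

# Version + service-pack combinations the post says are NOT affected.
UNAFFECTED = {(7, "SP4"), (9, "SP3")}
UNAFFECTED_MAJORS = {10}  # SQL Server 2008 at any service-pack level


def parse_major(product_version: str) -> int:
    """Return the leading major number of a ProductVersion string such as '9.00.1234.00'."""
    m = re.match(r"\s*(\d+)\.", product_version)
    if not m:
        raise ValueError(f"unrecognised ProductVersion: {product_version!r}")
    return int(m.group(1))


def triage(product_version: str, product_level: str, edition: str,
           remote_connections_enabled: bool) -> dict:
    """Classify one instance.

    'exposure' follows the post: an affected instance that accepts remote
    connections is reachable by any remote authenticated user (or by an
    unauthenticated attacker who already controls a web server through SQL
    injection); one that does not is a local-only problem.
    """
    major = parse_major(product_version)
    level = product_level.strip().upper()
    affected = not ((major, level) in UNAFFECTED or major in UNAFFECTED_MAJORS)

    # Assumption: edition strings for MSDE 2000 and SQL Server 2005 Express.
    ed = edition.lower()
    default_local_edition = "desktop engine" in ed or "express" in ed

    if not affected:
        exposure = "none"
    elif remote_connections_enabled:
        exposure = "remote"
    else:
        exposure = "local-only"

    return {
        "affected": affected,
        "exposure": exposure,
        # MSDE 2000 and 2005 Express do not allow remote connections by default;
        # flag instances where that default has been changed.
        "remote_enabled_on_default_local_edition": default_local_edition and remote_connections_enabled,
    }


def triage_inventory(inventory):
    """Run triage over (version, level, edition, remote_enabled) rows, preserving order."""
    return [triage(*row) for row in inventory]


# Constructed sample inventory; build numbers are placeholders, not real releases.
SAMPLE_INVENTORY = [
    ("9.00.1234.00", "SP3", "Standard Edition", True),
    ("9.00.1234.00", "SP2", "Express Edition", False),
    ("9.00.1234.00", "SP2", "Express Edition", True),
    ("10.0.1234.0", "RTM", "Enterprise Edition", True),
    ("8.00.1234", "SP4", "Desktop Engine", False),
]


if __name__ == "__main__":
    for row, result in zip(SAMPLE_INVENTORY, triage_inventory(SAMPLE_INVENTORY)):
        print(row[0], row[1], row[2], "->", result)
```

Anything not explicitly listed as unaffected in the post is reported as affected, so a SQL Server 2000 SP4 instance comes back `affected`; confirm against the advisory itself before acting on the result.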


The advisory contains workarounds that customers can use to help protect themselves. Our investigation of this exploit code has verified that it does not affect systems that apply the workarounds listed in the advisory.


Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.


We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information. In the meantime, we encourage customers to review the advisory and implement the workarounds.


Bill Sisk

*This posting is provided “AS IS” with no warranties, and confers no rights.*