Microsoft Puts Out 5 Security Bulletins Overnight
By Scott Bekker
July 25, 2002
Microsoft issued five security bulletins on Wednesday night, including one bulletin and patch addressing three critical vulnerabilities in SQL Server 2000.
Two of the bulletins dealt with SQL Server 2000, one dealt with Microsoft Exchange Server 5.5, another involved Microsoft Metadirectory Services 2.2 and a fifth bulletin was a reissue of an earlier patch for Windows Media Player.
The critical vulnerabilities in SQL Server, fixed in the patch included with MS02-39, involve a problem with a popular feature introduced in SQL Server 2000 -- multiple instances of the database on a single machine.
Prior to SQL Server 2000, only one instance of SQL Server could be run on a single server. With SQL Server 2000, users could run several distinct SQL Server 2000 databases on a single machine.
Single instances of SQL Server traditionally listened for network traffic on TCP port 1433, according to Microsoft. Running multiple instances means a new port must be assigned to each instance, and something needs to keep track of which port each instance is listening on.
Enter the SQL Server Resolution Service, the target of the three critical new vulnerabilities. Two are buffer overruns, each of which could result in code execution. The other is a denial-of-service vulnerability that an attacker could exploit, through the use of spoofing, to cause two machines running SQL Server 2000 to pass identical messages back and forth to each other, sapping resources to the exclusion of useful work.
All the other vulnerabilities addressed in bulletins issued late Wednesday were moderate threats, except the reissued Windows Media Player patch. In the cumulative patch for Windows Media Player sent out last month, Microsoft "inadvertently omitted" a file containing the fixes from its 56th Microsoft Security Bulletin of 2001 -- making the patch not quite as cumulative as advertised.
To view all the bulletins, visit Microsoft's TechNet security page:
Scott Bekker is editor in chief of Redmond Channel Partner magazine.