Reported July 11, 2002, by Microsoft.
· Microsoft SQL Server 2000, all editions.
· Microsoft SQL Server 7.0, including Microsoft Data Engine (MSDE 1.0).
A vulnerability exists in SQL Server 2000 and SQL Server 7.0 (including MSDE 1.0) that can let an attacker compromise the vulnerable server. The vulnerability arises because the system stores the system administrator password in the setup.iss and log files and doesn't remove the password when the installation is complete. Anyone who can log on interactively can access these files and the password they contain.
The vendor, Microsoft, has released Security Bulletin MS02-035 (SQL Server Installation Process May Leave Password on System) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected product.
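A defender's check for the condition described above, as an added example that is not part of the advisory or of Microsoft's tooling: it scans a directory tree for setup.iss and log files that still hold a non-empty password entry. The `key=value` layout, the key names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: credentials appear as "key=value" lines whose key contains
# "pwd" or "password". The advisory does not give the real key names.
CRED_LINE = re.compile(r"^\s*([\w.-]*(?:pwd|password)[\w.-]*)\s*=\s*\S", re.I)

def read_text(path):
    """Decode a file that may be UTF-16 (with BOM) or an 8-bit code page."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("latin-1")

def find_leftover_credentials(root):
    """Return sorted (relative path, line number, key) for non-empty entries.
    The value itself is never returned, so the report is safe to store."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "setup.iss" and not name.lower().endswith(".log"):
                continue  # the advisory names only setup.iss and log files
            path = os.path.join(dirpath, name)
            try:
                text = read_text(path)
            except OSError:
                continue  # unreadable file: skip it
            for lineno, line in enumerate(text.splitlines(), 1):
                match = CRED_LINE.match(line)
                if match:
                    hits.append((os.path.relpath(path, root), lineno, match.group(1)))
    return sorted(hits)

def demo():
    """Build a constructed tree (made-up keys and values) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "setup.iss"), "w") as fh:
            fh.write("[Security]\nLoginMode=2\nsaPwd=Constructed!1\nAgentPwd=\n")
        with open(os.path.join(root, "install.log"), "wb") as fh:
            fh.write("step ok\r\nPassword = Constructed!2\r\n".encode("utf-16"))
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("password=ignored\n")
        return find_leftover_credentials(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Empty entries such as `AgentPwd=` are not reported, so a file whose password has already been blanked out passes the check.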