Microsoft Patches SQL Server Security Hole - 23 Mar 2000

Trying to keep hackers out of your systems without staying abreast of the latest security announcements is a little like playing video games against a PlayStation master who knows the "secret codes" when you don't. The odds aren't fair, and you'll probably end up dead.

To keep up-to-date on security announcements and patches for Microsoft products, subscribe to the Microsoft Product Security Notification Service. For more detailed information and solid editorial coverage of Microsoft security topics, you should also subscribe to Windows 2000 Magazine Security UPDATE, one of our sister email newsletters. (To subscribe to the Security UPDATE, go to or send an email to [email protected].)

If you subscribe to either free service, you already know about the SQL Server security patch Microsoft released March 8. An answer to an FAQ for this security patch says: "This vulnerability could allow a remote user to submit commands of his or her choice to a SQL Server or MSDE [Microsoft Data Engine] database, or potentially to the system hosting a SQL Server or MSDE database. The commands would be executed with the full privileges of the owner or administrator of the database."

All security patches are important, but you'll want to apply this one immediately. Without the patch, anyone can run a particular type of query using a particular form and gain sa rights, even if he or she connected to SQL Server as a regular user. What are the "particulars" for running the query? I'm not going to say because it would make life easier for a potential hacker. But be warned: If I know how to crack a SQL Server without this patch, other people know as well. Apply the patch now. (You can find FAQs about this vulnerability and the patch at

In a perfect world, all systems would be bug-free and I'd sail my luxury yacht to my private Caribbean island on weekends. I'm not holding my breath that either scenario will become reality any time soon. I could bash Microsoft for shipping a product with a serious bug (consider yourself chastised, Microsoft), but holes like this can and do appear on all platforms from time to time. Although it's wishful thinking to expect our systems will never have security bugs, we can demand that vendors supply fixes immediately. And in fairness to Microsoft, the bug is relatively obscure (no one discovered it until about 2 weeks ago) and Microsoft quickly provided a fix.

Giving credit where credit's due, Sven Hammesfahr of Munich, Germany, first reported the security problem to SQL Server Magazine and Microsoft. I'd like to thank Sven for not publicizing the bug until Microsoft could provide a fix. What should you do if you find something you think might be a serious security problem with a Microsoft product? The quickest and easiest way to report the problem is to send an email message to [email protected], an alias the Microsoft engineers who address security problems actively monitor. In this security bulletin's case, the SQL Server team was busily working on a patch within hours of Sven's initial email message.

Are you still reading? You should be patching your SQL Server!
