SYMPTOMS
SQL Server 7.0 provides a number of functions that enable
database queries to generate text messages. In some cases, the functions create
a text message and store it in a variable; in others, the functions directly
display the message. A vulnerability has been discovered with these functions.
Use of an invalid format type character may cause SQL Server to overwrite an
internal buffer, which in turn may overwrite an address in the SQL Server
process space with arbitrary data. If this occurs, SQL Server may potentially
allow you to execute arbitrary code within SQL Server, or the SQL Server
process may terminate abnormally.
For additional information about this security fix, refer to
the following Web address:
Microsoft Security Bulletin MS01-060
RESOLUTION
To resolve this problem, obtain the latest
service pack for Microsoft SQL Server 7.0. For additional information, click
the following article number to view the article in the Microsoft Knowledge
Base:
301511 INF: How to Obtain the Latest SQL Server 7.0 Service Pack
NOTE: The following hotfix was created prior to Microsoft SQL Server
7.0 Service Pack 4.
Microsoft recommends that you apply this hotfix
to your SQL Server 7.0 installation. SQL Server 7.0 Service Pack 3 is required
to apply this fix.
For more information about how to obtain SQL
Server 7.0 Service Pack 3, please see the following article in the Microsoft
Knowledge Base:
274799 How to Obtain Service Pack 3 for Microsoft SQL Server 7.0
NOTE: SQL Server 7 (7.00.1020), or later, already contains the fix;
therefore, you do not need to apply the hotfix if you are using SQL Server 7
(7.00.1020) or later.
Alpha
The following file is available for download from the Microsoft Download
Center:
Release Date: JAN-24-2002
For additional information about how
to download Microsoft Support files, click the following article number to view
the article in the Microsoft Knowledge Base:
119591 How To Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
Intel
The following file is available for download from the Microsoft Download
Center:
Release Date: JAN-24-2002
To ensure that you have properly installed the fix, run the following command
from Query Analyzer, or from OSQL at the command prompt:
SELECT @@VERSION
Depending on your platform, the result you receive is either:
- "Microsoft SQL Server 7.00 - 7.00.1020 (Intel X86)" or greater
-or-
- "Microsoft SQL Server 7.0 - 7.00.1020 (Alpha)" or greater
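The version check above can be automated across several servers. The following is an added example, not part of the original article or any Microsoft tool: it parses collected SELECT @@VERSION results and compares the build numerically against 7.00.1020. The host names and sample banners are constructed, and treating non-7.0 banners as out of scope is an assumption made because this article covers only SQL Server 7.0.

```python
import re

# Build that already contains the fix, per this article.
FIXED_BUILD = (7, 0, 1020)

# Banner shape as quoted in the article:
#   "Microsoft SQL Server 7.00 - 7.00.1020 (Intel X86)"
BANNER_RE = re.compile(
    r"Microsoft SQL Server\s+[\d.]+\s+-\s+(\d+)\.(\d+)\.(\d+)\s+\(([^)]+)\)"
)

def parse_banner(banner):
    """Return ((major, minor, build), platform), or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    version = tuple(int(part) for part in m.group(1, 2, 3))
    return version, m.group(4).strip()

def fix_status(banner):
    """Classify one @@VERSION result."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed"
    version, _platform = parsed
    if version[:2] != (7, 0):
        # Assumption: anything other than 7.0 is outside this article.
        return "out-of-scope"
    # Integer tuples, not strings: as text, "961" sorts after "1020".
    return "fixed" if version >= FIXED_BUILD else "needs-fix"

def audit(banners_by_host):
    """Group host names by fix status; hosts are sorted within each group."""
    report = {}
    for host, banner in banners_by_host.items():
        report.setdefault(fix_status(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample input: host names and builds are illustrative only.
SAMPLE = {
    "db-a": "Microsoft SQL Server 7.00 - 7.00.1020 (Intel X86)",
    "db-b": "Microsoft SQL Server 7.00 - 7.00.961 (Intel X86)",
    "db-c": "Microsoft SQL Server 7.0 - 7.00.1020 (Alpha)",
    "db-d": "connection timed out",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(status, ", ".join(hosts))
```

Hosts reported as "unparsed" need a manual check, since a failed query says nothing about whether the fix is installed.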