INF: SQL Server 2000 Security Update for Service Pack 1 (316426)
The information in this article applies to:
- Microsoft SQL Server 2000 (all editions) SP1
This article was previously published under Q316426.

This article discusses a security or privacy issue that may affect the operation of your computer. The information in this article is provided "as-is" without warranty of any kind. The workaround or hotfix that is described in this article addresses the issue as it is currently understood, but may not protect against any undiscovered variants of this issue. Microsoft recommends that you apply this cumulative patch or implement the workaround if one is provided.

SUMMARY

Microsoft now distributes SQL Server security fixes as one download file. Because the security fixes are cumulative, each new release contains all of the security fixes that were included with the previous SQL Server security fix release. This Microsoft Knowledge Base article contains a list of all the security fixes that are available for SQL Server 2000 Service Pack 1 (SP1).
MORE INFORMATION

SQL Server Security Fixes

Non-Sysadmin User Can Execute XP_CMDSHELL If SQL Agent Proxy Account Revoked - Released January 29, 2002

After using SQL Server Enterprise Manager to disable the non-sysadmin Job Step Proxy Account:
- Non-sysadmin users can still successfully execute the xp_cmdshell command.
- Jobs that use xp_cmdshell and are owned by non-sysadmin users still execute successfully.
Workaround for this Issue

Do not disable the SQL Server Agent Proxy Account in SQL Enterprise Manager. Instead, disable the SQL Server Agent Proxy Account by using the following Transact-SQL batch (run it as a member of the sysadmin role):

-- Restrict job steps that run under the Agent to jobs owned by sysadmins.
EXECUTE msdb.dbo.sp_set_sqlagent_properties @sysadmin_only = 1
go
-- Make sure the statements that follow are executed, not merely parsed.
set noexec off
set parseonly off
go
-- Remove the stored proxy account credentials.
EXECUTE master.dbo.xp_sqlagent_proxy_account 'DEL'
go
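The batch above removes the proxy account, but it gives no feedback, and it does nothing about direct EXECUTE grants on xp_cmdshell or about existing non-sysadmin jobs that rely on the proxy. The following verification script is an added example and is not part of the Microsoft article. It is written for SQL Server 2000 and assumes that SQL Server Agent keeps the sysadmin_only setting in the registry value SysAdminOnly under SOFTWARE\Microsoft\MSSQLServer\SQLServerAgent (the location sp_set_sqlagent_properties writes to) and that xp_sqlagent_proxy_account N'GET' returns an empty result set once the account has been deleted; both are assumptions, not facts stated on this page.

```sql
-- Added verification script (not from the Microsoft article). Run as a
-- member of the sysadmin role after applying the Transact-SQL workaround.
SET NOCOUNT ON

-- 1. The Agent must only run job steps for sysadmin-owned jobs.
--    Assumption: the setting lives in the registry value SysAdminOnly.
DECLARE @sysadmin_only INT
EXECUTE master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\SQLServerAgent',
    N'SysAdminOnly',
    @sysadmin_only OUTPUT
IF ISNULL(@sysadmin_only, 0) <> 1
    PRINT 'FAIL: SQL Server Agent still accepts job steps from non-sysadmin job owners'
ELSE
    PRINT 'OK: sysadmin_only = 1'

-- 2. No proxy account should remain. Assumption: an empty result set means
--    the account has been deleted.
PRINT 'Proxy account currently stored by the Agent (expect no rows):'
EXECUTE master.dbo.xp_sqlagent_proxy_account N'GET'

-- 3. List explicit permissions on xp_cmdshell. In sysprotects, action 224
--    is EXECUTE; protecttype 206 is DENY, 204 and 205 are GRANT variants.
--    Any GRANT to a non-sysadmin principal bypasses the proxy restriction.
PRINT 'Explicit EXECUTE permissions on master.dbo.xp_cmdshell:'
SELECT USER_NAME(p.uid) AS grantee,
       CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS permission
FROM   master.dbo.sysprotects p
WHERE  p.id = OBJECT_ID('master.dbo.xp_cmdshell')
AND    p.action = 224

-- 4. Jobs owned by logins outside sysadmin that call xp_cmdshell or use the
--    CmdExec subsystem depended on the proxy account and will now fail;
--    review and re-own or remove them.
PRINT 'Non-sysadmin-owned job steps that use xp_cmdshell or CmdExec:'
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       s.step_id,
       s.subsystem
FROM   msdb.dbo.sysjobs j
JOIN   msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
LEFT JOIN master.dbo.syslogins l ON l.sid = j.owner_sid
WHERE  ISNULL(l.sysadmin, 0) = 0
AND   (s.subsystem = 'CmdExec' OR s.command LIKE '%xp_cmdshell%')
ORDER BY j.name, s.step_id
```

Step 3 is the check that matters most in practice: revoking the proxy account only stops xp_cmdshell from running as the proxy, it does not revoke EXECUTE on the extended procedure itself, so a login that was granted EXECUTE directly can still invoke it (under the SQL Server service account).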
SQL Server Text Formatting Functions Contain Unchecked Buffers - Released December 20, 2001

SQL Server 2000 provides a number of functions that enable database queries to generate text messages. In some cases, the functions create a text message and store it in a variable; in others, the functions directly display the message. Microsoft discovered a vulnerability in these functions: passing an invalid format type character can cause SQL Server to overwrite an internal buffer, and through it an address in the SQL Server process space, with arbitrary data. Depending on the data written, this either lets the caller execute arbitrary code within the SQL Server process or causes the SQL Server process to terminate abnormally.

Resolution

The following file is available for download from the Microsoft Download Center:

Release Date: JAN-29-2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How To Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

After you install the fix, the file version of Xpstar.dll should be 8.00.475 or later, and the file version of Sqlservr.exe should be 8.00.428 or later.
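The Sqlservr.exe build number can be confirmed from inside SQL Server, which is useful when auditing many instances. The following check is an added example, not part of the Microsoft article; it relies only on SERVERPROPERTY('ProductVersion'), which on SQL Server 2000 reports the engine build in the form 8.00.nnn. The Xpstar.dll version is not exposed through Transact-SQL and still has to be read from the file's properties in Windows Explorer.

```sql
-- Added build check (not from the Microsoft article): confirm the running
-- engine is at least build 8.00.428, the Sqlservr.exe version the fix ships.
DECLARE @version nvarchar(128), @build INT
SET @version = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128))

-- PARSENAME splits a dotted string like a four-part object name; position 1
-- is the rightmost component, here the build number. Comparing integers
-- avoids the string-comparison trap where '8.00.99' sorts after '8.00.428'.
SET @build = CAST(PARSENAME(@version, 1) AS INT)

IF @build >= 428
    PRINT 'OK: SQL Server build ' + @version + ' is at or above 8.00.428'
ELSE
    PRINT 'Apply the security fix: build ' + @version + ' is earlier than 8.00.428'
```

Because the fixes are cumulative, any later build (including later service packs) also passes this check; it only tells you that the engine is not older than the fix, not which fix level is installed.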
REFERENCES

For additional information about these security fixes, click the article numbers below to view the articles in the Microsoft Knowledge Base:
304850 FIX: SQL Server Text Formatting Functions Contain Unchecked Buffers
Microsoft Security Bulletin MS01-060
Modification Type: Minor
Last Reviewed: 8/9/2004
Keywords: kbdownload kbinfo KB316426 kbAudDeveloper