-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Microsoft SQL Server and MSDE Malicious Query Vulnerability

March 21, 2000 18:00 GMT                                          Number K-027
______________________________________________________________________________
PROBLEM:       A security vulnerability has been identified in Microsoft SQL
               Server 7.0 and Microsoft Data Engine (MSDE) 1.0.
PLATFORM:      All platforms running SQL Server 7.0 and MSDE 1.0.
DAMAGE:        The remote author of a malicious SQL query may take
               unauthorized actions on a SQL Server or MSDE database or on the
               underlying system that was hosting the SQL Server or MSDE
               database.
SOLUTION:      Apply the patch given in the Security Bulletin below or else
               apply register settings as indicated in Frequently Asked
               Questions page given in the bulletin.
______________________________________________________________________________
VULNERABILITY  Risk is low. The attacker must have the right to submit queries
ASSESSMENT:    to the SQL Server or MSDE via ODBE, OLE DB, or DB-Library and
               be logged on using the SQL Server Security.
______________________________________________________________________________

[ Start Microsoft Bulletin ]

Microsoft Security Bulletin (MS00-014)
Patch Available for "SQL Query Abuse" Vulnerability
Originally Posted: March 08, 2000

Summary
Microsoft has released a patch that eliminates a security vulnerability in
Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0. The
vulnerability could allow the remote author of a malicious SQL query to
take unauthorized actions on a SQL Server or MSDE database or on the
underlying system that was hosting the SQL Server or MSDE database.
Frequently asked questions regarding this vulnerability and the patch can
be found at
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

Issue
Microsoft SQL Server 7.0 and MSDE 1.0 perform incomplete argument
validation on certain classes of remotely submitted SQL statements. If a
user is able to submit a particular form of a SQL Select statement to SQL
Server or MSDE, it is possible to take actions on the SQL data base or, if
the SQL Server or MDSE is operating in an account with elevated privileges
on the underlying system, on the underlying operating system itself.
In order to exploit this vulnerability, a user would have to have the
right to submit queries to the SQL Server or MSDE via ODBC, OLE DB, or
DB-Library and be logged on using SQL Server Security. The user would not
require any special privileges beyond the right to submit SQL queries.

Affected Software Versions
  Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0.

Patch Availability
  http://www.microsoft.com/downloads/release.asp?ReleaseID=19132
Note: Additional security patches are available at the Microsoft Download
Center

More Information
Please see the following references for more information related to this
issue.
  Frequently Asked Questions: Microsoft Security Bulletin MS00-014,
  http://www.microsoft.com/technet/security/bulletin/fq00-014.asp.
  As soon as more information on this topic is available, it will be
  posted here.
  Microsoft TechNet Security web site,
  http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
Microsoft thanks Sven Hammesfahr http://www.itrain.de for reporting the
SQL Query Abuse vulnerability to us and working with us to protect
customers..

Revisions
  March 08, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

Last updated March 8, 2000
® 2000 Microsoft Corporation. All rights reserved. Terms of use.


[ End Microsoft Bulletin ]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-017: Microsoft "Malformed RTF Control Word" Vulnerability
K-018: HP-UX - Security Vulnerability with PMTU Strategy
K-019: Microsoft - "Spoofed LPC Port Request" Vulnerability
K-020: Majordomo open() call Vulnerability
K-021: Malicious HTML Tags Vulnerability
K-022: FreeBSD - Asmon/Ascpu Vulnerability
K-023: FreeBSD - Delegate Proxy Server Vulnerability
K-024: Microsoft Systems Management Server Vulnerability
K-025: MySQL Password Authentication Vulnerability
K-026: Microsoft SQL Server Admin Login Encryption Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBONkWCbnzJzdsy3QZAQHbOAQAg6Pry3tHR6epHaIZZr/i+DhVL3QW/KTC
1XiHFJ13+tpfQzsialMB6FgQbmplmavNbnpj5QsWHMOgifl9lTZZAb3F15a9XddN
xu1qcb7Z2a9djfwEarQajpgJ3rsMpM2lbAkKR3D9LiyioLZl0n5MGmiowJoNTged
dRGbS9hOza4=
=WbcC
-----END PGP SIGNATURE-----