Microsoft Security Bulletin (MS00-014): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-014 announces the availability of a patch that eliminates a vulnerability in Microsoft® SQL Server and Microsoft Data Engine (MSDE). The vulnerability could allow a remote user to take arbitrary action on a SQL Server or MSDE database or on the underlying platform that was hosting the SQL Server or MSDE database. Microsoft is committed to protecting its customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could allow a remote user to submit commands of his or her choice to a SQL Server or MSDE database, or potentially to the system hosting a SQL Server or MSDE database. The commands would be executed with the full privileges of the owner or administrator of the database.
In order to exploit the vulnerability, a user would have to be authorized through SQL Server Authentication mode connections to submit SQL Select statements to the server via ODBC, OLE DB or DB-Library. Users authorized through Windows NT or Windows 2000 Authentication cannot exploit this vulnerability.
What causes the vulnerability?
This vulnerability results from incomplete parameter checking in the SQL Server and MSDE software. The software should verify that the user has the privileges to execute these commands in a certain way, but fails to do so.
Could this occur accidentally?
It is very unlikely that this vulnerability could be exercised accidentally. A user would have to submit a specially formed SQL Select statement that is unlikely to be submitted in error.
Could this vulnerability be exploited remotely?
This vulnerability could be exploited remotely via ODBC, OLE DB or DB-Library. However, if the SQL Server or MSDE were on an Intranet and access to the SQL Server or MSDE port (by default, port 1433) was blocked, then the vulnerability could only be exercised from the local intranet.
Under what circumstances could this vulnerability be used to take control of a server platform.
If the SQL Server or MSDE service account was also the administrator account, or a highly privileged account on the server platform, then this vulnerability could be exploited to assume control of the underlying platform. If the database administrator account were an ordinary user account, or did not have such privilege, then exploitation of the vulnerability would be limited to the database itself.
Can I restrict my users so that they must use Windows NT or Windows 2000 Authentication?
Yes. You must set SQL Server or MSDE to Integrated Security Mode. The settings are documented in the Microsoft SQL Server 7.0 security white paper. In brief, you should set registry entry HKLM/Software/Microsoft/MSSQLServer/MSSQLServer/LoginMode to 1 for Integrated Security Mode.
Who should apply the patch?
All users of Microsoft SQL Server 7.0 and MSDE 1.0 should apply this patch if their server is accessible to users who authenticate using SQL Server Authentication. Alternatively, users may install SQL Server 7.0/MSDE 1.0 Service Pack 2, which is expected to be released in the near future and also contains code that eliminates this vulnerability.
What is MSDE?
MSDE is a database engine based on SQL Server technologies that is included in certain versions of Microsoft Office 2000 and Microsoft Visual Studio 6.0, and may be redistributed by third party software suppliers.
How do I tell I have MSDE installed on my computer?
From the command prompt, launch Regedit.exe or Regedt32.exe. If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have MSDE or SQL Server installed, and you should apply the patch or apply the workaround described in this security bulletin.
What does the patch do?
The patch eliminates the vulnerability by properly validating the parameters of SQL queries submitted by users via ODBC, OLE DB or DB-Library.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
Is there an alternative to applying the patch?
As an alternative to applying the patch, you can apply registry settings that will disable queries using ad hoc syntax. Applying the patch will not re-enable ad hoc queries for users - you must delete the registry keys you have added in order to re-enable ad-hoc heterogeneous query support from OLE DB data sources.
How do I apply the registry settings to disable ad hoc heterogeneous queries?
Copy the following lines and create a file with a name such as disable.reg, then simply double-click on the file. This will disable all ad-hoc heterogeneous query access via OLE DB providers from your SQL Server or MSDE installation. You can also manually add each of these registry keys.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\Microsoft.Jet.OLEDB.4.0] "DisallowAdhocAccess"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDAORA] "DisallowAdhocAccess"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDASQL] "DisallowAdhocAccess"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB] "DisallowAdhocAccess"=dword:00000001
How can I tell if I installed the patch correctly?
Use the following table to verify that you installed the patch correctly.
| If you are running on this platform... | And using this version... | You've installed the patch correctly if sqlservr.exe has these properties... |
Intel | 7.0 | Date: 3/1/2000 |
Alpha | 7.0 | Date: 3/1/2000 |
What is Microsoft doing about this issue?
| • | Microsoft has developed a patch that eliminates the vulnerability. |
| • | Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch. |
| • | Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins. |
| • | Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail. |
Where can I learn more about best practices for security?
| • | The Microsoft TechNet Security web site is the best to place to get information about Microsoft security. |
| • | For information about SQL Server and SQL Server security, see http://www.microsoft.com/sql |
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
