AusCERT - AU-2008.0028 -- AusCERT Update - [Win] - Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

HOME

About AusCERT

Membership

PKI Services

Training

Publications

Sec. Bulletins

Conferences

News & Media

Services

Web Log

Site Map

Site Help

Member login

AU-2008.0028 -- AusCERT Update - [Win] - Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

Date: 23 December 2008
References: AA-2008.0266

Click here for printable version
Click here for PGP verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AusCERT Update AU-2008.0028 - [Win]
Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution
23 December 2008        
AusCERT Update Summary
        ----------------------

Product:              Microsoft SQL Server 2000 Service Pack 4
                      Microsoft SQL Server 2000 Itanium-based Edition Service Pack 4
                      Microsoft SQL Server 2005 Service Pack 2
                      Microsoft SQL Server 2005 x64 Edition Service Pack 2
                      Microsoft SQL Server 2005 with SP2 for Itanium-based Systems
                      Microsoft SQL Server 2005 Express Edition Service Pack 2
                      Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2
                      Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4
                      Microsoft SQL Server 2000 Desktop Engine (WMSDE)
                      Windows Internal Database (WYukon) Service Pack 2
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
                      Existing Account
CVE Names:            CVE-2008-4270
Member content until: Tuesday, January 20 2009

Ref:                  AA-2008.0266

Original Bulletin:    
  http://www.microsoft.com/technet/security/advisory/961040.mspx

Alert AA-2008.0266 was incorrectly sent out without a title. This has been
corrected with the title:

Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSVCEoyh9+71yA2DNAQLVtgP9H1igM1tM5XKrs14XVe/v6paSuOfY0zie
10Q3gUfn2uKb31gQOiCz7Yeo/z+c1Iy1HSQsx6z2y7xM6DbuPBePAWDn5VgcSGdr
D5nZiMT1dVOARGlneD8xjX2ovCxDcRvIemH2E6nDa+fPnzK6hVaaLEwtEe+nb9j3
a476FwlCIgM=
=UeHq
-----END PGP SIGNATURE-----