Multiple vulnerabilities have been detected in versions of Microsoft’s SQL,
Outlook, Outlook Express and Internet Explorer products and the company is
urging that patches be installed to plug the holes.
In separate warnings, Microsoft issued a cumulative
patch to eliminate three newly discovered vulnerabilities affecting SQL
Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or
MSDE) and confirmed a cross domain scripting flaw in Internet Explorer that
leaves WebBrowser applications like Outlook, Outlook Express and IE open to
hackers.
To add insult to injury, a worm targeting MS Windows users is squirming its
way around the Internet. The e-mail worm, which masquerades as ‘copyrighted
Microsoft code,’ is claiming to be a Microsoft Windows update and security
experts are warning it can spread through open networks.
MS SQL VULNERABILITIES
Regarding the MS SQL vulnerabilities, Microsoft warned of
a buffer overrun flaw in a procedure used to encrypt SQL Server credential
information that would let an attacker “gain significant control over the
database and possibly the server itself depending on the account SQL Server
runs as.”
The company said another buffer overrun vulnerability in a procedure that
relates to the bulk inserting of data in SQL Server tables has also been
identified.
The cumulative patch (available for download here) also covers a privilege
elevation flaw that results from incorrect permissions on the Registry key
that stores the SQL Server service account information. Microsoft said an
attacker could gain greater privileges on the system than had been granted by
the system administrator, potentially even the same rights as the operating
system.
Meanwhile, as Microsoft was urging installation of its latest patch,
security firm NGSSoftware issued a
separate warning that
Microsoft’s SQL Server 2000 contains functionality that allows a database
owner to populate a table with data in one fell swoop using the ‘BULK
INSERT’ query. NGSS said this functionality contains a remotely exploitable
buffer overrun vulnerability that can be exploited by an attacker to run
arbitrary code.
NGSS said the ‘BULK INSERT’ query will take a user-supplied file name and
insert the contents of this file into a specified table. By supplying an
overly long filename to the query, a buffer is overflowed and the saved return
address stored on the stack is overwritten. This allows the attacker to gain
control over the process’ execution.
It said SQL Server 2000 can be run in the security context of a domain
account or LOCAL SYSTEM, so depending upon the particular setup, an attacker
may be able to gain complete control over the vulnerable system.
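The mechanism NGSS describes, a user-supplied file name copied into a fixed-size stack buffer with no length check, is the textbook stack overrun. The following is an added illustration written for this page, not Microsoft's or NGSS's code: it places the unchecked copy next to a bounded version that measures the input first and rejects anything that will not fit. The 64-byte buffer size, the function names and the sample file names are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed assumption: the handler stores file names in a 64-byte
   stack buffer.  The real SQL Server sizes are not given on the page. */
#define FILENAME_BUF 64

/* Vulnerable pattern: strcpy trusts whatever length the caller supplies.
   An input longer than FILENAME_BUF-1 bytes writes past 'name' into the
   rest of the stack frame (on a typical layout, the saved return address),
   which is exactly the condition NGSS reported.  Kept here for contrast
   only; it is never called with untrusted input in this example. */
void unsafe_take_filename(const char *src)
{
    char name[FILENAME_BUF];
    strcpy(name, src);               /* no bound on the copy */
    printf("opening %s\n", name);
}

/* Hardened version: measure the input without scanning past dstsz bytes,
   refuse anything that does not leave room for the terminating NUL, and
   only then copy.  Returns 0 on success, -1 if the name was rejected. */
int bounded_take_filename(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* bounded length scan */
        n++;
    if (dstsz == 0 || n >= dstsz)         /* name + NUL would not fit */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* What a query handler should do with a user-supplied file name: copy it
   into the same fixed buffer through the bounded routine. */
int accept_filename(const char *src)
{
    char name[FILENAME_BUF];
    return bounded_take_filename(name, sizeof name, src);
}

int main(void)
{
    /* Constructed inputs: one that fits and one far longer than the buffer. */
    char longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name accepted: %d\n", accept_filename("C:\\data\\import.csv"));
    printf("long name accepted:  %d\n", accept_filename(longname));
    return 0;
}
```

The bounded routine deliberately scans at most `dstsz` bytes, so a name with no terminator within range is treated as too long rather than read to wherever the NUL happens to be; the same length-then-copy discipline is what a fix for this class of bug has to enforce at every point a caller-controlled string meets a fixed buffer.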
CROSS SCRIPTING FLAW
Newport Beach, Calif. security consultants PivX
Solutions announced the discovery of “extremely high-risk”
vulnerabilities within Microsoft’s flagship Internet Explorer browser
product. It said the bug uses universal cross domain scripting, allowing the
arbitrary execution of programs, unprivileged reading of files, and stealing
of server cookies.
PivX, which released the vulnerability alert ahead of a fix from Microsoft, has
ruffled the feathers of the software giant, but the security firm maintained
support for immediate full disclosure of flaws as soon as they are
discovered.
The company, which credited Danish researcher Thor Larholm with discovering
the bug, released a workaround/fix on its home
page to allow users to plug the holes ahead of a Microsoft patch.
The company said the vulnerability leaves apps that use the WebBrowser control
vulnerable to a variety of attacks but can be circumvented if ActiveX
scripting is disabled.
WINDOWS WORM
To add to Microsoft’s security headaches, a worm comprising three
components — MSVXD.exe, MSVXD16.dll and MSVXD32.dll — is on the prowl,
masquerading as legitimate MS code. Security experts say the worm can drop
copies of itself in all subfolders and network folders and is unusual in the
way it masks and hides itself within networks.
Software security firm BitDefender, which issued the worm warning, said the
Win32.Worm.Datom.A virus resembles the FunLove worm and uses the same
spreading methods and is “troubling large, insufficiently protected
networks.”
“Taken separately, the (three components of the worm) cannot be considered
as malware, but together, they form a pretty malicious code” said Costin
Ionescu, Virus Researcher at BitDefender. “The worm has also the ability to
hide its Windows Registry keys in normal mode and to disable certain
security software installed on the system. This could mark an evolution for
viruses’ modus operandi,” he added.
BitDefender said the virus attempts to connect to Microsoft’s home page
and drops copies of itself in all shared folders and subfolders in the
victim’s network. The company has issued a free removal tool
for the worm. Technical details on the worm’s threat and removal are
available at BitDefender’s virus section.