Today, Microsoft released a security update, with a maximum security rating of Important, that addresses four vulnerabilities in SQL Server. One of the vulnerabilities could let an attacker run code and take over a system with full administrative rights, enabling the attacker to perform administrator tasks such as installing new programs or viewing, changing, or deleting data. According to Microsoft, this security update fixes the vulnerabilities by "modifying the way that SQL Server manages page reuse, allocating more memory for the convert function, validating on-disk files before loading them, and validating insert statements."
The SQL Server versions affected by the vulnerabilities and covered by the security update include SQL Server 2005, 2000, and 7.0; Microsoft Data Engine 1.0; and Microsoft SQL Server 2005 Express Edition. You can see a complete list of affected SQL Server and Windows versions at http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx.
Microsoft will be hosting a webcast tomorrow, July 9, 2008, at 11 a.m. Pacific time to address any questions its customers might have about this security update. To register for the webcast, go to http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032374629&EventCategory=4&culture=en-US&CountryCode=US.
For more information about this security update, go to http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx