MS fixes tool flaw; another appears in SQL Server
- 22 August, 2002 08:30
A security vulnerability in a tool used by developers and select customers to download software from Microsoft Corp. Web sites could allow an attacker to take over vulnerable systems, according to a security alert distributed by Microsoft to some developers Tuesday.
The vulnerability is in the File Transfer Manager (FTM) program which Microsoft offers to its developers and volume-license customers, according to an e-mail the Redmond, Washington, company sent to a select group of FTM users. Microsoft said it believes that only a small number of its customers are affected by the flaw, although it didn't provide a ballpark number for how many might be affected.
Though the company only provided basic details about the existence of the flaw, a separate security alert released last week by Ukrainian security researcher Andrew Tereschenko, who was thanked in Microsoft's alert, provided more information. The vulnerabilities are both the result of flaws in ActiveX controls included in versions released before File Transfer Manager 4.0, which came out in June, he said in his alert.
The first hole, which can be exploited via a buffer overflow, could allow virtually any Web site to install an ActiveX control on a user's computer, he said. The second vulnerability can be exploited through a man-in-the-middle attack -- in which the attacker intercepts traffic between a host and the target PC -- to download or upload any file from or to an affected PC, he said.
Tereschenko disputed Microsoft's claim that only a small number of customers are affected by the flaw.
The vulnerabilities could allow an attacker to take over affected systems, according to Microsoft's bulletin.
To repair the flaw, Microsoft urged users of File Transfer Manager to upgrade their software to version 4.0. The new version of the software is available at http://transfers.one.microsoft.com/ftm/install.
Separately, security research firm Next Generation Security Software Ltd. said Monday that it had discovered a vulnerability in Microsoft's SQL Server 7 and 2000 that could allow a user with low access privileges to overwrite files in the database.
The vulnerability exists in the SQL Server agent, a helper component used to restart the database service on SQL Server if it stops, NGSSoftware said. Because the agent can accept jobs from low-privileged users by default, an attacker could create a specially crafted query that can, in some cases, cause the agent to overwrite files on the server, the group said.
NGSSoftware said that it had notified Microsoft of the problem in July but that the software company had not yet released a patch.
SQL Server should be configured to disallow low-privileged users access to the job procedures in order to prevent the problem, NGSSoftware said.
The alert and more information on the work-around can be found at http://www.nextgenss.com/advisories/mssql-jobs2.txt.