[thelist] FW: Microsoft Security Bulletin (MS99-059)
Scott Dexter
sgd at ti3.com
Tue, 21 Dec 1999 10:14:14 -0600
sgd
--
think safely
> -----Original Message-----
> From: Microsoft Product Security [mailto:secnotif@MICROSOFT.COM]
> Sent: Monday, December 20, 1999 7:40 PM
> To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin (MS99-059)
>
>
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> Microsoft Security Bulletin (MS99-059)
> --------------------------------------
>
> Patch Available for "Malformed TDS Packet Header" Vulnerability
> Originally Posted: December 20, 1999
>
> Summary
> =======
> Microsoft has released a patch that eliminates a security vulnerability in
> Microsoft(r) SQL Server(r) 7.0. The vulnerability could cause a SQL server
> to crash.
>
> Frequently asked questions regarding this vulnerability can be found at
> http://www.microsoft.com/security/bulletins/MS99-059faq.asp.
>
> Issue
> =====
> If a specially-malformed TDS packet is sent to a SQL server, it can cause
> the SQL service to crash. This vulnerability would not allow any
> inappropriate access to the data on the server, nor would it allow a
> malicious user to usurp any administrative control on the machine. An
> affected machine could be put back into service by restarting the SQL
> service. This vulnerability could only be remotely exploited if port 1433
> were open at the firewall.
>
> Affected Software Versions
> ==========================
> - Microsoft SQL Server 7.0
>
> Patch Availability
> ==================
> - Intel:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16923
> - alpha:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16924
>
> NOTE: This patch does not locate the SQL folder and install the patched
> files into it; instead, you must copy the three files contained in it to
> the MSSQL7/BINN folder.
>
> NOTE: Additional security patches are available at the Microsoft Download
> Center
>
> More Information
> ================
> Please see the following references for more information related to this
> issue.
> - Microsoft Security Bulletin MS99-059: Frequently Asked Questions,
>   http://www.microsoft.com/security/bulletins/MS99-059faq.asp.
> - Microsoft Knowledge Base (KB) article Q248749,
>   FIX: Possible Denial of Service Attack with Appropriate NULL Bytes in
>   TDS Header,
>   http://support.microsoft.com/support/kb/articles/q248/7/49.asp.
>   (Note: It may take 24 hours from the original posting of this bulletin
>   for this KB article to be visible.)
> - Microsoft Security Advisor web site,
>   http://www.microsoft.com/security/default.asp.
>
> Obtaining Support on this Issue
> ===============================
> This is a fully supported patch. Information on contacting Microsoft
> Technical Support is available at
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft acknowledges Kevork Belian for bringing this issue to our
> attention.
>
> Revisions
> =========
> - December 20, 1999: Bulletin Created.
>
> -------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
>
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use
>
> For more information on the Microsoft Security Notification Service
> please visit http://www.microsoft.com/security/services/bulletin.asp. For
> security-related information about Microsoft products, please visit the
> Microsoft Security Advisor web site at http://www.microsoft.com/security.
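
An example added to this archive page (not part of the bulletin and not Microsoft code): a Python check that a proxy or sensor in front of port 1433 could apply to TDS packet headers before they reach the server. The bulletin does not say which header field is malformed, so these are generic sanity checks against the published 8-byte TDS header layout; the function names, the size limit and the sample bytes are assumptions.

```python
import struct

# TDS packet header: type, status, length (big-endian, header included),
# SPID, packet id, window. Eight bytes in total.
TDS_HEADER = struct.Struct(">BBHHBB")
# Packet types from the published TDS specification (0x12 postdates SQL Server 7.0).
KNOWN_TYPES = {0x01, 0x02, 0x03, 0x04, 0x06, 0x07, 0x0E, 0x10, 0x11, 0x12}
MAX_PACKET = 32767  # assumption: replace with the packet size your servers negotiate


def check_tds_header(data, max_packet=MAX_PACKET):
    """Return a list of problems found in the TDS header at the start of data."""
    if len(data) < TDS_HEADER.size:
        return ["truncated header: %d of %d bytes" % (len(data), TDS_HEADER.size)]
    ptype, _status, length, _spid, _packet_id, _window = TDS_HEADER.unpack_from(data)
    problems = []
    if ptype not in KNOWN_TYPES:
        problems.append("unknown packet type 0x%02x" % ptype)
    if length < TDS_HEADER.size:
        problems.append("length %d is smaller than the header itself" % length)
    elif length > max_packet:
        problems.append("length %d exceeds the %d-byte limit" % (length, max_packet))
    return problems


def scan_stream(stream, max_packet=MAX_PACKET):
    """Walk a reassembled client-to-server stream; report the first bad header, if any."""
    offset = 0
    while offset < len(stream):
        problems = check_tds_header(stream[offset:], max_packet)
        if problems:
            return [(offset, problems)]  # framing cannot be trusted past this point
        offset += TDS_HEADER.unpack_from(stream, offset)[2]
    return []


# Constructed sample data, not captured traffic.
GOOD = TDS_HEADER.pack(0x01, 0x01, 12, 0, 1, 0) + b"S\x00Q\x00"  # header + 4 payload bytes
BAD = TDS_HEADER.pack(0x7F, 0x01, 4, 0, 1, 0)  # unknown type, impossible length

if __name__ == "__main__":
    for name, stream in [("clean", GOOD + GOOD), ("suspect", GOOD + BAD)]:
        print(name, scan_stream(stream) or "ok")
```

A connection whose stream produces a finding can be dropped or logged before the packet is forwarded, which complements the patch and the firewall restriction on port 1433 that the bulletin mentions.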