This Microsoft Knowledge Base article contains information
about the release of a SQL Server 7.0 Service Pack 4 (SP4) and Microsoft Data
Engine 1.0 SP4 security patch. This security patch supersedes all previous
security patches that are documented in the following Microsoft Knowledge Base
article, including the security patch for Microsoft Security Bulletin MS02-061
for SQL Server 7.0:
327068 (http://kbalertz.com/Feedback.aspx?kbNumber=327068/) SQL Server 7.0 security update for Service Pack 4
Important notes
This package does not contain the security fixes that are in
Microsoft Data Access Components (MDAC) and SQL Server Analysis
Services.
This security patch resolves the following vulnerabilities:
- Named pipe hijacking
When SQL Server starts, it creates and then listens on a
specific named pipe for incoming connections to the server. A named pipe is a
specifically named one-way or two-way channel for communication between a pipe
server and one or more pipe clients. SQL Server checks the named pipe to verify
what connections can log on to the system that is running SQL Server to run
queries against data that is stored on the server.
A flaw exists in the checking method for the named pipe that might allow an
attacker who is local to the system that is running SQL Server to hijack (gain
control of) the named pipe when another client uses an authenticated logon
password to log on. This would allow the attacker to gain control of the named
pipe at the same permission level as the user who is trying to connect. If the
user who is trying to connect remotely has a higher level of permissions than
the attacker does, the attacker will assume those rights when the named pipe is
compromised.
- Named pipe denial of service
In the same named pipes scenario that is mentioned in the
"Named Pipe Hijacking" section of this bulletin, it is possible for an
unauthenticated user who is local to the intranet to send a very large packet
to a specific named pipe where the computer running SQL Server is listening and
cause it to become unresponsive.
This vulnerability would not allow
an attacker to run arbitrary code or elevate their permissions, but it may
still be possible for a denial of service condition to exist that would require
that the server be restarted to restore functionality.
- SQL Server Buffer Overrun
A flaw exists in a specific Windows function that may allow an authenticated
user who has direct access to log on to the system running SQL Server to create
a specially crafted packet that, when sent to the listening local procedure
call (LPC) port of the system, can cause a buffer overrun. If successfully
exploited, this can allow a user who has limited permissions on the system to
elevate their permissions to the level of the SQL Server service account, or
cause arbitrary code to run.
Important notes
Read the following important notes about installing this security
patch on a computer that is running SQL Server 7.0 SP4.
An error message occurs when you connect to a Microsoft Windows NT 4.0-based computer by using named pipes
When you connect to a Windows NT 4.0-based computer that
is running SQL Server 7.0 by using named pipes, and that connection is made by
a non-admin user, you may receive an error message that is similar to one of
the following:
Message 1
Connection could not be established. SQL
Server does not exist
Message 2
Connection could not be established. Access
is denied.
To obtain a hotfix to resolve this error message, see the
following article in the Microsoft Knowledge Base:
823492 (http://kbalertz.com/Feedback.aspx?kbNumber=823492/) "Connection could not be established" error message when you connect to a Windows NT 4.0-based computer that is running SQL Server 2000 or SQL Server 7.0
Prerequisites
This security patch requires SQL Server 7.0 SP4.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
301511 (http://kbalertz.com/Feedback.aspx?kbNumber=301511/) How to obtain the latest SQL Server 7.0 service pack
For clustered SQL Server 7.0
installations, you must first uncluster SQL Server by running the SQL Server
Failover Wizard from the primary cluster node of each virtual SQL Server.
Active/Active
Follow these steps for an Active/Active installation:
- Make sure that the computer node where SQL Server 7.0 was
originally installed controls both the SQL Server resource groups.
- On each node of the cluster, run the Failover Setup Wizard
utility to remove that virtual SQL Server.
- After you uncluster SQL Server, you must run the hotfix
executable file on both the nodes, and complete the hotfix installation
successfully before you re-cluster SQL Server.
Active/Passive
Follow these steps for an Active/Passive installation:
- Make sure that the computer node where SQL Server 7.0 was
originally installed controls the SQL Server resources.
- On this same computer node, run the Failover Setup Wizard
utility to remove that virtual SQL Server.
- After you uncluster SQL Server, you must run the hotfix
executable file on the primary node only, and complete the hotfix installation
successfully before you re-cluster SQL Server.
Download information
The following file is available for download from the Microsoft Download
Center:
Release Date: July 23, 2003
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://kbalertz.com/Feedback.aspx?kbNumber=119591/) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Installation information
This security patch supports the following Setup switches.
| Switch | Description |
| /s | Disables the Self Extraction progress dialog box. Must come before the /a switch. |
| /a | This parameter must come before all the other parameters except /s if you are running the hotfix by using the self-extracting EXE, and you want to include parameters for unattended installations. This is a mandatory parameter for the installer to run in the unattended mode. |
| /q | This switch causes the Setup program to run in silent mode with no user interface. |
| BLANKSAPWD | This parameter means that the sa password for SQL Authentication is blank. If you enter this parameter on computers that are running Windows NT or Windows 2000, the default Windows Authentication logon is overridden and it tries to log on with a blank sa password. The correct format for this parameter is BLANKSAPWD=1. This parameter is recognized only for unattended installations. |
| SAPWD | Non-blank sa password. If you enter this parameter, it must be in the form of SAPWD=yoursapassword. This parameter overrides default Windows Authentication on computers that are running Windows NT or Windows 2000, or BLANKSAPWD, if entered. |
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
330391 (http://kbalertz.com/Feedback.aspx?kbNumber=330391/) SQL Server hotfix installer
Restart requirement
You do not have to restart your computer after you apply this
security patch unless the hotfix installer prompts you to.
Removal information
The removal of this security patch is not supported unless certain
catalogs were backed up before you installed the security patch. For more
information, see the "How to Remove or Rollback the Hotfix" section in the
following Microsoft Knowledge Base article:
330391 (http://kbalertz.com/Feedback.aspx?kbNumber=330391/) SQL Server hotfix installer
Security patch replacement information
This security patch supersedes all previous security patches that
are documented in the following Microsoft Knowledge Base article, including the
security patch for Microsoft Security Bulletin MS02-061 for SQL Server 7.0:
327068 (http://kbalertz.com/Feedback.aspx?kbNumber=327068/) SQL Server 7.0 security update for Service Pack 4
File information
The English version of this package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Date Time Version Size File name
-----------------------------------------------------------------------
04-Oct-2002 23:59 2000.34.4.0 28,944 bytes Dbmssocn.dll
06-Sep-2002 23:55 2000.33.6.0 53,520 bytes Distrib.exe
06-Sep-2002 23:55 2000.33.6.0 98,576 bytes Logread.exe
05-May-2003 18:34 54,904 bytes Opends60.dbg
05-May-2003 18:34 2000.41.2.0 155,920 bytes Opends60.dll
05-May-2003 18:34 132,096 bytes Opends60.pdb
06-Sep-2002 23:56 2000.33.6.0 250,128 bytes Rdistcom.dll
06-Sep-2002 23:55 2000.33.6.0 82,192 bytes Replmerg.exe
06-Sep-2002 23:56 2000.33.6.0 78,096 bytes Replres.dll
17-Sep-2002 22:52 7,941 bytes Securityhotfix.sql
06-Sep-2002 23:56 2000.33.6.0 160,016 bytes Snapshot.exe
30-May-2003 04:21 59,214 bytes Sp4_serv_uni.sql
15-Jan-2003 01:33 2000.37.13.0 344,064 bytes Sqlagent.exe
06-Sep-2002 23:55 2000.33.6.0 45,056 bytes Sqlcmdss.dll
16-May-2003 00:18 2000.41.14.0 2,629,632 bytes Sqldmo.dll
16-May-2003 13:29 2000.41.14.0 81,920 bytes Sqlmap70.dll
29-May-2003 23:11 4,370,404 bytes Sqlservr.dbg
30-May-2003 02:44 2000.41.28.0 5,062,928 bytes Sqlservr.exe
29-May-2003 23:11 3,589,120 bytes Sqlservr.pdb
04-Oct-2002 23:59 2000.34.4.0 45,328 bytes Ssmsso70.dll
16-May-2003 00:18 2000.41.14.0 24,848 bytes Ssnmpn70.dll
26-Sep-2002 20:30 28,408 bytes Ums.dbg
26-Sep-2002 20:27 2000.33.25.0 57,616 bytes Ums.dll
26-Sep-2002 20:29 99,328 bytes Ums.pdb
16-May-2003 13:31 2000.41.14.0 151,552 bytes Xpweb70.dll
Verification
To determine the version of SQL Server that you are running, use
the information in the following Microsoft Knowledge Base article:
321185 (http://kbalertz.com/Feedback.aspx?kbNumber=321185/) How to identify your SQL Server version and edition
After you apply this security patch, "7.00.1094" should be returned when you
run one of the following SELECT statements:
SELECT serverproperty('productversion')
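
The following Python code is an added example, not part of the Microsoft article: it parses rows in the format of the File information table, checks a file inventory against them so that the listed version "or later" passes, and checks the product version string from the Verification section. The inventory values and function names are constructed for illustration, and treating builds later than 1094 as patched is an assumption.

```python
import re

# Rows copied from the File information table above (subset).
MANIFEST = """\
05-May-2003 18:34 2000.41.2.0 155,920 bytes Opends60.dll
16-May-2003 00:18 2000.41.14.0 2,629,632 bytes Sqldmo.dll
30-May-2003 02:44 2000.41.28.0 5,062,928 bytes Sqlservr.exe
17-Sep-2002 22:52 7,941 bytes Securityhotfix.sql
"""
# Constructed inventory (file name -> version string read from the server).
OBSERVED = {"Opends60.dll": "2000.41.2.0", "Sqldmo.dll": "2000.41.9.0",
            "Sqlservr.exe": "2000.41.28.0"}

ROW = re.compile(r"^\S+\s+\S+\s+(?:(\d+(?:\.\d+){3})\s+)?([\d,]+)\s+bytes\s+(\S+)$")

def vtuple(text):
    """'2000.41.14.0' -> (2000, 41, 14, 0) so fields compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(text):
    """Map lower-cased file name -> (version tuple or None, size in bytes)."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ver, size, name = m.groups()
            out[name.lower()] = (vtuple(ver) if ver else None, int(size.replace(",", "")))
    return out

def audit(manifest, observed):
    """Return {file: status}; a version at or above the listed one is 'ok'."""
    seen = {name.lower(): ver for name, ver in observed.items()}
    report = {}
    for name, (want, _size) in manifest.items():
        if name not in seen:
            report[name] = "missing"
        elif want is None:
            report[name] = "present (no version listed)"
        elif seen[name] is None:
            report[name] = "no version read"
        else:
            report[name] = "ok" if vtuple(seen[name]) >= want else "outdated"
    return report

def build_ok(product_version, minimum=1094):
    """Check the build field of a string such as '7.00.1094'."""
    # Assumption: later 7.00 builds also include this security patch.
    major, _minor, build = product_version.split(".")[:3]
    return int(major) == 7 and int(build) >= minimum
```

Comparing the version fields as integers matters here: as plain strings, the constructed `2000.41.9.0` would sort after the required `2000.41.14.0` and an unpatched Sqldmo.dll would pass.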