April 8, 2005 at 8:20 am
A SQL server that has SP3 or has otherwise been patched does not mean that it will always stay patched. Sometimes components install previous versions of vulnerable libraries.
Is the above mentioned is true?
Thanks
Shas3
April 8, 2005 at 8:38 am
Yes, unfortunately, it can be true.
A classic example is Microsoft released a memory leak hotfix after the patch that guarded a SQL Server against what ended up being SQL Slammer. The memory leak hotfix had an old version of the net-library DLL and did prompt the user on whether or not to overwrite with an older file. Any users who did found themselves unpatched for Slammer. That was one of the reasons why some people who had applied the patch found themselves compromised when the outbreak occurred.
K. Brian Kelley
@kbriankelley
April 8, 2005 at 8:39 am
I've never heard of this happening. How would some dll or other component get unregistered with SQL complaining or outright failing? You can't even revert back using Add-Remove Programs. My overall guess is no this could never happen, but I suppose if someone who had a lot of spare time on their hands deliberately tried and knew enough about SQL internals... By the way what components get installed separately?
Francis
April 8, 2005 at 8:53 am
The component in question was re-registered by the memory hotfix (actually handle). Here is the hotfix in question:
Note, if you scroll down in the article you'll find the following text:
NOTE: The security patches described in Microsoft Security Bulletins MS02-039, MS02-043, MS02-056 and the original release of the security patch described in MS02-061 (released on October 16, 2002) do not contain the Q317748.exe patch discussed in this knowledge base article. This patch was subsequently discovered to be required to ensure normal operation of SQL Server.
If you have applied any of these security patches and decide to apply the patch from this Knowledge Base article you must answer "no" if prompted to overwrite files to ensure that you do not overwrite files from the security patch.
Reason being it re-exposed SQL Server to this vulnerability.
K. Brian Kelley
@kbriankelley
April 8, 2005 at 9:03 am
Brian I had to read your explanation a couple of times to understand. Not because you weren't clear, but it is complex. If prompted to overwrite some library it's important to understand the implications. I was thinking more of a hack of sorts where some library gets overwritten without anyone knowing about it. I know I'm going to be more careful about applying patches and testing after reading this. Even if this seems to be more of an issue with hotfixes than actual SPs. Thanks for the clarification.
Francis
April 8, 2005 at 9:04 am
Thanks for the answer Brian. I can't believe this is true. So even though I do have sp3 rite now its not really sp3 since couple of file got replaces with older version. So do we need to re install sp3
Thanks
Shas3
April 8, 2005 at 9:07 am
Shas3 are you saying you are having this issue? Did you apply some hotfix and you now have some problem? Which hotfix did you apply?
Francis
April 8, 2005 at 9:11 am
Are you sure files got replaced by older versions? I gave an example where that is possible, but you'll have to investigate your own environment. Typically you can do this by looking at the file versions, although admittedly these sometimes are incorrect. In order to "get back" to SP3, I believe you'd be able to re-install the service pack, however, in a situation like this you're best bet is to get in contact with Microsoft Support in case there are any "gotchas."
K. Brian Kelley
@kbriankelley
April 8, 2005 at 9:54 am
Brian, It is under investigation rite now. This just I am collecting data for the documentation. Right now we don't have any problems, at least for now. Our NT Support ran a scan for slammer vulnerability and it shows no SP installed on couple of servers even though we have SP3 installed on all. @@Version show correct number for sp3, however the report from SQL Scan shows no SP
Shas3
April 8, 2005 at 11:58 am
In my blog today I have a link to an article by Chris Andrews, a SQL Server Security guru. Generally @@VERSION is the most accurate way, but that may not be the case in your situation. There are some other methods he notes to use for your investigation. It's a good read.
K. Brian Kelley
@kbriankelley
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply