INTRODUCTION
This Microsoft
Knowledge Base article contains a list of all the security fixes that are
available for SQL Server 2000 Service Pack 3 (SP3), SQL Server 2000 Service
Pack 3a (SP3a), SQL Server 2000 Desktop Engine (MSDE) Service Pack 3 (SP3), and
SQL Server 2000 Desktop Engine (MSDE) Service Pack 3a (SP3a).
Important notes
- This cumulative package does not contain the security fixes
that are in Microsoft Data Access Components (MDAC) and Analysis
Services.
Here is a list of the vulnerabilities that are resolved by
this security patch:
- Named Pipe Hijacking
When SQL Server starts, it creates and then listens on a
specific named pipe for incoming connections to the server. A named pipe is a
specifically named one-way or two-way channel for communication between a pipe
server and one or more pipe clients. SQL Server checks the named pipe to verify
what connections can log on to the system that is running SQL Server to run
queries against data that is stored on the server.
A flaw exists in
the checking method for the named pipe that might allow an attacker who is
local to the system that is running SQL Server to hijack (gain control of) the
named pipe when another client uses an authenticated logon password to logon.
This would allow the attacker to gain control of the named pipe at the same
permission level as the user who is trying to connect. If the user who is
trying to connect remotely has a higher level of permissions than the attacker
does, the attacker will assume those rights when the named pipe is compromised.
- Named Pipe Denial of Service
In the same named pipes scenario that is mentioned in the
"Named Pipe Hijacking" section of this article, an unauthenticated user who is
local to the intranet might be able to send a very large packet to a specific
named pipe where the system running SQL Server is listening and cause it to
become unresponsive.
This vulnerability does not allow an attacker to
run arbitrary code or elevate their permissions; however, a denial of service
condition might still exist that requires you to restart the server to restore
functionality. - SQL Server Buffer Overrun
A flaw exists in a specific Windows function that may allow
an authenticated user who has direct access to log on to the system running SQL
Server the ability to create a specially crafted packet that when sent to the
listening local procedure call (LPC) port of the system, can cause a buffer
overrun. If successfully exploited, this can allow a user who has limited
permissions on the system to elevate their permissions to the level of the SQL
Server service account, or cause arbitrary code to run.
SQL Server prompts you for a password after you install MS03-031: Cumulative security patch for SQL Server
After you install "MS03-031: Cumulative Security Patch for SQL
Server", when you make changes to a standard SQL Server login by using
Enterprise Manager, SQL Server prompts you for a password, even if you did not
change the password. If you did not change the password, you cannot
successfully close the dialog box, regardless of the entry that you use. To
resolve or avoid this problem, download and use the fix that is in the
following Microsoft Knowledge Base article:
826161 FIX: You are prompted for password confirmation after you change a standard SQL Server login
MORE INFORMATION
Important notes
Read these important notes about the installation of this patch on
a computer that is running SQL Server 2000 SP3.
Universal Description, Discovery, and Integration (UDDI) services
If you install this security patch on a computer that is running
Microsoft Windows Server 2003, and UDDI Services is installed, you must take
one of two actions to restart UDDI Services, depending on your circumstances.
The UDDI Services will not resume normal functioning until you do.
- If no other Web service is in use on the computer that is
running Windows Server 2003, you can restart the UDDI Services by restarting
Microsoft Internet Information Services (IIS). Restarting IIS is the same as
first stopping IIS, and then starting it again, except it is done with a single
command. There are two ways to restart IIS:
- Use the IIS Manager graphical user
interface.
- Use the IISReset command-line utility.
- If other Web services are in use on the computer that is
running Windows Server 2003, you may not want to affect their operation. To
restart the UDDI Services, follow these steps:
- Start the IIS Manager utility.
- Locate the Application Pools folder, and then right-click the MSUDDIAppPool icon.
- Click to select the Recycle menu
option. Doing so will allow UDDI Services to resume operation without affecting
any other Web service on the computer.
An error message occurs when you connect to a Microsoft Windows NT 4.0-based computer by using named pipes
When you connect to a Windows NT 4.0-based computer that is
running Microsoft SQL Server 2000 by using named pipes, and that connection is
made by a non-admin user, you may receive an error message similar to one of
the following:
Message 1Connection could not be established.
SQL Server does not exist
Message 2 Connection could not be established. Access
is denied.
To obtain a hotfix to resolve this error message, see the
following article in the Microsoft Knowledge Base:
823492 "Connection could not be established" error message when you connect to a Windows NT 4.0-based computer that is running SQL Server 2000 or SQL Server 7.0
Download information
The
following file is available for download from the Microsoft Download
Center:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9814AE9D-BD44-40C5-ADD3-B8C99618E68D
Release Date: 23 July
2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
This security patch requires SQL Server 2000 Service Pack 3 (SP3)
or Service Pack 3a (SP3a). Microsoft recommends SQL Server 2000 Service Pack
3a.
For additional information, click the following article number
to view the article in the Microsoft Knowledge Base:
290211
How to obtain the latest SQL Server 2000 service pack
If you have not installed the security patch for Microsoft
Security Bulletin MS03-031, download and use the file that is available in the
following Microsoft Knowledge Base article:
826161 FIX: You are prompted for password confirmation after you change a standard SQL Server login
Installation information
This security patch supports the following Setup switches.
| Switch | Description |
| s | Disables the Self Extraction progress dialog box. Must come before the /a switch. |
| /a | This parameter must come before all parameters except /s if you are running the hotfix by using the self-extracting EXE,
and you want to include parameters for unattended installations. This is a
mandatory parameter for the installer to run in the unattended mode. |
| /q | This switch causes the Setup program to run in silent
mode with no user interface. |
| INSTANCENAME | Name of the instance of SQL Server. You
must enter it as follows:
INSTANCENAME=yourinstancename |
| BLANKSAPWD | Means a blank sa password for SQL Authentication. If you enter this parameter on
computers that are running Microsoft Windows NT or Microsoft Windows 2000, the
default Windows Authentication logon is overridden and it tries to log on with
a blank sa password. The correct format for this parameter is
BLANKSAPWD=1. This parameter is recognized only for
unattended installations. |
| SAPWD | Non-blank sa password. If you enter this parameter, it must be in the form
of SAPWD=yoursapassword. This
parameter overrides the default Windows Authentication on computers that are
running Windows NT or Windows 2000, or BLANKSAPWD, if entered. |
For additional information, click the
following article number to view the article in the Microsoft Knowledge Base:
330391
SQL Server hotfix installer
Restart requirement
You do not have to restart your computer after you apply this
security patch unless the hotfix installer prompts you to.
Removal information
The removal of this patch is not supported unless certain catalogs
were backed up before the installation of this security patch. For more
information, see the "How to Remove or Rollback the Hotfix" section in the
following Microsoft Knowledge Base article:
330391 SQL Server hotfix installer
Security patch replacement information
This security patch does not replace any other SQL Server 2000
Service Pack 3 (SP3) security patches.
File information
The English version of this security patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the
Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
----------------------------------------------------------------------------
31-May-2003 18:45 2000.80.818.0 78,400 bytes Console.exe
25-Jun-2003 01:01 2000.80.818.0 33,340 bytes Dbmslpcn.dll
25-Apr-2003 02:12 786,432 bytes Distmdl.ldf
25-Apr-2003 02:12 2,359,296 bytes Distmdl.mdf
30-Jan-2003 01:55 180 bytes Drop_repl_hotfix.sql
07-Apr-2003 19:15 2000.80.801.0 1,557,052 bytes Dtsui.dll
24-Apr-2003 02:51 747,927 bytes Instdist.sql
03-May-2003 01:56 1,581 bytes Inst_repl_hotfix.sql
08-Feb-2003 06:40 2000.80.765.0 90,692 bytes Msgprox.dll
01-Apr-2003 02:07 1,873 bytes Odsole.sql
07-May-2000 07:04 1,873 bytes Odsole.sql
02-Apr-2003 21:48 2000.80.796.0 57,904 bytes Osql.exe
02-Apr-2003 23:15 2000.80.797.0 279,104 bytes Pfutil80.dll
04-Apr-2003 21:27 1,083,467 bytes Replmerg.sql
04-Apr-2003 21:53 2000.80.798.0 221,768 bytes Replprov.dll
08-Feb-2003 06:40 2000.80.765.0 307,784 bytes Replrec.dll
05-May-2003 00:05 1,085,874 bytes Replsys.sql
31-May-2003 01:01 2000.80.818.0 492,096 bytes Semobj.dll
31-May-2003 18:27 2000.80.818.0 172,032 bytes Semobj.rll
29-May-2003 00:29 115,944 bytes Sp3_serv_uni.sql
01-Jun-2003 01:01 2000.80.818.0 4,215,360 bytes Sqldmo.dll
07-Apr-2003 17:44 25,172 bytes Sqldumper.exe
19-Mar-2003 18:20 2000.80.789.0 28,672 bytes Sqlevn70.rll
24-Apr-2003 05:39 2000.80.811.0 176,696 bytes Sqlmap70.dll
08-Feb-2003 06:40 2000.80.765.0 57,920 bytes Sqlrepss.dll
01-Jun-2003 01:02 2000.80.818.0 7,544,916 bytes Sqlservr.exe
01-Jun-2003 01:02 12,739,584 bytes Sqlservr.pdb
08-Feb-2003 06:40 2000.80.765.0 45,644 bytes Sqlvdi.dll
25-Jun-2003 01:01 2000.80.818.0 33,340 bytes Ssmslpcn.dll
01-Jun-2003 01:01 2000.80.818.0 82,492 bytes Ssnetlib.dll
01-Jun-2003 01:01 2000.80.818.0 25,148 bytes Ssnmpn70.dll
01-Jun-2003 01:01 2000.80.818.0 158,240 bytes Svrnetcn.dll
31-May-2003 18:59 2000.80.818.0 76,416 bytes Svrnetcn.exe
30-Apr-2003 23:52 2000.80.816.0 45,132 bytes Ums.dll
30-Apr-2003 23:52 132,096 bytes Ums.pdb
28-Feb-2003 01:34 2000.80.778.0 98,872 bytes Xpweb70.dll
Verification
To determine what version of SQL Server you are running, use the
information that is in the following Microsoft Knowledge Base
article:
321185 How to identify your SQL Server service pack version and edition
After you apply this security patch, run one of the following:
SELECT serverproperty('productversion') SELECT @@Version
The following should be returned: