CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
MS09-004 | Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) | SQL Server | Critical | 11-02-2009 |
Technical Information
Brief overview of the risk:
A remote code execution vulnerability exists in the way that SQL Server checks parameters in the “sp_replwritetovarbin” extended stored procedure.
Detailed Information on the risk:
The vulnerability could allow remote code execution if untrusted users have access to an affected system or if a SQL injection vulnerability exists on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Further information on this exploit is available at: MS09-004
Affected Software
SQL Server 2000 Service Pack 4
SQL Server 2000 Itanium-based Edition Service Pack 4
SQL Server 2005 Service Pack 2
SQL Server 2005 x64 Edition Service Pack 2
SQL Server 2005 with SP2 for Itanium-based Systems
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4
SQL Server 2005 Express Edition Service Pack 2
SQL Server 2005 Express Edition with Advanced Services Service Pack 2