No, not vulnerabilities in your code, but in Microsoft’s. Microsoft announced a round of GDRs (General Distribution Releases) yesterday that have an interesting set of bug fixes:
- Fixes a SQL injection vulnerability in a system stored procedure.
- Prevents logins with the ALTER ANY LOGIN permission from resetting the passwords of logins that have ALTER ANY LOGIN or IMPERSONATE ANY LOGIN permissions to avoid elevation of privilege.
- Prevents elevation of privilege by running SQL Agent job steps for built-in jobs with reduced permissions.
- Fixes a vulnerability that lets users who have access to certain stored procedures perform SQL injection and run arbitrary code by using elevated privileges.
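The second fix above is about who is allowed to reset whose password, so the question a DBA will want answered before and after patching is simply: which logins on this instance actually hold ALTER ANY LOGIN or IMPERSONATE ANY LOGIN? The T-SQL below is an added audit query, not from the original post or from Microsoft's fix notes; it assumes SQL Server 2014 or later (IMPERSONATE ANY LOGIN does not exist in earlier versions) and a caller who can read `sys.server_permissions` (VIEW ANY DEFINITION or sysadmin).

```sql
-- Added example (not from the original post): list every login that holds
-- ALTER ANY LOGIN or IMPERSONATE ANY LOGIN explicitly, plus logins that get
-- the same reach implicitly via CONTROL SERVER or the sysadmin role.
-- Assumes SQL Server 2014 or later and that the caller can read
-- sys.server_permissions (VIEW ANY DEFINITION or sysadmin).

-- Explicit server-level grants of the two permissions named in the GDR notes,
-- plus CONTROL SERVER, which covers both of them.
SELECT p.name              AS login_name,
       p.type_desc         AS login_type,
       p.is_disabled,
       sp.permission_name,
       sp.state_desc,
       g.name              AS granted_by
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p  ON p.principal_id = sp.grantee_principal_id
JOIN sys.server_principals  AS g  ON g.principal_id = sp.grantor_principal_id
WHERE sp.class_desc = 'SERVER'
  AND sp.permission_name IN (N'ALTER ANY LOGIN', N'IMPERSONATE ANY LOGIN', N'CONTROL SERVER')
  AND sp.state IN ('G', 'W')          -- GRANT or GRANT WITH GRANT OPTION

UNION ALL

-- Members of the sysadmin fixed server role hold every server permission implicitly,
-- so they belong on the same list even though no explicit grant row exists.
SELECT m.name,
       m.type_desc,
       m.is_disabled,
       N'(sysadmin role member)',
       N'IMPLICIT',
       r.name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'

ORDER BY login_name, permission_name;
```

Run it once per instance; any login on the list that is not a DBA or a service account you recognize deserves a conversation regardless of patch level, because the GDR narrows what ALTER ANY LOGIN can do but does not take the permission away.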
No further details are available about the bugs in question, and I don’t blame Microsoft for not publishing them, either. Publishing details on any of these would allow The Bad Guys™ to cause Bad Things™ to the unpatched servers out there. Rather than being curious, get to patchin’ – all of the relevant pages have been updated on SQLServerUpdates.com with the new builds.