Just a quick heads-up for those of you managing a SQL Server environment: it looks as though there is an important update for SQL Server versions 7.0, 2000 & 2005. Full details of bulletin MS08-040 are available on the Microsoft Security Bulletin website; details are as follows (my emphasis):
This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
This security update is rated Important for supported releases of SQL Server 7.0, SQL Server 2000, SQL Server 2005, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).
The security update addresses the vulnerabilities by modifying the way that SQL Server manages page reuse, allocating more memory for the convert function, validating on-disk files before loading them, and validating insert statements.
The hotfix will be installed automatically by Windows Update (as it has just done on my development machine); you may want to check it on a non-production environment first to ensure there are no unwanted side effects.