The Rambling DBA: Jonathan Kehayias

The random ramblings and rantings of a frazzled SQL Server DBA

MS09-062 - Critical: Vulnerabilities in GDI+ Could Allow Remote Code Execution

Today Microsoft released a new Critical security bulletin that affects SQL Server.

http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

If you have never actually read one of these bulletins, be warned that they are easy to get lost in. The last out-of-band update like this for SQL Server generated more than its share of forum questions, so to make it easier to work out which download you need, let me highlight an often-overlooked section.

If you scroll all the way down the page, there is an expandable Frequently Asked Questions (FAQ) Related to This Security Update section. Expanding it makes it much easier to tell which patch you need to download and apply.

To get your version information, run SELECT @@VERSION while connected to your instance. Then download the appropriate file and patch your SQL Server instance. Expect this to behave just like a service pack install: an outage will be required. In addition, if you are one of those people who has the SQL Server service disabled and this patch gets picked up by Windows Update, the install will fail, because part of the install process is to stop and then start SQL Server. This caused problems for a number of people with the last update like this one.
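As an added example (not part of the original post), here is a T-SQL query that pulls out the pieces of version information the bulletin's FAQ table keys on, instead of leaving you to eyeball the @@VERSION string. It is written against SQL Server 2005 syntax (no DECLARE-with-initializer). @ExpectedBuild is a placeholder: the bulletin, not this query, tells you which build you should be at, and that build differs between the GDR and QFE (cumulative update) branches of a service pack, so a higher build number on its own does not prove the fix is present.

```sql
-- Added example, not from the original post: report the build of the connected instance
-- and compare it to the build the MS09-062 FAQ lists for the package you downloaded.
DECLARE @ProductVersion nvarchar(128);
DECLARE @Major int, @Minor int, @Build int;
DECLARE @ExpectedBuild int;

-- ProductVersion is 'major.minor.build.revision', e.g. '9.00.4262.00'.
SET @ProductVersion = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));

-- PARSENAME numbers dotted parts from the right, so part 4 is major and part 2 is build.
SET @Major = CAST(PARSENAME(@ProductVersion, 4) AS int);
SET @Minor = CAST(PARSENAME(@ProductVersion, 3) AS int);
SET @Build = CAST(PARSENAME(@ProductVersion, 2) AS int);

-- Placeholder (assumption, fill in from the bulletin FAQ): the build number of the
-- update for YOUR branch. A GDR build and a QFE build of the same service pack have
-- different fixed builds, so pick the one matching the package you installed.
SET @ExpectedBuild = NULL;

SELECT
    @@VERSION                        AS VersionString,
    SERVERPROPERTY('ProductVersion') AS ProductVersion,
    SERVERPROPERTY('ProductLevel')   AS ProductLevel,  -- RTM, SP2, SP3 ...
    SERVERPROPERTY('Edition')        AS Edition,
    SERVERPROPERTY('IsClustered')    AS IsClustered,   -- 1 = patch from the active node
    @Major                           AS Major,
    @Minor                           AS Minor,
    @Build                           AS Build,
    CASE
        WHEN @ExpectedBuild IS NULL   THEN 'Set @ExpectedBuild from the bulletin FAQ'
        WHEN @Build >= @ExpectedBuild THEN 'Build is at or above the patched build for this branch'
        ELSE                               'Build is below the patched build: apply the update'
    END                              AS PatchStatus;
```

Run it before and after the install and keep both result rows with your change record; the Build column is what you compare, and IsClustered reminds you to start the installer on the active node.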

Published Tuesday, October 13, 2009 6:01 PM by Jonathan Kehayias

Comments

Chris Wood said:

Jonathan,

I am trying to get some real information on this security patch for SQL2005. It seems to be a Reporting Services bug that only needs an SQL2005 build upgrade when you are running on Windows 2000. Am I reading this bulletin correctly?

Thanks

Chris

October 13, 2009 6:16 PM

Chris Wood said:

Jonathan,

The bulletin seems to imply that only Windows 2000 SP4 clients and servers are definitely in need of the SQL patch. I have also seen this blog post http://blogs.technet.com/srd/archive/2009/10/12/new-attack-surface-reduction-feature-in-gdi.aspx that talks about reducing the filetypes that get parsed.

So if you are not running Windows 2000 is applying the SQL2005 patch overkill?

Thanks

Chris

October 14, 2009 12:50 PM

Chris Wood said:

Just thought I would add these links to blog entries that help to explain how this security problem affects Reporting Services.

http://blogs.msdn.com/psssql/archive/2009/10/15/reporting-services-and-the-ms09-062-gdr-gdi.aspx

http://blogs.msdn.com/brianhartman/archive/2009/10/13/gdi-updated-again.aspx

The CSS SQL Server Engineers blog has got to be one of the best for technical information.

Chris

October 15, 2009 2:43 PM

jerryhung said:

Ha, just installed the SP3 and 2 patches today

Notes

- they took quite a while (2 patches took about 30 minutes total)

- You need to start the installer on the Active node of the cluster, and it'll stop the cluster service for you

My SQL version is now

Microsoft SQL Server 2005 - 9.00.4262.00 (X64)

October 15, 2009 3:38 PM

Reinaldo said:

I had the same question, as the hotfix released last year back in Oct 2008 was only for Reporting Services 2000 and SSRS 2005. This one includes fixes to the engine also. I asked our dedicated Microsoft support contact and he confirmed that for SQL 2005, you need to install this patch on all servers running the SQL 2005 engine.

October 18, 2009 11:43 PM

Aaron Bertrand said:

Some new updates just posted by SQL Server Release Services: For SQL Server 2005 SP2, build 9.0.3355:

October 20, 2009 11:31 AM