This month Microsoft released a rare patch for SQL Server: a Security Update to fix a vulnerability within Reporting Services.
We'd urge you to check the bulletin's list of susceptible candidate versions of SQL Server. Or rather, since so many versions are susceptible, scroll to the list of non-affected versions. If your install is listed there, breathe easy. If not, this update's for you.
I installed and function tested the update on SQL 2008. It's straightforward and SQL Server needs a re-start to kick it in, which means an outage if you're applying this to a core business server.
This patch covers a vulnerability in Reporting Services. Through this loophole, malicious code could elevate access privileges, gain control and cause some damage. The malicious code could be planted on a web site or in an advertisement. Looking innocent enough, it's the sort of thing anybody could trigger.
The link between an external web site or advertisement and your internal SQL Server is not spelled out in the MS documentation. However, Microsoft gives this an "Important" rating, which means they know the threat exists. The patch software targets Reporting Services components, which implies that an environment with web-based interfaces to Reporting Services would be at risk.
Link to: Security Bulletin
Link to: Security Update
Securely yours,
Pete Q